Connecting to VPN servers using non-public certificates on iOS 18.4 / macOS 15.4

iOS 18.4 / macOS 15.4 introduced new requirements on server certificates (leaf certificate) used in TLS connections. If your VPN server is using a self-signed certificate or a certificate issued by a non-public CA, you are likely affected.

What are the requirements

• For RSA certificates, Digital Signature and Key Encipherment must be set if the certificate contains a Key Usage extension.
• For ECDSA certificates, Digital Signature must be set if the certificate contains a Key Usage extension.

Source: https://support.apple.com/en-us/121158

Impact

VPN servers using certificates issued by public CAs are most likely not affected because they are always generated with the correct key usages.

Certificates generated by SoftEther VPN are not affected.

Connections to an affected server may end up with timeout errors. It does not matter if you have enabled TLS verification.

Solution

If the server certificate lacks the required usages, it needs to be regenerated. Currently there is no way to ignore / bypass the error.

Why is SSTP Connect affected

Unlike some other VPN apps, SSTP Connect uses the native TLS library on your iOS / macOS, instead of a 3rd party library such as OpenSSL. The native TLS library gets updated with your iOS / macOS.

Future

We have filed a bug report to Apple on this issue, demanding that the new requirements should be allowed to bypass just like other certificate errors. For the time being, we are not going to release an update. However, we will consider other solutions if the change is permanent.