SSL failing with Allow Arbitrary Loads = false - ios

As per my requirement i should not make Allow Arbitrary Loads = true. So i set to false.
And i am allowing the trust certificate on my URLsession delegate.
My url : https://sample-app.10.names.io
code :
public func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge, completionHandler: #escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
//Trust the certificate even if not valid
let urlCredential = URLCredential(trust: challenge.protectionSpace.serverTrust!)
completionHandler(.useCredential, urlCredential)
}
My error :
Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?,
If I make Allow Arbitrary Loads = true, then only its working. But as per my requirement i should not change to true. Any suggestion would be helpful.
Thanks
Update:
I tried this below too :
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>https://sample-app.10.names.io</key>
<dict>
<!--Include to allow subdomains-->
<key>NSIncludesSubdomains</key>
<true/>
<!--Include to allow HTTP requests-->
<key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
<true/>
<!--Include to specify minimum TLS version-->
<key>NSTemporaryExceptionMinimumTLSVersion</key>
<string>TLSv1.1</string>
</dict>
</dict>
</dict>

You can use the terminal command
nscurl --ats-diagnostics --verbose https://sample-app.10.names.io
to test your server for ATS compliance.
Doing so reveals that your server only passes when perfect forward secrecy is disabled. It would seem that your server does not support ECDHE ciphers.
You can configure ATS to ignore the perfect forward secrecy requirement by specifying NSExceptionRequiresForwardSecrecy in your ATS configuration exception domains, but really you should patch your server to use newer TLS code. Otherwise it is vulnerable to replay MITM attacks.

If you are actively using Alamofire in your project, I suggest you use the built-in Session that can be configured to use your server trust certificate without much hassle. Here is some code on how it is setup in one of my projects.
class SessionManagerProvider {
// MARK: - State
let hosts: [String]
let disableEvaluation: Bool
// MARK: - Init
init(urls: [URL], disableEvaluation: Bool = false) {
hosts = urls.compactMap { $0.host }
self.disableEvaluation = disableEvaluation
}
// MARK: - Factory
func make() -> Session {
// Configure network client with SSL pinning.
let configuration = URLSessionConfiguration.af.default
configuration.timeoutIntervalForRequest = Constants.Backend.timeoutIntervalForRequest
configuration.timeoutIntervalForResource = Constants.Backend.timeoutIntervalForResource
// Allow more connections than API requests to avoid an issue, when URLSession starts to
// time-out requests when there are too many connections.
configuration.httpMaximumConnectionsPerHost = Constants.maxConcurrentApiCalls * 2
let policies = serverTrustPolicies(disableEvaluation: disableEvaluation)
let securityManager = ServerTrustManager(evaluators: policies)
let sessionManager = Session(configuration: configuration, serverTrustManager: securityManager)
return sessionManager
}
private func serverTrustPolicies(disableEvaluation: Bool) -> [String: ServerTrustEvaluating] {
var policies: [String: ServerTrustEvaluating] = [:]
for host in hosts {
if disableEvaluation {
policies[host] = DisabledTrustEvaluator()
} else {
policies[host] = PublicKeysTrustEvaluator(
performDefaultValidation: true,
validateHost: true
)
}
}
return policies
}
}

Related

How to trust an endpoint iOS swift

I'm calling an endpoint that has a self-signed ssl certificate i have tried adding this in my info.plist
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
But i am still not able to access the endpoint i keep getting this
NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “endpoint” which could put your confidential information at risk.
You need to create a session manager and tell it to disable evaluation of the ssl in that server.
Something like this
static var manager: Alamofire.SessionManager = {
let serverTrustPolicies: [String: ServerTrustPolicy] = [
"https://example.com": .disableEvaluation
]
let configuration = URLSessionConfiguration.default
configuration.httpAdditionalHeaders = Alamofire.SessionManager.defaultHTTPHeaders
let manager = Alamofire.SessionManager(
configuration: URLSessionConfiguration.default,
serverTrustPolicyManager: ServerTrustPolicyManager(policies: serverTrustPolicies)
)
return manager
}()
An then, instead of calling request in Alamofire, like this
Alamofire.request("https://example.com", method: .get…
you call it in your manager
manager.request("https://example.com"…

Certificate Invalid Issue with Alamofire 4.0

I am trying to consume web services for my iOS app over https. The web server uses a self signed certificate.
When consuming the web service, I get the error “certificate is Invalid”.
FAILURE: Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “portal” which could put your confidential information at risk."
I know the best practise is to fix this at the server side to enable a trusted root CA. But as this is a temporary development environment, we are using a self signed certificate.
Since this is ATS issue, I have edited ATS in my info.plist as below.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>devportal</key>
<dict>
<key>NSTemporaryExceptionMinimumTLSVersion</key>
<string>TLSv1.2</string>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
</dict>
</dict>
<key>NSAllowsArbitraryLoads</key>
<false/>
</dict>
</plist>
As the NSException domains doesn’t work with IP and port number, I have created a host entry in my etc/hosts file for the web server IP and consuming it like https://devportal:8443/rest/login instead of consuming it as https://192.22.xx.xxx:8443/rest/login
I have followed alamofire documentation on server trust policies, edited ATS to allow exception domains but nothing worked out for me. I have spent over 3 days on this issue. Am I missing something? Does anybody faced a similar issue? Is there any solution for this? Thanks in advance
I am using almofire 4.0, Xcode 8.0. Below is my code.
class LoginService{
private static var Manager: Alamofire.SessionManager = {
let pathToCert = Bundle.main.path(forResource: "192.22.xx.xxx", ofType: "crt") // Downloaded this certificate and have added to my bundle
let localCertificate:NSData = NSData(contentsOfFile: pathToCert!)!
// Create the server trust policies
let serverTrustPolicies: [String: ServerTrustPolicy] = [
"192.22.xx.xxx": .pinCertificates(
certificates: [SecCertificateCreateWithData(nil, localCertificate)!],
validateCertificateChain: true,
validateHost: true
),
"devportal:8443": .disableEvaluation
]
// Create custom manager
let configuration = URLSessionConfiguration.default
configuration.httpAdditionalHeaders = Alamofire.SessionManager.defaultHTTPHeaders
let manager = Alamofire.SessionManager(
configuration: URLSessionConfiguration.default,
serverTrustPolicyManager: ServerTrustPolicyManager(policies: serverTrustPolicies)
)
return manager
}()
/**
Calls the Login Web Service to authenticate the user
*/
public func login(username:String, password: String){
let parameters = [
"username": "TEST",
"password": "PASSWORD",
]
let header: HTTPHeaders = ["Accept": "application/json"]
LoginService.Manager.request("https://devportal:8443/rest/login", method: .post, parameters: parameters, encoding: JSONEncoding(options: []),headers :header).responseJSON { response in
debugPrint(response)
if let json = response.result.value {
print("JSON: \(json)")
}
}
}
}
I modified my code like below and it worked. I referred Swift: How to Make Https Request Using Server SSL Certificate for fixing this issue.
class LoginService{
private static var Manager: Alamofire.SessionManager = {
// Create the server trust policies
let serverTrustPolicies: [String: ServerTrustPolicy] = [
"devportal:8443": .disableEvaluation
]
// Create custom manager
let configuration = URLSessionConfiguration.default
configuration.httpAdditionalHeaders = Alamofire.SessionManager.defaultHTTPHeaders
let manager = Alamofire.SessionManager(
configuration: URLSessionConfiguration.default,
serverTrustPolicyManager: ServerTrustPolicyManager(policies: serverTrustPolicies)
)
return manager
}()
/**
Calls the Login Web Service to authenticate the user
*/
public func login(username:String, password: String){
// Handle Authentication challenge
let delegate: Alamofire.SessionDelegate = LoginService.Manager.delegate
delegate.sessionDidReceiveChallenge = { session, challenge in
var disposition: URLSession.AuthChallengeDisposition = .performDefaultHandling
var credential: URLCredential?
if challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust {
disposition = URLSession.AuthChallengeDisposition.useCredential
credential = URLCredential(trust: challenge.protectionSpace.serverTrust!)
} else {
if challenge.previousFailureCount > 0 {
disposition = .cancelAuthenticationChallenge
} else {
credential = LoginService.Manager.session.configuration.urlCredentialStorage?.defaultCredential(for: challenge.protectionSpace)
if credential != nil {
disposition = .useCredential
}
}
}
return (disposition, credential)
}
//Web service Request
let parameters = [
"username": "TEST",
"password": "PASSWORD",
]
let header: HTTPHeaders = ["Accept": "application/json"]
LoginService.Manager.request("https://devportal:8443/rest/login", method: .post, parameters: parameters, encoding: JSONEncoding(options: []),headers :header).responseJSON { response in
debugPrint(response)
if let json = response.result.value {
print("JSON: \(json)")
}
}
}
}
You should also configure your plist as below
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>devportal</key>
<dict>
<key>NSTemporaryExceptionMinimumTLSVersion</key>
<string>TLSv1.2</string>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
</dict>
</dict>
<key>NSAllowsArbitraryLoads</key>
<false/>
</dict>
</plist>
Do not enter IP or port numbers in your NSExceptiondomains. It won't
work. If you are trying to connect to a web server with IP address,
map the IP address to a domain by adding a host entry in etc/hosts
file in your mac and then use the domain name in NSExceptionDomains
IMPORTANT: Do not use this code in production as this puts your users
information at risk, by bypassing auth challenge.
Not suggesting for production use-cases
//Use this manager class
class APIManager {
static var Manager: Alamofire.Session = {
let manager = ServerTrustManager(evaluators: ["your endpoint": DisabledTrustEvaluator()])
let session = Session(serverTrustManager: manager)
return session
}()
}
//Call APIs using this manager
APIManager.Manager.request("API")

Alamofire 4 FAILURE: Error Domain=NSURLErrorDomain Code=-999 "cancelled"

Hi I am try to use Alamofire for my project but the error come out.
Here is my requesting code
//Google testing
Alamofire.request("http://google.com").responseString{
response in
debugPrint(response)
}.session.invalidateAndCancel()
Result]: FAILURE: Error Domain=NSURLErrorDomain Code=-999 "cancelled"
UserInfo={NSErrorFailingURLKey=http://google.com/,
NSLocalizedDescription=cancelled,
NSErrorFailingURLStringKey=http://google.com/}
//Own server testing
Alamofire.request("https://10.68.24.127:4533").responseString{
response in
debugPrint(response)
}.session.invalidateAndCancel()
same result
class NetworkManager {
var manager: SessionManager?
init() {
let serverTrustPolicies: [String: ServerTrustPolicy] = [
"https://10.68.24.127:4533" : .disableEvaluation
]
let configuration = URLSessionConfiguration.default
manager = Alamofire.SessionManager(
configuration: configuration,
serverTrustPolicyManager :ServerTrustPolicyManager(policies: serverTrustPolicies)
)
}
}
I set the NSAllowsArbitraryLoads to true and NSExceptionDomains.
Where is the problem?
There could be a lot of reason to why your requests "cancelled".
If you are facing that a request cancels immediately you can refer to this issue in Alamofire repository issues
jshier commented on Oct 10, 2016
An unexpected error -999 almost always means your SessionManager was
deallocated, cancelling any ongoing requests. I suggest you create a
singleton value for your custom SessionManager, or perhaps just
reevaluate if you really need one.
if you create a singleton value for your object it remains in memory and prevent from deallocate
and another thing that i avoid is to name your variables diffrent, a sessionManager is in Alamofire and your variable is also called sessionManager.
Alamofire 4.7 , Swift 4
import Alamofire
class Networking {
public static let sharedManager: SessionManager = {
let configuration = URLSessionConfiguration.default
configuration.timeoutIntervalForRequest=20
let manager = Alamofire.SessionManager(configuration: configuration, delegate: SessionManager.default.delegate)
return manager
}()
}
Alamofire 5.4.4 , Siwft 5.2
import Alamofire
class Networking {
static let APIManager: Session = {
let configuration = URLSessionConfiguration.default
configuration.timeoutIntervalForRequest = 20
let delegate = Session.default.delegate
let manager = Session.init(configuration: configuration,
delegate: delegate,
startRequestsImmediately: true,
cachedResponseHandler: nil)
return manager
}()
}
Check this documentation from Alamofire app-transport-security
try to add the following in your .plist file
<key>NSAppTransportSecurity</key><dict>
<key>NSExceptionDomains</key>
<dict>
<key>url.com</key>
<dict>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>
<key>NSIncludesSubdomains</key>
<true/>
</dict>
</dict>
Most likely you should be checking if there is an implementation of authentication challenge delegate method and check if its calling NSURLSessionAuthChallengeCancelAuthenticationChallenge.
- (void)URLSession:(NSURLSession *)session didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential * _Nullable credential))completionHandler

Swift: How to Make Https Request Using Server SSL Certificate

Hi I want to make Https Request in Swift. Currently im accessing local server through ip address. Local Server has one SSL Certificate by accessing the certificate want to make request to server currently im doing like this.
Alamofire.request(.GET, https://ipaddress//, parameters: [param], headers: headers)
.responseJSON { response in
print(response.request) // original URL request
print(response.response) // URL response
print(response.data) // server data
print(response.result) // result of response serialization
if let JSON = response.result.value {
print("JSON: \(JSON)")
}
}
I have used the above code for making request and in plist
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>192.168.2.223:1021(my local ip)</key>
<dict>
Include to allow subdomains-->
<key>NSIncludesSubdomains</key>
<true/>
<!--Include to allow insecure HTTP requests-->
<key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
<true/>
<!--Include to specify minimum TLS version-->
<key>NSTemporaryExceptionMinimumTLSVersion</key>
<string>TLSv1.1</string>
</dict>
</dict>
</dict>
in plist i have given like this but im still getting error like
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
IMPORTANT: DO NOT USE THIS IN PRODUCTION. Basically, with Alamofire, you can bypass the authentication for app development and testing purpose. Make sure you remove it before the app is on the App Store or in production:-
func bypassURLAuthentication() {
let manager = Alamofire.Manager.sharedInstance
manager.delegate.sessionDidReceiveChallenge = { session, challenge in
var disposition: NSURLSessionAuthChallengeDisposition = .PerformDefaultHandling
var credential: NSURLCredential?
if challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust {
disposition = NSURLSessionAuthChallengeDisposition.UseCredential
credential = NSURLCredential(forTrust: challenge.protectionSpace.serverTrust!)
} else {
if challenge.previousFailureCount > 0 {
disposition = .CancelAuthenticationChallenge
} else {
credential = manager.session.configuration.URLCredentialStorage?.defaultCredentialForProtectionSpace(challenge.protectionSpace)
if credential != nil {
disposition = .UseCredential
}
}
}
return (disposition, credential)
}
}
Thank You!
Let me know if this helps. :)

XCode 7/iOS 9: how to enable self signed certificate for NSURLSession

In order to test my app I set up a server Apache 2.4.12 with TLS 1.2 and a self signed certificate. The problem is that when I run my app and I try to communicate with my local server I get this error:
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
nil
Optional(Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo= {NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?...
and this is because a self signed certificate in not reliable of corse. I had read somewhere here in stackoverflow that, in the class where I use the NSURLSession(), I had to add the following delegate:
func URLSession(session: NSURLSession,
task: NSURLSessionTask,
didReceiveChallenge challenge: NSURLAuthenticationChallenge,
completionHandler: (NSURLSessionAuthChallengeDisposition, NSURLCredential?)
-> Void) {
completionHandler(NSURLSessionAuthChallengeDisposition.UseCredential, NSURLCredential(forTrust: challenge.protectionSpace.serverTrust!))
}
and then perform:
func requestLoginWithURL (requestURL: NSURL, completionHandler: (success: Bool?) -> Void) {
let configuration =
NSURLSessionConfiguration.defaultSessionConfiguration()
let urlRequest: NSURLRequest = NSURLRequest(URL: requestURL)
let session = NSURLSession(configuration: configuration, delegate: self, delegateQueue:NSOperationQueue.mainQueue())
/*
dataTaskWithRequest: creates an HTTP request for the specified URL request object, and calls a handler upon completion.
*/
let task = session.dataTaskWithRequest( ...)
}
but it seems that this doesn't work anyway. So I was wondering if there was a way to force the self assigned certificate to be accepted without adding that xml code to info.plist to disable any form secure communication.
Here's httpd-ssl.conf in my server:
<VirtualHost *:443>
DocumentRoot "/Applications/AMPPS/www"
ServerName localhost
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCertificateFile "/Applications/AMPPS/apache/conf/server.crt"
SSLCertificateKeyFile "/Applications/AMPPS/apache/conf/server.key"
</VirtualHost>
Is there any way to make this work? Just to show my teacher that I am building my app accordant to iOS 9 ATS.
Thanks to all.
SOLUTION:
Add this to file info.plist which will force ATS to accept self signed certificate:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>localhost</key>
<dict>
<!--Include to allow subdomains-->
<key>NSIncludesSubdomains</key>
<true/>
<!--Include to allow HTTP requests-->
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
<!--
<key>NSExceptionMinimumTLSVersion</key>
<string>TLSv1.1</string>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/> -->
</dict>
</dict>
</dict>
However, as explain here this is not enough. In each class where you will use NSURLSession you have to declare the following delegate:
class LoginService: NSObject, NSURLSessionDelegate {
func URLSession(session: NSURLSession,
task: NSURLSessionTask,
didReceiveChallenge challenge: NSURLAuthenticationChallenge,
completionHandler: (NSURLSessionAuthChallengeDisposition, NSURLCredential?)
-> Void) {
completionHandler(NSURLSessionAuthChallengeDisposition.UseCredential, NSURLCredential(forTrust: challenge.protectionSpace.serverTrust!))
}
...
}
And then perform something like the following:
let configuration = NSURLSessionConfiguration.defaultSessionConfiguration()
let urlRequest: NSURLRequest = NSURLRequest(URL: requestURL)
let session = NSURLSession(configuration: configuration, delegate: self, delegateQueue:NSOperationQueue.mainQueue())
/*
dataTaskWithRequest: creates an HTTP request for the specified URL request object, and calls a handler upon completion.
*/
let task = session.dataTaskWithRequest(urlRequest...)
This works for me. Remember that you must use Apache 2.4.x because it's the only version supporting TLS 1.2.
Hope this will help.

Resources