iOS TLS certificate invalid on API request - ios

I'm currently developing a React-Native app (first for iOS) and I have to do an API request on a FHIR connector (medical standard). This API uses a TLS certificate generated by the PKI of my state, which is by default not trusted by iOS. I manually added the root certificate G1, the second certificate G2, and the certificate of the API URL.
After that, I trusted the root certificate using this explanation from Apple support: https://support.apple.com/en-us/HT204477
From then on I thought it was ready to be used, and I checked with Chrome; now I have the following error: NET::ERR_CERT_VALIDITY_TOO_LONG
I don't have access to the PKI, so I can't generate a certificate with a shorter validity time. After some research I found this:
https://support.apple.com/en-us/HT210176
which explains the requirements for a TLS certificate to be validated by the OS. I thought there was no solution except generating a new certificate, but I found this:
https://support.apple.com/en-us/HT211025
which explains that a certificate installed manually by a user doesn't have to respect the 398-day validity limit.
I'm a bit confused ...
My certificate validity time is 10 years.
My React-Native application works fine with http, but I have the following error with https:
[connection] nw_socket_handle_socket_event [C7:1] Socket SO_ERROR [61: Connection refused]
[connection] nw_connection_get_connected_socket [C7] Client called nw_connection_get_connected_socket on unconnected nw_connection
TCP Conn 0x2835e42c0 Failed : error 0:61 [61]
[native] [GESTURE HANDLER] Initialize gesture handler for root view <RCTRootContentView: 0x106d05890; reactTag: 11; frame = (0 0; 834 1194); gestureRecognizers = <NSArray: 0x280c16640>; layer = <CALayer: 0x280303060>>
Connection 12: default TLS Trust evaluation failed(-9807)
Connection 12: TLS Trust encountered error 3:-9807
Connection 12: encountered error(3:-9807)
Connection 12: unable to determine interface type without an established connection
Task <344A51D7-3F78-47DF-94E4-4A70D6B4E026>.<4> HTTP load failed, 0/0 bytes (error code: -1202 [3:-9807])
Task <344A51D7-3F78-47DF-94E4-4A70D6B4E026>.<4> finished with error [-1202] Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “<API URL REQUEST>” which could put your confidential information at risk." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=(
"<cert(0x104814000) s: <API URL CERTIF> i: <CERTIF G2>>",
"<cert(0x104811000) s: <CERTIF G2> i: <CERTIF ROOT G1>>",
"<cert(0x10488d000) s: <CERTIF ROOT G1> i: <CERTIF ROOT G1>>"
), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=<API URL>, NSErrorFailingURLStringKey=<API UTL>, NSUnderlyingError=0x280c36310 {Error Domain=kCFErrorDomainCFNetwork Code=-1202 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x2830f7330>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9807, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9807, kCFStreamPropertySSLPeerCertificates=(
"<cert(0x104814000) s: <API URL CERTIF> i: <CERTIF G1>>",
"<cert(0x104811000) s: <CERTIF G2> i: <CERTIF G1>",
"<cert(0x10488d000) s: <CERTIF G1> i: <CERTIF G1>"
)}},
The question is: am I doing something wrong, or is there any way to use this certificate (10 years validity time) for my application?
Thank you for helping me.

If you are using a self-signed cert, you have to enable your iOS device to trust it:
For this, open the iOS Settings app again. Then navigate to “General” > “About” > “Certificate Trust Settings”. In the section “Enable Full Trust for Root Certificates”, enable your root certificate. With this, your app can now connect to the backend with the self-signed certificate.

I finally had access to the PKI to generate a TLS certificate with a shorter validity time, and this solved my problem. Now the certificate is accepted by iOS.
I strongly think that there is no other solution.
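Added example, not taken from any of the posts on this page: a small Python triage helper for the CFNetwork logs quoted in this question and in the related questions below. It extracts the SecureTransport (domain 3) and NSURLErrorDomain codes, rebuilds the certificate chain the server presented, and flags any link where a certificate's issuer is not the subject of the next certificate. The sample log and all certificate names are constructed; the code meanings come from Apple's SecureTransport error constants, and the parser assumes subject/issuer names contain no '>' character.

```python
import re

# SecureTransport codes (kCFStreamErrorDomainSSL, stream error domain 3) seen on this page.
TLS_ERRORS = {
    -9802: "errSSLFatalAlert: handshake aborted by a fatal alert",
    -9806: "errSSLClosedAbort: connection closed abruptly during the handshake",
    -9807: "errSSLXCertChainInvalid: chain failed trust evaluation (policy, validity, SAN)",
    -9812: "errSSLUnknownRootCert: chain reaches a root the device does not trust",
    -9813: "errSSLNoRootCert: no root certificate could be found for the chain",
}
# NSURLErrorDomain codes seen in the "finished with error [...]" lines on this page.
NSURL_ERRORS = {-1200: "NSURLErrorSecureConnectionFailed", -1202: "NSURLErrorServerCertificateUntrusted"}

# One chain entry as CFNetwork prints it: <cert(0xADDR) s: SUBJECT i: ISSUER>
# Assumption: subject/issuer contain no '>' (strip <...> placeholders from redacted logs first).
CERT_RE = re.compile(r"<cert\((0x[0-9a-f]+)\) s: (.+?) i: (.+?)>")
TLS_CODE_RE = re.compile(r"(?:error\s*\(?3:|_kCFStreamErrorCodeKey=|kCFStreamErrorDomainSSL, )(-98\d\d)")
NSURL_CODE_RE = re.compile(r"Domain=NSURLErrorDomain Code=(-1\d{3})")


def parse_chain(log):
    """(subject, issuer) pairs in the order the server sent them. CFNetwork prints the same
    cert objects twice (NSErrorPeerCertificateChainKey and kCFStreamPropertySSLPeerCertificates),
    so entries are de-duplicated by their 0x address."""
    seen, chain = set(), []
    for addr, subject, issuer in CERT_RE.findall(log):
        if addr not in seen:
            seen.add(addr)
            chain.append((subject.strip(), issuer.strip()))
    return chain


def chain_breaks(chain):
    """Each certificate's issuer must be the subject of the next one; report every gap."""
    return [
        f"issuer of '{subj}' is '{iss}' but next certificate is '{chain[i + 1][0]}'"
        for i, (subj, iss) in enumerate(chain[:-1])
        if iss != chain[i + 1][0]
    ]


def triage(log):
    """Summarise one CFNetwork/NSURLSession trust failure so the cause can be classified."""
    tls, nsurl, chain = TLS_CODE_RE.search(log), NSURL_CODE_RE.search(log), parse_chain(log)
    tls_code = int(tls.group(1)) if tls else None
    nsurl_code = int(nsurl.group(1)) if nsurl else None
    return {
        "nsurl_code": nsurl_code, "nsurl_meaning": NSURL_ERRORS.get(nsurl_code, "unknown"),
        "tls_code": tls_code, "tls_meaning": TLS_ERRORS.get(tls_code, "unknown"),
        "chain": chain, "chain_breaks": chain_breaks(chain),
        # A self-signed last entry is the root the device must be told to trust explicitly.
        "root_sent_by_server": bool(chain) and chain[-1][0] == chain[-1][1],
    }


# Constructed sample modeled on the -9807 log in the question above; names are fictitious.
SAMPLE_LOG = (
    "Connection 12: TLS Trust encountered error 3:-9807\n"
    'Task <X>.<4> finished with error [-1202] Error Domain=NSURLErrorDomain Code=-1202 '
    '"The certificate for this server is invalid." UserInfo={NSErrorPeerCertificateChainKey=(\n'
    '"<cert(0x104814000) s: api.fhir.example.test i: Example State CA G2>",\n'
    '"<cert(0x104811000) s: Example State CA G2 i: Example State Root G1>",\n'
    '"<cert(0x10488d000) s: Example State Root G1 i: Example State Root G1>"\n'
    "), kCFStreamPropertySSLPeerCertificates=(\n"
    '"<cert(0x104814000) s: api.fhir.example.test i: Example State CA G2>"\n'
    ")}\n"
)
```

Run `triage(SAMPLE_LOG)` on a captured log to see the mapped codes and the chain before deciding whether the fix is a trust setting, a missing intermediate, or a certificate that violates the HT210176 requirements.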

Related

After successfully installing a cert on iPhone simulator, I still get an SSL error when hitting my web service

I am developing a web service and an iOS app that hits the web service on my local machine. At first, I disabled the cleartext errors for interacting with the service, but now I would like to use https so that my development, test, and prod environments are as similar as possible.
I installed my self-signed cert locally, so going to the site directly uses https just fine:
I have followed the instructions to install a cert in the iPhone simulator:
However, when I hit the web service on my local machine that uses this cert, I still get these errors in the console:
2020-10-17 09:59:10.891496-0500 cttios[45481:2146304] [] nw_protocol_get_quic_image_block_invoke dlopen libquic failed
2020-10-17 09:59:10.899475-0500 cttios[45481:2146304] ATS failed system trust
2020-10-17 09:59:10.899583-0500 cttios[45481:2146304] Connection 1: system TLS Trust evaluation failed(-9802)
2020-10-17 09:59:10.899744-0500 cttios[45481:2146304] Connection 1: TLS Trust encountered error 3:-9802
2020-10-17 09:59:10.900077-0500 cttios[45481:2146304] Connection 1: encountered error(3:-9802)
2020-10-17 09:59:10.901405-0500 cttios[45481:2146304] Task <BE791070-705B-4C7D-A1DB-F57BCF1DFBCE>.<1> HTTP load failed, 0/0 bytes (error code: -1200 [3:-9802])
2020-10-17 09:59:10.904343-0500 cttios[45481:2146304] Task <BE791070-705B-4C7D-A1DB-F57BCF1DFBCE>.<1> finished with error [-1200] Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=(
"<cert(0x7ff4ce854600) s: cttweb.test i: Homestead homestead Root CA>"
), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://cttweb.test/api/v1/login, NSErrorFailingURLStringKey=https://cttweb.test/api/v1/login, NSUnderlyingError=0x600001123ab0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x600002d55cb0>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=(
"<cert(0x7ff4ce854600) s: cttweb.test i: Homestead homestead Root CA>"
)}}, _NSURLErrorRelatedURLSessionTaskErrorKey=(
"LocalDataTask <BE791070-705B-4C7D-A1DB-F57BCF1DFBCE>.<1>"
), _kCFStreamErrorCodeKey=-9802, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <BE791070-705B-4C7D-A1DB-F57BCF1DFBCE>.<1>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x600002d55cb0>, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made.}
Login api error: An SSL error has occurred and a secure connection to the server cannot be made.
Optional(["task": ["Login api error: An SSL error has occurred and a secure connection to the server cannot be made."]])
I have tried restarting the simulator after installing the cert, same result. What am I doing wrong?
It looks like I may not be trusting the cert even after installing it, but I can't find a way to trust it.
The problem is that I had the website cert installed, but not the CA cert generated for my local web server. That was as easy as dragging the CA root cert into Safari on the simulator.

iOS simulator 'This connection is not private'

I've been trying to get the iOS simulator to play nice with our internal dev servers.
I've installed the root CA by dragging it to the simulator. It's enabled by default but I toggled it on/off anyway just to be sure.
I connected via Safari and got the error in the title. Connected via the app (actually XCTest) and got:
2020-03-30 11:45:53.001800+0300 xctest[20258:5222958] [] nw_coretls_callback_handshake_message_block_invoke_3 tls_handshake_continue: [-9812]
2020-03-30 11:45:53.001 xctest[20258:5222959] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
2020-03-30 11:45:53.004 xctest[20258:5222951] Error in <file/line>: Optional(Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “<domain>” which could put your confidential information at risk." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x7fd53fd12480>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9813, NSErrorPeerCertificateChainKey=(
"<cert(0x7fd546009200) s: <domain> i: <CA>>"
), NSUnderlyingError=0x7fd541a157e0 {Error Domain=kCFErrorDomainCFNetwork Code=-1202 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x7fd53fd12480>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9813, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9813, kCFStreamPropertySSLPeerCertificates=(
"<cert(0x7fd546009200) s: <domain> i: <CA>>"
)}}, NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “<domain>” which could put your confidential information at risk., NSErrorFailingURLKey=https://<url>, NSErrorFailingURLStringKey=<url>, NSErrorClientCertificateStateKey=0})
I've connected from chrome on Mac and it works fine. I actually copied the CA from the mac's keychain to the simulator.
Went over the checklist from https://support.apple.com/en-us/HT210176:
key size = 4096
hash algorithm is SHA-256 RSA
there's a DNS name in the SAN (but also in CN). It says CN names are not trusted but it doesn't say they're not allowed.
There's a value in EKU
It's valid for two years
I've also compared the certificate as presented in Safari iOS to that in Chrome Mac. Looks fine.
Finally, I've installed 10.3 on the simulator just to rule out some new bug/restriction.
Running on Catalina/Xcode 11.4
I'd appreciate help in one of the following:
An actual solution
Help diagnosing this. A link to more up to date requirements or a tool to see why the cert is failing.

Payfort does not work on the live server in the latest iOS version 13.3.1

The application I am currently working on is throwing an error when redirected to Payfort. This issue is seen on iOS but works properly on Android. Additionally, the redirection error/issue is not seen on the sandbox but rather observed on the production environment.
Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “paymentservices.payfort.com” which could put your confidential information at risk." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x600001894a20>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9807, NSErrorPeerCertificateChainKey=(
"<cert(0x7f828303b600) s: paymentservices.payfort.com i: Symantec Class 3 Secure Server CA - G4>",
"<cert(0x7f8283185a00) s: Symantec Class 3 Secure Server CA - G4 i: VeriSign Class 3 Public Primary Certification Authority - G5>"
), NSUnderlyingError=0x600002669530 {Error Domain=kCFErrorDomainCFNetwork Code=-1202 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x600001894a20>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9807, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9807, kCFStreamPropertySSLPeerCertificates=(
"<cert(0x7f828303b600) s: paymentservices.payfort.com i: Symantec Class 3 Secure Server CA - G4>",
"<cert(0x7f8283185a00) s: Symantec Class 3 Secure Server CA - G4 i: VeriSign Class 3 Public Primary Certification Authority - G5>"
)}}, NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “paymentservices.payfort.com” which could put your confidential information at risk., NSErrorFailingURLKey=https://paymentservices.payfort.com/FortAPI/paymentApi, NSErrorFailingURLStringKey=https://paymentservices.payfort.com/FortAPI/paymentApi, NSErrorClientCertificateStateKey=0}
The certificate for this server is invalid.
Contact the support staff at payfort.com and tell them their Symantec certificate is no longer accepted, due to security concerns. See e.g. https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/

iOS 12 App REST call over SSL fails on Cert exchange with custom CA cert

I am working on the server side of a system here, but I have an iOS question. There is a team (different time zone, so not online now) who are calling a REST API I provide, using an iOS app. iOS 12, I am pretty sure. They mailed me earlier to say that it's "hanging" and sent me the following log. I know iOS doesn't like self-signed certs, so I made a custom CA and signed a cert for my server. I sent them the custom CAs (issuing and root) and they appear to have installed them correctly as profiles on iOS. Does the trace below make any sense to anyone? I know this is a bit hand-wavy, but we are up against the wire on a regulatory project, and I'd really appreciate any insight that I could offer to my app development friends.
Error Domain=org.openid.appauth.general Code=-5 "(null)" UserInfo={NSUnderlyingError=0x280d86bb0 {Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x2831eb180>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, NSErrorPeerCertificateChainKey=(
"<cert(0x13e094e00) s: rhaxwayvd1.mid.xxx i: XXX plc Issuing CA 1>",
"<cert(0x13e095800) s: XXX plc Issuing CA 1 i: XXX plc Root CA>",
"<cert(0x13e096200) s: XXX plc Root CA i: XXX plc Root CA>"
), NSUnderlyingError=0x280d85b30 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x2831eb180>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=(
"<cert(0x13e094e00) s: rhaxwayvd1.mid.xxx i: XXX plc Issuing CA 1>",
"<cert(0x13e095800) s: XXX plc Issuing CA 1 i: AIB plc Root CA>",
"<cert(0x13e096200) s: XXX plc Root CA i: AIB plc Root CA>"
)}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://rhaxwayvd1.mid.xxx:8445/XXXApp/TokenExchange, NSErrorFailingURLStringKey=https://rhaxwayvd1.mid.xxx:8445/XXXApp/TokenExchange, NSErrorClientCertificateStateKey=0}}}
OK, lack of knowledge on my part, but I'll post the answer in case it helps someone in future. Although I mailed the custom CA cert to the iOS tester, and he installed it as a profile, that's not enough.
It is necessary to specify that you trust this CA on the device. This is done by navigating in the device settings to:
settings->general->about->Certificate Trust Settings
There you will see the newly installed custom CA. It is switched off by default, so it needs to be switched on.

Firebase error -9806, SSL error -1200

I'm using the new Firebase SDK introduced at I/O 2016, and I'm getting this error after integrating it with my app. This happens at app launch.
2016-08-06 06:28:06.237 MyApp[49084:2511094] CFNetwork SSLHandshake failed (-9806)
2016-08-06 06:28:06.238 MyApp[49084:2511094] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9806)
2016-08-06 06:28:06.453 MyApp[49084:2511094] CFNetwork SSLHandshake failed (-9806)
2016-08-06 06:28:06.454 MyApp[49084:2511094] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9806)
2016-08-06 06:28:06.854 MyApp[49084:2510825] <Firebase/Network/ERROR> Encounter network error. Error: Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSUnderlyingError=0x7bf93200 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9806, _kCFStreamErrorCodeKey=-9806, _kCFStreamErrorDomainKey=3, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x7bc97840>, kCFStreamPropertySSLPeerCertificates=<CFArray 0x7bcf2420 [0x477d1f8]>{type = immutable, count = 3, values = (
0 : <cert(0x7bc96990) s: *.googleapis.com i: Google Internet Authority G2>
1 : <cert(0x7bc96fb0) s: Google Internet Authority G2 i: GeoTrust Global CA>
2 : <cert(0x7bc97360) s: GeoTrust Global CA i: Equifax Secure Certificate Authority>)}}}, _kCFStreamErrorCodeKey=-9806, NSErrorFailingURLStringKey=https://play.googleapis.com/log, NSErrorPeerCertificateChainKey=<CFArray 0x7bcf2420 [0x477d1f8]>{type = immutable, count = 3, values = (
0 : <cert(0x7bc96990) s: *.googleapis.com i: Google Internet Authority G2>
1 : <cert(0x7bc96fb0) s: Google Internet Authority G2 i: GeoTrust Global CA>
2 : <cert(0x7bc97360) s: GeoTrust Global CA i: Equifax Secure Certificate Authority>)}, NSErrorClientCertificateStateKey=0, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x7bc97840>, NSErrorFailingURLKey=https://play.googleapis.com/log}
2016-08-06 06:28:06.856 MyApp[49084:] <FIRAnalytics/ERROR> Encounter network error. Error: Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSUnderlyingError=0x7b968c00 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9806, _kCFStreamErrorCodeKey=-9806, _kCFStreamErrorDomainKey=3, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x7b9abbb0>, kCFStreamPropertySSLPeerCertificates=<CFArray 0x7b8a2420 [0x477d1f8]>{type = immutable, count = 3, values = (
0 : <cert(0x7b9aaf40) s: *.google-analytics.com i: Google Internet Authority G2>
1 : <cert(0x7b9ab280) s: Google Internet Authority G2 i: GeoTrust Global CA>
2 : <cert(0x7b9ab630) s: GeoTrust Global CA i: Equifax Secure Certificate Authority>
)}}}, _kCFStreamErrorCodeKey=-9806, NSErrorFailingURLStringKey=https://app-measurement.com/config/app/1:926356559846:ios:74ac6682756d2bd6?app_instance_id=7590DD8CDAF44A3ABE3F39478A9EB2BE&platform=ios&gmp_version=3201, NSErrorPeerCertificateChainKey=<CFArray 0x7b8a2420 [0x477d1f8]>{type = immutable, count = 3, values = (
0 : <cert(0x7b9aaf40) s: *.google-analytics.com i: Google Internet Authority G2>
1 : <cert(0x7b9ab280) s: Google Internet Authority G2 i: GeoTrust Global CA>
2 : <cert(0x7b9ab630) s: GeoTrust Global CA i: Equifax Secure Certificate Authority>
)}, NSErrorClientCertificateStateKey=0, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x7b9abbb0>, NSErrorFailingURLKey=https://app-measurement.com/config/app/1:926356559846:ios:74ac6682756d2bd6?app_instance_id=7590DD8CDAF44A3ABE3F39478A9EB2BE&platform=ios&gmp_version=3201}
This is caused by App Transport Security on iOS 9+. Apple imposed restrictions on SSL certificates that not all servers meet.
If you owned the server that is generating this message, I would advise updating to a more secure, modern SSL server certificate. But since it is Google/Firebase's server, all we can do is disable App Transport Security specifically for this domain.
Here is the part listing the domain:
NSErrorFailingURLStringKey=https://app-measurement.com...
You need to add this domain to your Info.plist file as follows:
<key>NSExceptionDomains</key>
<dict>
    <!-- Firebase/Google Analytics server - Disables App Transport Security for this specific domain -->
    <key>app-measurement.com</key>
    <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
    </dict>
</dict>
Keep in mind that allowing insecure connections from a third-party server does potentially introduce a security vulnerability to your app. However, if you are not sending any sensitive data to the Analytics server (which you shouldn't do anyway), then the exposure should be minimal.
According to Apple's ATS documentation, including any ATS exceptions will trigger a review the next time you submit to the App Store, so you may want to consider that as well.
The problem is with the network. Sometimes the network condition is so slow that the connection times out and the SSL check cannot be made in time. This also happens more often on iOS 9.x, which requires better security. What iOS version and which device did you run it on? Did it happen every time at start?
Check the bundle identifier against the correct signing certificate. It might help.