I am trying to make my own network on top of the "test-network" provided in fabric-samples. Although the test-network runs fine, when i make my changes into it (like renaming org1 and org2 to some other names) all runs but the orderer container stops running after a few seconds,
docker logs for the container
2020-12-30 12:38:46.267 UTC [localconfig] completeInitialization -> WARN 001 General.GenesisFile should be replaced by General.BootstrapFile
2020-12-30 12:38:46.268 UTC [localconfig] completeInitialization -> INFO 002 Kafka.Version unset, setting to 0.10.2.0
2020-12-30 12:38:46.268 UTC [orderer.common.server] prettyPrintStruct -> INFO 003 Orderer config values:
General.ListenAddress = "0.0.0.0"
General.ListenPort = 7050
General.TLS.Enabled = true
General.TLS.PrivateKey = "/var/hyperledger/orderer/tls/server.key"
General.TLS.Certificate = "/var/hyperledger/orderer/tls/server.crt"
General.TLS.RootCAs = [/var/hyperledger/orderer/tls/ca.crt]
General.TLS.ClientAuthRequired = false
General.TLS.ClientRootCAs = []
General.TLS.TLSHandshakeTimeShift = 0s
General.Cluster.ListenAddress = ""
General.Cluster.ListenPort = 0
General.Cluster.ServerCertificate = ""
General.Cluster.ServerPrivateKey = ""
General.Cluster.ClientCertificate = "/var/hyperledger/orderer/tls/server.crt"
General.Cluster.ClientPrivateKey = "/var/hyperledger/orderer/tls/server.key"
General.Cluster.RootCAs = [/var/hyperledger/orderer/tls/ca.crt]
General.Cluster.DialTimeout = 5s
General.Cluster.RPCTimeout = 7s
General.Cluster.ReplicationBufferSize = 20971520
General.Cluster.ReplicationPullTimeout = 5s
General.Cluster.ReplicationRetryTimeout = 5s
General.Cluster.ReplicationBackgroundRefreshInterval = 5m0s
General.Cluster.ReplicationMaxRetries = 12
General.Cluster.SendBufferSize = 10
General.Cluster.CertExpirationWarningThreshold = 168h0m0s
General.Cluster.TLSHandshakeTimeShift = 0s
General.Keepalive.ServerMinInterval = 1m0s
General.Keepalive.ServerInterval = 2h0m0s
General.Keepalive.ServerTimeout = 20s
General.ConnectionTimeout = 0s
General.GenesisMethod = "file"
General.GenesisFile = "/var/hyperledger/orderer/orderer.genesis.block"
General.BootstrapMethod = "file"
General.BootstrapFile = "/var/hyperledger/orderer/orderer.genesis.block"
General.Profile.Enabled = false
General.Profile.Address = "0.0.0.0:6060"
General.LocalMSPDir = "/var/hyperledger/orderer/msp"
General.LocalMSPID = "OrdererMSP"
General.BCCSP.ProviderName = "SW"
General.BCCSP.SwOpts.SecLevel = 256
General.BCCSP.SwOpts.HashFamily = "SHA2"
General.BCCSP.SwOpts.Ephemeral = true
General.BCCSP.SwOpts.FileKeystore.KeyStorePath = ""
General.BCCSP.SwOpts.DummyKeystore =
General.BCCSP.SwOpts.InmemKeystore =
General.Authentication.TimeWindow = 15m0s
General.Authentication.NoExpirationChecks = false
FileLedger.Location = "/var/hyperledger/production/orderer"
FileLedger.Prefix = "hyperledger-fabric-ordererledger"
Kafka.Retry.ShortInterval = 5s
Kafka.Retry.ShortTotal = 10m0s
Kafka.Retry.LongInterval = 5m0s
Kafka.Retry.LongTotal = 12h0m0s
Kafka.Retry.NetworkTimeouts.DialTimeout = 10s
Kafka.Retry.NetworkTimeouts.ReadTimeout = 10s
Kafka.Retry.NetworkTimeouts.WriteTimeout = 10s
Kafka.Retry.Metadata.RetryMax = 3
Kafka.Retry.Metadata.RetryBackoff = 250ms
Kafka.Retry.Producer.RetryMax = 3
Kafka.Retry.Producer.RetryBackoff = 100ms
Kafka.Retry.Consumer.RetryBackoff = 2s
Kafka.Verbose = true
Kafka.Version = 0.10.2.0
Kafka.TLS.Enabled = false
Kafka.TLS.PrivateKey = ""
Kafka.TLS.Certificate = ""
Kafka.TLS.RootCAs = []
Kafka.TLS.ClientAuthRequired = false
Kafka.TLS.ClientRootCAs = []
Kafka.TLS.TLSHandshakeTimeShift = 0s
Kafka.SASLPlain.Enabled = false
Kafka.SASLPlain.User = ""
Kafka.SASLPlain.Password = ""
Kafka.Topic.ReplicationFactor = 1
Debug.BroadcastTraceDir = ""
Debug.DeliverTraceDir = ""
Consensus = map[SnapDir:/var/hyperledger/production/orderer/etcdraft/snapshot WALDir:/var/hyperledger/production/orderer/etcdraft/wal]
Operations.ListenAddress = "127.0.0.1:8443"
Operations.TLS.Enabled = false
Operations.TLS.PrivateKey = ""
Operations.TLS.Certificate = ""
Operations.TLS.RootCAs = []
Operations.TLS.ClientAuthRequired = false
Operations.TLS.ClientRootCAs = []
Operations.TLS.TLSHandshakeTimeShift = 0s
Metrics.Provider = "disabled"
Metrics.Statsd.Network = "udp"
Metrics.Statsd.Address = "127.0.0.1:8125"
Metrics.Statsd.WriteInterval = 30s
Metrics.Statsd.Prefix = ""
ChannelParticipation.Enabled = false
ChannelParticipation.RemoveStorage = false
2020-12-30 12:38:46.295 UTC [orderer.common.server] initializeServerConfig -> INFO 004 Starting orderer with TLS enabled
2020-12-30 12:38:46.658 UTC [orderer.common.server] Main -> INFO 005 Not bootstrapping the system channel because of existing channels
2020-12-30 12:38:46.761 UTC [orderer.common.server] selectClusterBootBlock -> INFO 006 Cluster boot block is bootstrap (genesis) block; Blocks Header.Number system-channel=0, bootstrap=0
2020-12-30 12:38:46.766 UTC [orderer.common.server] Main -> INFO 007 Starting with system channel: system-channel, consensus type: etcdraft
2020-12-30 12:38:46.766 UTC [orderer.common.server] Main -> INFO 008 Setting up cluster
2020-12-30 12:38:46.766 UTC [orderer.common.server] reuseListener -> INFO 009 Cluster listener is not configured, defaulting to use the general listener on port 7050
2020-12-30 12:38:46.766 UTC [orderer.common.server] reuseListener -> INFO 00a Cluster listener is not configured, defaulting to use the general listener on port 7050
2020-12-30 12:38:46.772 UTC [orderer.common.cluster] loadVerifier -> INFO 00b Loaded verifier for channel system-channel from config block at index 0
2020-12-30 12:38:46.772 UTC [certmonitor] trackCertExpiration -> INFO 00c The enrollment certificate will expire on 2021-12-30 12:39:00 +0000 UTC
2020-12-30 12:38:46.772 UTC [certmonitor] trackCertExpiration -> INFO 00d The server TLS certificate will expire on 2021-12-30 12:39:00 +0000 UTC
2020-12-30 12:38:46.772 UTC [certmonitor] trackCertExpiration -> INFO 00e The client TLS certificate will expire on 2021-12-30 12:39:00 +0000 UTC
2020-12-30 12:38:46.782 UTC [orderer.consensus.etcdraft] detectSelfID -> WARN 00f Could not find -----BEGIN CERTIFICATE-----
MIICyjCCAnGgAwIBAgIUYfzAFhIUFlpkY0tXOAZG+dNHwL0wCgYIKoZIzj0EAwIw
XjELMAkGA1UEBhMCUEsxDzANBgNVBAgTBlB1bmphYjEPMA0GA1UEBxMGTGFob3Jl
MRQwEgYDVQQKEwtzc2gtaGhtLmNvbTEXMBUGA1UEAxMOY2Euc3NjLWhobS5jb20w
HhcNMjAxMjMwMTIzNDAwWhcNMjExMjMwMTIzOTAwWjBgMQswCQYDVQQGEwJVUzEX
MBUGA1UECBMOTm9ydGggQ2Fyb2xpbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMRAw
DgYDVQQLEwdvcmRlcmVyMRAwDgYDVQQDEwdvcmRlcmVyMFkwEwYHKoZIzj0CAQYI
KoZIzj0DAQcDQgAEGZ/xCBprojm/iSrRdNosCSvGR/3nLZ8mtqPlhkLCTZouptr0
RqYxFqMdCDQe0Sh8a0ZnwvB9cnSQiQpNQdcdBaOCAQkwggEFMA4GA1UdDwEB/wQE
AwIDqDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIw
ADAdBgNVHQ4EFgQUOfdnd2a46tUDkeGYyILJ3hVlXlgwHwYDVR0jBBgwFoAUeDHp
ud9ZRsgehfOLprCK/Wpw0H8wKQYDVR0RBCIwIIITb3JkZXJlci5zc2MtaGhtLmNv
bYIJbG9jYWxob3N0MFsGCCoDBAUGBwgBBE97ImF0dHJzIjp7ImhmLkFmZmlsaWF0
aW9uIjoiIiwiaGYuRW5yb2xsbWVudElEIjoib3JkZXJlciIsImhmLlR5cGUiOiJv
cmRlcmVyIn19MAoGCCqGSM49BAMCA0cAMEQCID1dC/QtexQQDHyUcWh7b9Adti4l
P6XVl9P1V0PtByhAAiBh6UoaAmved5zr9rDvKbVPpte6N+2ANrbft9wV7UrAbw==
-----END CERTIFICATE-----
among [-----BEGIN CERTIFICATE-----
MIICZDCCAgugAwIBAgIRAKjhbRj45MuremeCXWn8wzIwCgYIKoZIzj0EAwIwbDEL
MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBG
cmFuY2lzY28xFDASBgNVBAoTC3NzYy1oaG0uY29tMRowGAYDVQQDExF0bHNjYS5z
c2MtaGhtLmNvbTAeFw0yMDEyMjkxMDM2MDBaFw0zMDEyMjcxMDM2MDBaMFgxCzAJ
BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJh
bmNpc2NvMRwwGgYDVQQDExNvcmRlcmVyLnNzYy1oaG0uY29tMFkwEwYHKoZIzj0C
AQYIKoZIzj0DAQcDQgAEL/gYIN8w69hi/abMkdDmCBpJEhokhcPcx1mmICf8+9Aa
dSwfRpCbN4GQ71mOUwfh6U5PglXwMkJrXmn/TczaQKOBoTCBnjAOBgNVHQ8BAf8E
BAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQC
MAAwKwYDVR0jBCQwIoAgVk5hX37poZ0h4MjMfqtYZte2PEoJs6DwR0lhPOXMBVsw
MgYDVR0RBCswKYITb3JkZXJlci5zc2MtaGhtLmNvbYIHb3JkZXJlcoIJbG9jYWxo
b3N0MAoGCCqGSM49BAMCA0cAMEQCIFGU5BMMpcmkIG1tmA3rwsm2h0Yn6bOT/GU9
oLxTg57iAiB9TaK9uBaYSF0GkpH+fvmhiQ0egSxRcwaXWi99C/V1rA==
-----END CERTIFICATE-----
]
2020-12-30 12:38:46.782 UTC [orderer.common.onboarding] TrackChain -> INFO 010 Adding system-channel to the set of chains to track
2020-12-30 12:38:46.782 UTC [orderer.commmon.multichannel] Initialize -> INFO 011 Starting system channel 'system-channel' with genesis block hash 8d267aa91012044d668ed2f377d485df675b181a5a02d10addf05ec9ef1c77fc and orderer type etcdraft
2020-12-30 12:38:46.783 UTC [orderer.common.server] Main -> INFO 012 Starting orderer:
Version: 2.2.1
Commit SHA: 344fda6
Go version: go1.14.4
OS/Arch: linux/amd64
2020-12-30 12:38:46.783 UTC [orderer.common.server] Main -> INFO 013 Beginning to serve requests
2020-12-30 12:38:56.775 UTC [orderer.common.onboarding] replicateDisabledChains -> INFO 014 Found 1 inactive chains: [system-channel]
2020-12-30 12:38:56.776 UTC [orderer.common.cluster] ReplicateChains -> INFO 015 Will now replicate chains [system-channel]
2020-12-30 12:38:56.786 UTC [orderer.common.cluster] discoverChannels -> INFO 016 Discovered 1 channels: [system-channel]
2020-12-30 12:38:56.786 UTC [orderer.common.cluster] channelsToPull -> INFO 017 Evaluating channels to pull: [system-channel]
2020-12-30 12:38:56.786 UTC [orderer.common.cluster] channelsToPull -> INFO 018 Probing whether I should pull channel system-channel
2020-12-30 12:38:56.790 UTC [core.comm] ServerHandshake -> ERRO 019 TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=172.21.0.8:59898
2020-12-30 12:38:57.793 UTC [core.comm] ServerHandshake -> ERRO 01a TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=172.21.0.8:59900
2020-12-30 12:38:59.432 UTC [core.comm] ServerHandshake -> ERRO 01b TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=172.21.0.8:59902
2020-12-30 12:39:01.881 UTC [core.comm] ServerHandshake -> ERRO 01c TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=172.21.0.8:59904
2020-12-30 12:39:03.787 UTC [orderer.common.cluster.replication] probeEndpoint -> WARN 01d Failed connecting to {"CAs":[{"Expired":false,"Issuer":"self","Subject":"CN=tlsca.ssc-hhm.com,O=ssc-hhm.com,L=San Francisco,ST=California,C=US"}],"Endpoint":"orderer.ssc-hhm.com:7050"}: failed to create new connection: context deadline exceeded channel=system-channel
2020-12-30 12:39:03.788 UTC [orderer.common.cluster.replication] func1 -> WARN 01e Received error of type 'failed to create new connection: context deadline exceeded' from {"CAs":[{"Expired":false,"Issuer":"self","Subject":"CN=tlsca.ssc-hhm.com,O=ssc-hhm.com,L=San Francisco,ST=California,C=US"}],"Endpoint":"orderer.ssc-hhm.com:7050"} channel=system-channel
2020-12-30 12:39:03.788 UTC [orderer.common.cluster.replication] HeightsByEndpoints -> INFO 01f Returning the heights of OSNs mapped by endpoints map[] channel=system-channel
2020-12-30 12:39:03.788 UTC [orderer.common.cluster] channelsToPull -> WARN 020 Could not obtain blocks needed for classifying whether I am in the channel,skipping the retrieval of the chan system-channel
2020-12-30 12:39:03.788 UTC [orderer.common.cluster] ReplicateChains -> INFO 021 Found myself in 0 channels out of 1 : {[] [{system-channel 0xc0006e7580}]}
2020-12-30 12:39:03.788 UTC [orderer.common.cluster] appendBlock -> INFO 022 Skipping commit of block [0] for channel system-channel because height is at 1
2020-12-30 12:39:03.788 UTC [orderer.common.cluster] PullChannel -> INFO 023 Pulling channel system-channel
2020-12-30 12:39:03.793 UTC [core.comm] ServerHandshake -> ERRO 024 TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=172.21.0.8:59906
2020-12-30 12:39:04.797 UTC [core.comm] ServerHandshake -> ERRO 025 TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=172.21.0.8:59908
2020-12-30 12:39:06.430 UTC [core.comm] ServerHandshake -> ERRO 026 TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=172.21.0.8:59910
2020-12-30 12:39:08.952 UTC [core.comm] ServerHandshake -> ERRO 027 TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=172.21.0.8:59912
2020-12-30 12:39:10.790 UTC [orderer.common.cluster.replication] probeEndpoint -> WARN 028 Failed connecting to {"CAs":[{"Expired":false,"Issuer":"self","Subject":"CN=tlsca.ssc-hhm.com,O=ssc-hhm.com,L=San Francisco,ST=California,C=US"}],"Endpoint":"orderer.ssc-hhm.com:7050"}: failed to create new connection: context deadline exceeded channel=system-channel
2020-12-30 12:39:10.790 UTC [orderer.common.cluster.replication] func1 -> WARN 029 Received error of type 'failed to create new connection: context deadline exceeded' from {"CAs":[{"Expired":false,"Issuer":"self","Subject":"CN=tlsca.ssc-hhm.com,O=ssc-hhm.com,L=San Francisco,ST=California,C=US"}],"Endpoint":"orderer.ssc-hhm.com:7050"} channel=system-channel
2020-12-30 12:39:10.790 UTC [orderer.common.cluster.replication] HeightsByEndpoints -> INFO 02a Returning the heights of OSNs mapped by endpoints map[] channel=system-channel
2020-12-30 12:39:10.790 UTC [orderer.common.cluster] ReplicateChains -> PANI 02b Failed pulling system channel: failed obtaining the latest block for channel system-channel
panic: Failed pulling system channel: failed obtaining the latest block for channel system-channel
goroutine 28 [running]:
go.uber.org/zap/zapcore.(*CheckedEntry).Write(0xc000151340, 0x0, 0x0, 0x0)
/go/src/github.com/hyperledger/fabric/vendor/go.uber.org/zap/zapcore/entry.go:230 +0x545
go.uber.org/zap.(*SugaredLogger).log(0xc000209240, 0xc00044b304, 0x101fc6d, 0x21, 0xc0000f9c40, 0x1, 0x1, 0x0, 0x0, 0x0)
/go/src/github.com/hyperledger/fabric/vendor/go.uber.org/zap/sugar.go:234 +0x100
go.uber.org/zap.(*SugaredLogger).Panicf(...)
/go/src/github.com/hyperledger/fabric/vendor/go.uber.org/zap/sugar.go:159
github.com/hyperledger/fabric/common/flogging.(*FabricLogger).Panicf(...)
/go/src/github.com/hyperledger/fabric/common/flogging/zap.go:74
github.com/hyperledger/fabric/orderer/common/cluster.(*Replicator).ReplicateChains(0xc0003dfe00, 0xc00054e340, 0xc0002c0200, 0xc0003dfe00)
/go/src/github.com/hyperledger/fabric/orderer/common/cluster/replication.go:166 +0x49d
github.com/hyperledger/fabric/orderer/common/onboarding.(*ReplicationInitiator).ReplicateChains(0xc00027e400, 0xc00054e340, 0xc0002c0000, 0x1, 0x1, 0x0, 0x0, 0x0)
/go/src/github.com/hyperledger/fabric/orderer/common/onboarding/onboarding.go:185 +0x1e3
github.com/hyperledger/fabric/orderer/common/onboarding.(*InactiveChainReplicator).replicateDisabledChains(0xc000207920)
/go/src/github.com/hyperledger/fabric/orderer/common/onboarding/onboarding.go:312 +0x225
github.com/hyperledger/fabric/orderer/common/onboarding.(*InactiveChainReplicator).Run(0xc000207920)
/go/src/github.com/hyperledger/fabric/orderer/common/onboarding/onboarding.go:290 +0x42
created by github.com/hyperledger/fabric/orderer/common/server.initializeEtcdraftConsenter
/go/src/github.com/hyperledger/fabric/orderer/common/server/main.go:777 +0x218
I am very much new to Fabric. I am trying to make a network for SupplyChain with 3 orgs : Manufacturer, Supplier and Retailer. If anyone could guide me here, their help would be greatly appreciated.
I am using Hyperledger Fabric 2.0 on Ubuntu 18.04.
With help of #myeongkil kim I was able to solve this issue. The solution was I just had to remove all the docker volumes by docker volume prune and after this, bringing the network back up solves this problem.
The prob comes from a bad TLS certificate used by the new ordered. Check the log of other ordereres and you would get some hints about this.
Related
My log error This is..
Anything more if needed then please comment below. I think this is the issue i am getting for expiration time. But i want to know how to solve this type of issue if get in future. How to basically solve this issue. can i create jwt token everytime after time expiration?
. ____ _ __ _ _
/\\ / ___'_ __ _ _(_)_ __ __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
\\/ ___)| |_)| | | | | || (_| | ) ) ) )
' |____| .__|_| |_|_| |_\__, | / / / /
=========|_|==============|___/=/_/_/_/
:: Spring Boot :: (v2.2.2.RELEASE)
2020-05-16 21:29:23.574 INFO 5924 --- [ main] .j.a.SpringSecurityJwtExampleApplication : Starting SpringSecurityJwtExampleApplication on S-PC with PID 5924 (D:\eclipse-workspace\spring-security-jwt-example-master\target\classes started by S in D:\eclipse-workspace\spring-security-jwt-example-master)
2020-05-16 21:29:23.592 INFO 5924 --- [ main] .j.a.SpringSecurityJwtExampleApplication : No active profile set, falling back to default profiles: default
2020-05-16 21:29:25.301 INFO 5924 --- [ main] .s.d.r.c.RepositoryConfigurationDelegate : Bootstrapping Spring Data JPA repositories in DEFAULT mode.
2020-05-16 21:29:25.461 INFO 5924 --- [ main] .s.d.r.c.RepositoryConfigurationDelegate : Finished Spring Data repository scanning in 140ms. Found 1 JPA repository interfaces.
2020-05-16 21:29:26.478 INFO 5924 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.transaction.annotation.ProxyTransactionManagementConfiguration' of type [org.springframework.transaction.annotation.ProxyTransactionManagementConfiguration] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2020-05-16 21:29:27.421 INFO 5924 --- [ main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat initialized with port(s): 9002 (http)
2020-05-16 21:29:27.440 INFO 5924 --- [ main] o.apache.catalina.core.StandardService : Starting service [Tomcat]
2020-05-16 21:29:27.441 INFO 5924 --- [ main] org.apache.catalina.core.StandardEngine : Starting Servlet engine: [Apache Tomcat/9.0.29]
2020-05-16 21:29:27.721 INFO 5924 --- [ main] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring embedded WebApplicationContext
2020-05-16 21:29:27.721 INFO 5924 --- [ main] o.s.web.context.ContextLoader : Root WebApplicationContext: initialization completed in 4002 ms
2020-05-16 21:29:28.065 INFO 5924 --- [ main] com.zaxxer.hikari.HikariDataSource : HikariPool-1 - Starting...
2020-05-16 21:29:28.071 WARN 5924 --- [ main] com.zaxxer.hikari.util.DriverDataSource : Registered driver with driverClassName=com.mysql.jdbc.Driver was not found, trying direct instantiation.
Loading class `com.mysql.jdbc.Driver'. This is deprecated. The new driver class is `com.mysql.cj.jdbc.Driver'. The driver is automatically registered via the SPI and manual loading of the driver class is generally unnecessary.
2020-05-16 21:29:29.294 INFO 5924 --- [ main] com.zaxxer.hikari.HikariDataSource : HikariPool-1 - Start completed.
2020-05-16 21:29:29.438 INFO 5924 --- [ main] o.hibernate.jpa.internal.util.LogHelper : HHH000204: Processing PersistenceUnitInfo [name: default]
2020-05-16 21:29:29.596 INFO 5924 --- [ main] org.hibernate.Version : HHH000412: Hibernate Core {5.4.9.Final}
2020-05-16 21:29:29.953 INFO 5924 --- [ main] o.hibernate.annotations.common.Version : HCANN000001: Hibernate Commons Annotations {5.1.0.Final}
2020-05-16 21:29:30.264 INFO 5924 --- [ main] org.hibernate.dialect.Dialect : HHH000400: Using dialect: org.hibernate.dialect.MySQL8Dialect
2020-05-16 21:29:31.640 INFO 5924 --- [ main] o.h.e.t.j.p.i.JtaPlatformInitiator : HHH000490: Using JtaPlatform implementation: [org.hibernate.engine.transaction.jta.platform.internal.NoJtaPlatform]
2020-05-16 21:29:31.689 INFO 5924 --- [ main] j.LocalContainerEntityManagerFactoryBean : Initialized JPA EntityManagerFactory for persistence unit 'default'
2020-05-16 21:29:32.511 WARN 5924 --- [ main] JpaBaseConfiguration$JpaWebConfiguration : spring.jpa.open-in-view is enabled by default. Therefore, database queries may be performed during view rendering. Explicitly configure spring.jpa.open-in-view to disable this warning
2020-05-16 21:29:32.959 INFO 5924 --- [ main] o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: any request, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter#47eaf55c, org.springframework.security.web.context.SecurityContextPersistenceFilter#994544, org.springframework.security.web.header.HeaderWriterFilter#1d944fc0, org.springframework.security.web.authentication.logout.LogoutFilter#2c16677c, com.javatechie.jwt.api.filter.JwtFilter#65859b44, org.springframework.security.web.savedrequest.RequestCacheAwareFilter#6f0c45f4, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter#3335afcf, org.springframework.security.web.authentication.AnonymousAuthenticationFilter#2c0798bd, org.springframework.security.web.session.SessionManagementFilter#7548e1fb, org.springframework.security.web.access.ExceptionTranslationFilter#30cafd13, org.springframework.security.web.access.intercept.FilterSecurityInterceptor#1f39269d]
2020-05-16 21:29:33.324 INFO 5924 --- [ main] o.s.s.concurrent.ThreadPoolTaskExecutor : Initializing ExecutorService 'applicationTaskExecutor'
2020-05-16 21:29:34.331 INFO 5924 --- [ main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat started on port(s): 9002 (http) with context path ''
2020-05-16 21:29:34.335 INFO 5924 --- [ main] .j.a.SpringSecurityJwtExampleApplication : Started SpringSecurityJwtExampleApplication in 12.188 seconds (JVM running for 13.014)
2020-05-16 21:29:40.858 INFO 5924 --- [nio-9002-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring DispatcherServlet 'dispatcherServlet'
2020-05-16 21:29:40.859 INFO 5924 --- [nio-9002-exec-1] o.s.web.servlet.DispatcherServlet : Initializing Servlet 'dispatcherServlet'
2020-05-16 21:29:40.880 INFO 5924 --- [nio-9002-exec-1] o.s.web.servlet.DispatcherServlet : Completed initialization in 21 ms
2020-05-16 21:29:41.080 ERROR 5924 --- [nio-9002-exec-1] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception
io.jsonwebtoken.ExpiredJwtException: JWT expired at 2020-05-13T07:50:39Z. Current time: 2020-05-16T21:29:41Z, a difference of 308342064 milliseconds. Allowed clock skew: 0 milliseconds.
at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:385) ~[jjwt-0.9.1.jar:0.9.1]
at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:481) ~[jjwt-0.9.1.jar:0.9.1]
at io.jsonwebtoken.impl.DefaultJwtParser.parseClaimsJws(DefaultJwtParser.java:541) ~[jjwt-0.9.1.jar:0.9.1]
at com.javatechie.jwt.api.util.JwtUtil.extractAllClaims(JwtUtil.java:32) ~[classes/:na]
at com.javatechie.jwt.api.util.JwtUtil.extractClaim(JwtUtil.java:28) ~[classes/:na]
at com.javatechie.jwt.api.util.JwtUtil.extractUsername(JwtUtil.java:20) ~[classes/:na]
at com.javatechie.jwt.api.filter.JwtFilter.doFilterInternal(JwtFilter.java:38) ~[classes/:na]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.2.RELEASE.jar:5.2.2.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.2.RELEASE.jar:5.2.2.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.2.RELEASE.jar:5.2.2.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) ~[spring-web-5.2.2.RELEASE.jar:5.2.2.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) ~[spring-web-5.2.2.RELEASE.jar:5.2.2.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-9.0.29.jar:9.0.29]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.29.jar:9.0.29]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-5.2.2.RELEASE.jar:5.2.2.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.2.RELEASE.jar:5.2.2.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-9.0.29.jar:9.0.29]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.29.jar:9.0.29]
at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) ~[spring-web-5.2.2.RELEASE.jar:5.2.2.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.2.RELEASE.jar:5.2.2.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-9.0.29.jar:9.0.29]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.29.jar:9.0.29]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-5.2.2.RELEASE.jar:5.2.2.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.2.RELEASE.jar:5.2.2.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-9.0.29.jar:9.0.29]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.29.jar:9.0.29]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) ~[tomcat-embed-core-9.0.29.jar:9.0.29]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [tomcat-embed-core-9.0.29.jar:9.0.29]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:526) [tomcat-embed-core-9.0.29.jar:9.0.29]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) [tomcat-embed-core-9.0.29.jar:9.0.29]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [tomcat-embed-core-9.0.29.jar:9.0.29]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) [tomcat-embed-core-9.0.29.jar:9.0.29]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [tomcat-embed-core-9.0.29.jar:9.0.29]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367) [tomcat-embed-core-9.0.29.jar:9.0.29]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) [tomcat-embed-core-9.0.29.jar:9.0.29]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860) [tomcat-embed-core-9.0.29.jar:9.0.29]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1591) [tomcat-embed-core-9.0.29.jar:9.0.29]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-9.0.29.jar:9.0.29]
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [na:1.8.0_251]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [na:1.8.0_251]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-9.0.29.jar:9.0.29]
at java.lang.Thread.run(Unknown Source) [na:1.8.0_251]
This is my JwtUtil class. I have created a time limit of expiration of 10 hours.
package com.sushovan.jwt.security.jwtutil;
//import java.security.Signature;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Service;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
#Service
public class MyJwtUtil {
private String secret = "sushovan";
public <T> T extractClaims(String token, Function<Claims,T> claimResolver) {
final Claims claims = extractAllClaims(token);
return claimResolver.apply(claims);
}
private Claims extractAllClaims(String token) {
return Jwts.parser().setSigningKey(secret).parseClaimsJws(token).getBody();
}
public String extractUserName(String token) {
return extractClaims(token, Claims::getSubject);
}
public Date extractexpiration(String token) {
return extractClaims(token, Claims::getExpiration);
}
private Boolean isTokenExpired(String token) {
return extractexpiration(token).before(new Date());
}
public String generateToken(String username) {
Map<String,Object> claims = new HashMap<>();
return createToken(claims, username);
}
private String createToken(Map<String, Object> claims, String subject) {
return Jwts.builder().setClaims(claims).setSubject(subject).setIssuedAt(new Date(System.currentTimeMillis()))
.setExpiration(new Date(System.currentTimeMillis() + 1000 * 60 * 60 * 10))
.signWith(SignatureAlgorithm.HS256, secret).compact();
}
public Boolean validateToken(String token, UserDetails userDetails) {
final String username = extractUserName(token);
return (username.equals(userDetails.getUsername()) && !isTokenExpired(token));
}
}
When I try to start the deployed app, I get this error:
initial_call: {supervisor,kernel,['Argument__1']}
pid: <0.1762.0>
registered_name: []
error_info: {exit,{on_load_function_failed,re2},[{gen_server,init_it,6,[{file,"gen_server.erl"},{line,352}]},{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,247}]}]}
ancestors: [kernel_sup,<0.1738.0>]
messages: []
links: [<0.1739.0>]
dictionary: []
trap_exit: true
status: running
heap_size: 376
stack_size: 27
reductions: 117
2017-06-19 11:51:18 supervisor_report
supervisor: {local,kernel_sup}
errorContext: start_error
reason: {on_load_function_failed,re2}
offender: [{pid,undefined},{id,kernel_safe_sup},{mfargs,{supervisor,start_link,[{local,kernel_safe_sup},kernel,safe]}},{restart_type,permanent},{shutdown,infinity},{child_type,supervisor}]
2017-06-19 11:51:19 crash_report
initial_call: {application_master,init,['Argument__1','Argument__2','Argument__3','Argument__4']}
pid: <0.1737.0>
registered_name: []
error_info: {exit,{{shutdown,{failed_to_start_child,kernel_safe_sup,{on_load_function_failed,re2}}},{kernel,start,[normal,[]]}},[{application_master,init,4,[{file,"application_master.erl"},{line,134}]},{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,247}]}]}
ancestors: [<0.1736.0>]
messages: [{'EXIT',<0.1738.0>,normal}]
links: [<0.1736.0>,<0.1735.0>]
dictionary: []
trap_exit: true
status: running
heap_size: 376
stack_size: 27
reductions: 152
2017-06-19 11:51:19 std_info
application: kernel
exited: {{shutdown,{failed_to_start_child,kernel_safe_sup,{on_load_function_failed,re2}}},{kernel,start,[normal,[]]}}
type: permanent
{"Kernel pid terminated",application_controller,"{application_start_failure,kernel,{{shutdown,{failed_to_start_child,kernel_safe_sup,{on_load_function_failed,re2}}},{kernel,start,[normal,[]]}}}"}
Kernel pid terminated (application_controller) ({application_start_failure,kernel,{{shutdown,{failed_to_start_child,kernel_safe_sup,{on_load_function_failed,re2}}},{kernel,start,[normal,[]]}}})
But I have no idea how to solve this error.. any idea?
Phoenix app start:
def start(_type, _args) do
import Supervisor.Spec, warn: false
children = [
# Start the endpoint when the application starts
supervisor(MyApp.Endpoint, []),
# Start the endpoint for schools
supervisor(MyApp.Schools.Endpoint, []),
# Start the Ecto repository
supervisor(MyApp.Schools.Repo, []),
supervisor(MyApp.Repo, []),
]
opts = [strategy: :one_for_one, name: MyApp.Supervisor]
Supervisor.start_link(children, opts)
end
Okay, I am new to the wide wonders of SSL certificates and authentication so I am probably doing something very very obviously wrong here. But I am trying to setup an NSURLSession to download a file from server proxied through an SSL Gateway. For reasons involved with the solution we are building we want to use a non-standard CA for signing the cert. As a result I have a CACert, server certificate and a server private key. These have been worked into a pkcs12 file which I load to get the identity from the file and I then try to do a security trust evaluation with that cert.
What I get is that if I connect to a server that uses a publicly signed cert then the server trust authentication works just fine and I get the callbacks I am expecting. So I know I've done the delegate hookup correctly.
However with the client certificate challenge on the test URL indicated in the code I get a -9802 error. Which suggests that either the cert is being evaluated properly or I have got something else wrong. Indeed the server tries to move on to ServerTrust and then curls everything up. (But curiously the didBecomeInvalidWithError callback doesn't get called, which I was expecting when everything goes wrong.)
I have turned CFNetworking diagnostics on and the device log ends up looking like this :-
Oct 27 15:38:38 Philip-Banks-ipod MPEtestApplication[793] <Notice>: CFNetwork Diagnostics [3:2] 15:38:38.524 {
AddCookies Continue: request GET https://103.20.137.69:444/downloadfile.aspx?filename=MON___00DADDF5FFFF00&tspid=100581332001 HTTP/1.1
HTTPProtocol: Task: 14dcc7c0
} [3:2]
Oct 27 15:38:38 Philip-Banks-ipod MPEtestApplication[793] <Notice>: CFNetwork Diagnostics [3:3] 15:38:38.526 {
Protocol Enqueue: request GET https://103.20.137.69:444/downloadfile.aspx?filename=MON___00DADDF5FFFF00&tspid=100581332001 HTTP/1.1
Request: <CFURLRequest 0x14f48f60 [0x38002170]> {url = https://103.20.137.69:444/downloadfile.aspx?filename=MON___00DADDF5FFFF00&tspid=100581332001, cs = 0x0}
Message: GET https://103.20.137.69:444/downloadfile.aspx?filename=MON___00DADDF5FFFF00&tspid=100581332001 HTTP/1.1
Sending: dict [4] {
Accept-Encoding: gzip, deflate
Accept-Language: en-us
Accept: */
}
} [3:3]
Oct 27 15:38:38 Philip-Banks-ipod MPEtestApplication[793] <Notice>: CFNetwork Diagnostics [3:4] 15:38:38.533 {
SocketStream IO Logging
} [3:4]
Oct 27 15:38:38 Philip-Banks-ipod MPEtestApplication[793] <Notice>: CFNetwork Diagnostics [3:5] 15:38:38.544 {
TCP Connection Created
conn: 0x14f53d10 for name 103.20.137.69, port 444
} [3:5]
Oct 27 15:38:38 Philip-Banks-ipod MPEtestApplication[793] <Notice>: CFNetwork Diagnostics [3:6] 15:38:38.548 {
TCP Connection Start
conn: 0x14f53d10
} [3:6]
Oct 27 15:38:38 Philip-Banks-ipod MPEtestApplication[793] <Notice>: CFNetwork Diagnostics [3:7] 15:38:38.610 {
SocketStream TCP Connection Complete
conn: 0x14f53d10
fd: 7
error: 0
} [3:7]
Oct 27 15:38:38 Philip-Banks-ipod MPEtestApplication[793] <Notice>: CFNetwork Diagnostics [3:8] 15:38:38.613 {
{ fd: 7, local 10.47.29.209:53929 => peer 103.20.137.69:444 } RAW-SENT 201
RAW-SENT (7) | > data [ 201 ] bytes {
RAW-SENT (7) | > 00000000: 1603 0300 c401 0000 c003 0358 1168 ae99 ...........X.h..
RAW-SENT (7) | > 00000010: 94f9 5ed2 d848 bb05 c846 5654 71c9 e3c9 ..^..H...FVTq...
RAW-SENT (7) | > 00000020: cd65 210b a324 dacc 75e2 a900 0018 00ff .e!..$..u.......
RAW-SENT (7) | > 00000030: c02c c02b c024 c00a c023 c009 c030 c02f .,.+.$.-.#...0./
RAW-SENT (7) | > 00000040: c028 c027 c013 0100 007f 0000 0012 0010 .(.'............
RAW-SENT (7) | > 00000050: 0000 0d31 3033 2e32 302e 3133 372e 3639 ..-103.20.137.69
RAW-SENT (7) | > 00000060: 000a 0008 0006 0017 0018 0019 000b 0002 .-..............
RAW-SENT (7) | > 00000070: 0100 000d 000e 000c 0501 0401 0201 0503 ...-............
RAW-SENT (7) | > 00000080: 0403 0203 3374 0000 0010 0030 002e 0268 ....3t.....0...h
RAW-SENT (7) | > 00000090: 3205 6832 2d31 3605 6832 2d31 3505 6832 2.h2-16.h2-15.h2
RAW-SENT (7) | > 000000a0: 2d31 3408 7370 6479 2f33 2e31 0673 7064 -14.spdy/3.1.spd
RAW-SENT (7) | > 000000b0: 792f 3308 6874 7470 2f31 2e31 0005 0005 y/3.http/1.1....
RAW-SENT (7) | > 000000c0: 0100 0000 0000 1200 00 .........
RAW-SENT (7) | > }
} [3:8]
Oct 27 15:38:38 Philip-Banks-ipod MPEtestApplication[793] <Notice>: CFNetwork Diagnostics [3:9] 15:38:38.617 {
ioLogger
logStruct: array [4] {
BEGIN SSL RECORD DECODE: SENT
decodeHandshake [0] # 0x14f5d915, version 303, length 196 (0xc4)
ClientHello (1, 0x1), length 192 (0xc0)
END SSL RECORD DECODE: SENT
}
} [3:9]
Oct 27 15:38:38 Philip-Banks-ipod MPEtestApplication[793] <Notice>: CFNetwork Diagnostics [3:10] 15:38:38.718 {
{ fd: 7, local 10.47.29.209:53929 => peer 103.20.137.69:444 } RAW-READ 1368
RAW-READ (7) | < data [ 1368 ] bytes {
RAW-READ (7) | < 00000000: 1603 0305 a002 0000 4d03 0358 1168 b65d ........M..X.h.]
RAW-READ (7) | < 00000010: 4b61 2b40 e5f7 65d5 bbea a3d1 ce5d 113f Ka+#..e......].?
RAW-READ (7) | < 00000020: 86be 2d04 9288 fd34 2a86 d620 5811 68b6 ..-....4*.. X.h.
RAW-READ (7) | < 00000030: 51f5 0beb 192f 0954 9556 c1f8 6d18 1f4b Q..../.T.V..m..K
RAW-READ (7) | < 00000040: 5304 638c a110 b2f6 09ab cff2 c030 0000 S.c..........0..
RAW-READ (7) | < 00000050: 05ff 0100 0100 0b00 042b 0004 2800 0242 .........+..(..B
RAW-READ (7) | < 00000060: 3082 023e 3082 01a7 a003 0201 0202 0821 0..>0..........!
RAW-READ (7) | < 00000070: 92e4 4931 8b9b ad30 0d06 092a 8648 86f7 ..I1...0-..*.H..
RAW-READ (7) | < 00000080: 0d01 0105 0500 3025 3123 3021 0603 5504 -.....0%1#0!..U.
RAW-READ (7) | < 00000090: 030c 1a66 692d 706f 696e 7379 732d 7372 ...fi-poinsys-sr
RAW-READ (7) | < 000000a0: 762d 7465 7374 2d30 3031 2d63 6130 2017 v-test-001-ca0 .
RAW-READ (7) | < 000000b0: 0d30 3830 3332 3631 3335 3035 305a 180f -080326135050Z..
RAW-READ (7) | < 000000c0: 3230 3538 3033 3236 3133 3530 3530 5a30 20580326135050Z0
RAW-READ (7) | < 000000d0: 2d31 2b30 2906 0355 0403 0c22 6669 2d70 -1+0)..U..."fi-p
RAW-READ (7) | < 000000e0: 6f69 6e73 7973 2d73 7276 2d74 6573 7467 oinsys-srv-testg
RAW-READ (7) | < 000000f0: 7731 2d30 3031 2d67 656e 6572 616c 3081 w1-001-general0.
RAW-READ (7) | < 00000100: 9f30 0d06 092a 8648 86f7 0d01 0101 0500 .0-..*.H..-.....
RAW-READ (7) | < 00000110: 0381 8d00 3081 8902 8181 00b4 1d0e 5f53 ....0........._S
RAW-READ (7) | < 00000120: 9179 2d45 80d2 4746 2164 1cac 8613 3e67 .y-E..GF!d....>g
RAW-READ (7) | < 00000130: 628c 2514 0036 e770 ca16 15ed 73da 5997 b.%..6.p....s.Y.
RAW-READ (7) | < 00000140: 2c10 5c5f ce84 4225 5857 20a5 04af 2879 ,.\_..B%XW ...(y
RAW-READ (7) | < 00000150: 661a b7c5 a9db b05c dd47 a996 63ed 58e6 f......\.G..c.X.
RAW-READ (7) | < 00000160: 4d7a 34f4 e4b7 26fb 87c8 a08b 48e9 b504 Mz4...&.....H...
RAW-READ (7) | < 00000170: 4e01 9aa9 aea4 fb02 93b6 0816 0a9b 1054 N...........-..T
RAW-READ (7) | < 00000180: 6d7b 2647 dd66 ade5 e0f4 79f1 3b01 7bbf m{&G.f....y.;.{.
RAW-READ (7) | < 00000190: 044a 6954 6be1 408a ce75 8302 0301 0001 .JiTk.#..u......
RAW-READ (7) | < 000001a0: a36d 306b 3009 0603 551d 1304 0230 0030 .m0k0...U....0.0
RAW-READ (7) | < 000001b0: 5e06 0355 1d1f 0457 3055 3053 a051 a04f ^..U...W0U0S.Q.O
RAW-READ (7) | < 000001c0: 864d 6874 7470 733a 2f2f 706f 696e 7473 .Mhttps://points
RAW-READ (7) | < 000001d0: 736c 7465 7374 3a38 3434 332f 6b6d 732f sltest:8443/kms/
RAW-READ (7) | < 000001e0: 6372 6c2f 6765 7463 726c 2e68 746d 6c3f crl/getcrl.html?
RAW-READ (7) | < 000001f0: 6e61 6d65 3d66 692d 706f 696e 7379 732d name=fi-poinsys-
RAW-READ (7) | < 00000200: 7372 762d 7465 7374 2d30 3031 2d63 6130 srv-test-001-ca0
RAW-READ (7) | < 00000210: 0d06 092a 8648 86f7 0d01 0105 0500 0381 -..*.H..-.......
RAW-READ (7) | < 00000220: 8100 13f7 5f61 4699 d11c 1199 87d6 964a ...._aF........J
RAW-READ (7) | < 00000230: 7e37 4454 94e6 3f8c 063f c560 68f3 4f89 ~7DT..?..?.`h.O.
RAW-READ (7) | < 00000240: 9f53 1521 5cf3 aa47 f57c 007a e54b 1b47 .S.!\..G.|.z.K.G
RAW-READ (7) | < 00000250: 8c98 eaaa 235b 3fcf 819a 3df9 5540 a67b ....#[?...=.U#.{
RAW-READ (7) | < 00000260: 02f1 013a c2c7 a523 a679 438f 58b3 af01 ...:...#.yC.X...
RAW-READ (7) | < 00000270: 8a9e f3fb de96 ac7e 2d38 4216 a794 502e .......~-8B...P.
RAW-READ (7) | < 00000280: 1b7d 9ad5 cf3b 1ebe 745e c976 bb03 90f0 .}...;..t^.v....
RAW-READ (7) | < 00000290: f8a7 4b81 5319 197f 221d 0d5f 504b c69a ..K.S...".-_PK..
RAW-READ (7) | < 000002a0: 10aa 0001 e030 8201 dc30 8201 45a0 0302 .....0...0..E...
RAW-READ (7) | < 000002b0: 0102 0208 6c89 815a 8bf7 15f5 300d 0609 ....l..Z....0-..
RAW-READ (7) | < 000002c0: 2a86 4886 f70d 0101 0505 0030 2531 2330 *.H..-.....0%1#0
RAW-READ (7) | < 000002d0: 2106 0355 0403 0c1a 6669 2d70 6f69 6e73 !..U....fi-poins
RAW-READ (7) | < 000002e0: 7973 2d73 7276 2d74 6573 742d 3030 312d ys-srv-test-001-
RAW-READ (7) | < 000002f0: 6361 3020 170d 3038 3033 3236 3133 3530 ca0 .-0803261350
RAW-READ (7) | < 00000300: 3530 5a18 0f32 3035 3830 3332 3631 3335 50Z..20580326135
RAW-READ (7) | < 00000310: 3035 305a 3025 3123 3021 0603 5504 030c 050Z0%1#0!..U...
RAW-READ (7) | < 00000320: 1a66 692d 706f 696e 7379 732d 7372 762d .fi-poinsys-srv-
RAW-READ (7) | < 00000330: 7465 7374 2d30 3031 2d63 6130 819f 300d test-001-ca0..0-
RAW-READ (7) | < 00000340: 0609 2a86 4886 f70d 0101 0105 0003 818d ..*.H..-........
RAW-READ (7) | < 00000350: 0030 8189 0281 8100 859a a533 e990 210b .0.........3..!.
RAW-READ (7) | < 00000360: 58c1 8b58 984a fd75 337c c021 d374 02d8 X..X.J.u3|.!.t..
RAW-READ (7) | < 00000370: f640 ff05 3efd a51a 9df7 f6eb 1023 52bc .#..>........#R.
RAW-READ (7) | < 00000380: ac59 a650 e4ad 9d1f 02e6 97db c914 a01b .Y.P............
RAW-READ (7) | < 00000390: cd30 4945 8d71 5178 44f8 b4d4 9cba 2b8a .0IE.qQxD.....+.
RAW-READ (7) | < 000003a0: 9077 1d85 9547 9c49 a043 7879 6899 2048 .w...G.I.Cxyh. H
RAW-READ (7) | < 000003b0: 6fa5 d537 0010 0591 9d61 e854 5613 3d1d o..7.....a.TV.=.
RAW-READ (7) | < 000003c0: 4677 5f8a ddb8 8d4d a885 3984 1cd9 7550 Fw_....M..9...uP
RAW-READ (7) | < 000003d0: 96f4 acef 2a9f 7633 0203 0100 01a3 1330 ....*.v3.......0
RAW-READ (7) | < 000003e0: 1130 0f06 0355 1d13 0408 3006 0101 ff02 .0...U....0.....
RAW-READ (7) | < 000003f0: 0101 300d 0609 2a86 4886 f70d 0101 0505 ..0-..*.H..-....
RAW-READ (7) | < 00000400: 0003 8181 007b a0cd 116b a28f b536 67bf .....{...k...6g.
RAW-READ (7) | < 00000410: f87e 7b61 7543 411a 6047 7ca9 e54a 1a36 .~{auCA.`G|..J.6
RAW-READ (7) | < 00000420: e688 cd15 e346 e519 3f46 f900 79a8 e027 .....F..?F..y..'
RAW-READ (7) | < 00000430: 43f9 b963 a0f6 81d0 26c5 f66d 9d88 017d C..c....&..m...}
RAW-READ (7) | < 00000440: 7c99 3168 2cf4 dced 64f8 5624 81d2 6dd2 |.1h,...d.V$..m.
RAW-READ (7) | < 00000450: aaf4 0a0f c21d e196 e557 196c 0686 d698 ..-......W.l....
RAW-READ (7) | < 00000460: 5f6a 2d12 996c 3157 0ba7 ee35 498c db3a _j-..l1W...5I..:
RAW-READ (7) | < 00000470: 2835 34cb b6e5 b941 7fac bf9f cfaa 5b98 (54....A......[.
RAW-READ (7) | < 00000480: d118 ca76 360c 0000 c903 0017 4104 bf45 ...v6.......A..E
RAW-READ (7) | < 00000490: 344f 7916 08d2 fa31 ec81 ac4e 7baf bfe1 4Oy....1...N{...
RAW-READ (7) | < 000004a0: e04e 459d 2043 f3f9 8208 fce6 35ef bc99 .NE. C......5...
RAW-READ (7) | < 000004b0: b606 a4f7 19eb 3c16 7131 ade6 4952 1dc5 ......<.q1..IR..
RAW-READ (7) | < 000004c0: 3b21 3cde ab1d c06f 870e 6580 9489 0501 ;!<....o..e.....
RAW-READ (7) | < 000004d0: 0080 9468 d320 2901 bcb4 07b9 691c c9b2 ...h. ).....i...
RAW-READ (7) | < 000004e0: feae 734a dbb5 a658 a03f 93cb c769 2588 ..sJ...X.?...i%.
RAW-READ (7) | < 000004f0: 5e5d 011c 89bb dc6e 7d72 054e b173 c8f5 ^].....n}r.N.s..
RAW-READ (7) | < 00000500: 90c1 c0db d0ee a59d c69e 8a0f 0195 3d7b ..............={
RAW-READ (7) | < 00000510: c4f1 b067 5cb8 131c a79d ad43 0bc9 1cbd ...g\......C....
RAW-READ (7) | < 00000520: c8f0 4f57 9fbb 4680 3afa 182f af23 bea9 ..OW..F.:../.#..
RAW-READ (7) | < 00000530: 03dd c86d eb5a fae3 c449 a0b2 688e 4b0a ...m.Z...I..h.K-
RAW-READ (7) | < 00000540: 2188 f37b a27e 5fa2 4221 d52c a98b 7e90 !..{.~_.B!.,..~.
RAW-READ (7) | < 00000550: 5d81 0d00 004b 0301 ].-..K..
RAW-READ (7) | < }
} [3:10]
Oct 27 15:38:38 Philip-Banks-ipod MPEtestApplication[793] <Notice>: CFNetwork Diagnostics [3:11] 15:38:38.730 {
{ fd: 7, local 10.47.29.209:53929 => peer 103.20.137.69:444 } RAW-READ 77
RAW-READ (7) | < data [ 77 ] bytes {
RAW-READ (7) | < 00000000: 0240 0016 0603 0601 0503 0501 0403 0401 .#..............
RAW-READ (7) | < 00000010: 0303 0301 0203 0201 0202 002d 002b 3029 ...........-.+0)
RAW-READ (7) | < 00000020: 3127 3025 0603 5504 030c 1e66 692d 706f 1'0%..U....fi-po
RAW-READ (7) | < 00000030: 696e 7379 732d 7465 7374 636c 742d 636d insys-testclt-cm
RAW-READ (7) | < 00000040: 7331 2d30 3031 2d63 610e 0000 00 s1-001-ca....
RAW-READ (7) | < }
} [3:11]
Oct 27 15:38:38 Philip-Banks-ipod MPEtestApplication[793] <Notice>: CFNetwork Diagnostics [3:12] 15:38:38.732 {
ioLogger
logStruct: array [12] {
BEGIN SSL RECORD DECODE: READ
decodeHandshake [0] # 0x15c62025, version 303, length 1440 (0x5a0)
ServerHello (2, 0x2), length 77 (0x4d)
decodeHandshake [1] # 0x15c62076, version 303, length 1440 (0x5a0)
Certificate (11, 0xb), length 1067 (0x42b)
decodeHandshake [2] # 0x15c624a5, version 303, length 1440 (0x5a0)
ServerKeyExchange (12, 0xc), length 201 (0xc9)
decodeHandshake [3] # 0x15c62572, version 303, length 1440 (0x5a0)
CertificateRequest (13, 0xd), length 75 (0x4b)
decodeHandshake [4] # 0x15c625c1, version 303, length 1440 (0x5a0)
ServerHelloDone (14, 0xe), length 0 (0x0)
END SSL RECORD DECODE: READ
}
} [3:12]
Oct 27 15:38:38 Philip-Banks-ipod MPEtestApplication[793] <Notice>: CFNetwork Diagnostics [3:13] 15:38:38.739 {
Client Cert Requested
Distinguished Names: 1
0: << DATA <CFData 0x14def8c0 [0x38002170]>{length = 43, capacity = 43, bytes = 0x30293127302506035504030c1e66692d ... 312d3030312d6361} >>
} [3:13]
Oct 27 15:38:38 Philip-Banks-ipod MPEtestApplication[793] <Notice>: CFNetwork Diagnostics [3:14] 15:38:38.742 {
Authentication Challenge
Loader: <CFURLRequest 0x14dcb620 [0x38002170]> {url = https://103.20.137.69:444/downloadfile.aspx?filename=MON___00DADDF5FFFF00&tspid=100581332001, cs = 0x0}
Challenge: challenge space https://103.20.137.69:444/, ClientCertificateRequested (Hash c3626e29)
} [3:14]
Oct 27 15:38:38 Philip-Banks-ipod Unknown[791] <Error>:
Oct 27 15:38:43 Philip-Banks-ipod MPEtestApplication[793] <Error>: SecTrustEvaluate [leaf AnchorTrusted]
Oct 27 15:38:44 Philip-Banks-ipod MPEtestApplication[793] <Warning>: Certificates found: 1
Oct 27 15:38:44 Philip-Banks-ipod MPEtestApplication[793] <Error>: SecTrustEvaluate [leaf AnchorTrusted]
Oct 27 15:38:44 Philip-Banks-ipod MPEtestApplication[793] <Warning>: User: (null), certificates (
"<cert(0x160214f0) s: 400-133-738-MOB i: fi-poinsys-testclt-cms1-001-ca>"
) identity:<SecIdentityRef: 0x16020270>
Oct 27 15:38:46 Philip-Banks-ipod MPEtestApplication[793] <Notice>: CFNetwork Diagnostics [3:15] 15:38:46.070 {
Use Credential
Loader: <CFURLRequest 0x14dcb620 [0x38002170]> {url = https://103.20.137.69:444/downloadfile.aspx?filename=MON___00DADDF5FFFF00&tspid=100581332001, cs = 0x0}
Credential: Name: 400-133-738-MOB, Persistence: permanent
} [3:15]
Oct 27 15:38:46 Philip-Banks-ipod MPEtestApplication[793] <Notice>: CFNetwork Diagnostics [3:16] 15:38:46.074 {
touchConnection
Loader: <CFURLRequest 0x14dcb620 [0x38002170]> {url = https://103.20.137.69:444/downloadfile.aspx?filename=MON___00DADDF5FFFF00&tspid=100581332001, cs = 0x0}
Timeout Interval: 60.000 seconds
} [3:16]
Oct 27 15:38:46 Philip-Banks-ipod MPEtestApplication[793] <Notice>: CFNetwork Diagnostics [3:17] 15:38:46.078 {
Peer certificate
Subject Sum: fi-poinsys-srv-testgw1-001-general
Summary: fi-poinsys-srv-test-001-ca
} [3:17]
Oct 27 15:38:46 Philip-Banks-ipod MPEtestApplication[793] <Notice>: CFNetwork Diagnostics [3:18] 15:38:46.093 {
Authentication Challenge
Loader: <CFURLRequest 0x14dcb620 [0x38002170]> {url = https://103.20.137.69:444/downloadfile.aspx?filename=MON___00DADDF5FFFF00&tspid=100581332001, cs = 0x0}
Challenge: challenge space https://103.20.137.69:444/, ServerTrustEvaluationRequested (Hash c3626e29)
} [3:18]
Oct 27 15:38:47 Philip-Banks-ipod MPEtestApplication[793] <Notice>: CFNetwork Diagnostics [3:19] 15:38:47.250 {
Use Credential
Loader: <CFURLRequest 0x14dcb620 [0x38002170]> {url = https://103.20.137.69:444/downloadfile.aspx?filename=MON___00DADDF5FFFF00&tspid=100581332001, cs = 0x0}
Credential: null
} [3:19]
Oct 27 15:38:47 Philip-Banks-ipod MPEtestApplication[793] <Notice>: CFNetwork Diagnostics [3:20] 15:38:47.252 {
touchConnection
Loader: <CFURLRequest 0x14dcb620 [0x38002170]> {url = https://103.20.137.69:444/downloadfile.aspx?filename=MON___00DADDF5FFFF00&tspid=100581332001, cs = 0x0}
Timeout Interval: 60.000 seconds
} [3:20]
Oct 27 15:38:47 Philip-Banks-ipod MPEtestApplication[793] <Error>: SecTrustEvaluate [leaf SSLHostname] [root AnchorTrusted]
Oct 27 15:38:47 Philip-Banks-ipod MPEtestApplication[793] <Warning>: NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
Oct 27 15:38:47 Philip-Banks-ipod MPEtestApplication[793] <Notice>: CFNetwork Diagnostics [3:21] 15:38:47.255 {
Response Error
Request: <CFURLRequest 0x14f48f60 [0x38002170]> {url = https://103.20.137.69:444/downloadfile.aspx?filename=MON___00DADDF5FFFF00&tspid=100581332001, cs = 0x0}
Error: Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamPropertySSLClientCertificateState=2, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x14f76660>, _kCFStreamErrorDomainKey=3, kCFStreamPropertySSLPeerCertificates=<CFArray 0x160274c0 [0x38002170]>{type = immutable, count = 2, values = (
0 : <cert(0x14f70280) s: fi-poinsys-srv-testgw1-001-general i: fi-poinsys-srv-test-001-ca>
1 : <cert(0x14f70520) s: fi-poinsys-srv-test-001-ca i: fi-poinsys-srv-test-001-ca>
)}, _kCFStreamPropertySSLClientCertificates=<CFArray 0x14f74740 [0x38002170]>{type = mutable-small, count = 2, values = (
0 : <SecIdentityRef: 0x16020270>
1 : <cert(0x160214f0) s: 400-133-738-MOB i: fi-poinsys-testclt-cms1-001-ca>
)}}
} [3:21]
Oct 27 15:38:47 Philip-Banks-ipod MPEtestApplication[793] <Notice>: CFNetwork Diagnostics [3:22] 15:38:47.258 {
Did Fail
Loader: <CFURLRequest 0x14dcb620 [0x38002170]> {url = https://103.20.137.69:444/downloadfile.aspx?filename=MON___00DADDF5FFFF00&tspid=100581332001, cs = 0x0}
Error: Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamPropertySSLClientCertificateState=2, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x14f76660>, _kCFStreamErrorDomainKey=3, kCFStreamPropertySSLPeerCertificates=<CFArray 0x160274c0 [0x38002170]>{type = immutable, count = 2, values = (
0 : <cert(0x14f70280) s: fi-poinsys-srv-testgw1-001-general i: fi-poinsys-srv-test-001-ca>
1 : <cert(0x14f70520) s: fi-poinsys-srv-test-001-ca i: fi-poinsys-srv-test-001-ca>
)}, _kCFStreamPropertySSLClientCertificates=<CFArray 0x14f74740 [0x38002170]>{type = mutable-small, count = 2, values = (
0 : <SecIdentityRef: 0x16020270>
1 : <cert(0x160214f0) s: 400-133-738-MOB i: fi-poinsys-testclt-cms1-001-ca>
)}}
init to origin load: 0.011323s
total time: 8.75724s
total bytes: 0
} [3:22]
Oct 27 15:38:47 Philip-Banks-ipod MPEtestApplication[793] <Notice>: CFNetwork Diagnostics [3:23] 15:38:47.275 {
~HTTPProtocol: nullptr request
Request: null
sent: 0
received: 0
cell sent: 0
cell received: 0
} [3:23]
Which seems to be pretty clear that the authentication failed, but not why it failed at. I'd appreciate any useful suggestions here as I am kinda stuck at this point.
This code is being build using XCode 8 building against the 10 SDK and deploying it onto an iOS 9.3.5 device.
Here is the code in question :-
#import "testSSLClass.h"
#interface testSSLClass()<NSURLConnectionDelegate, NSURLSessionDelegate, NSURLSessionDataDelegate> {
NSString* mDownloadURL;
NSURLSessionConfiguration* mDownloadConfiguration;
NSURLSession* mDownloadSession;
NSURLSessionDataTask* mDownloadTask;
NSMutableData* mDataReceived;
}
#end
#implementation testSSLClass
-(instancetype)init
{
if (self = [super init])
{
mDownloadURL = #"https://103.20.137.69:443/downloadfile.aspx?filename=MON___00DADDF5FFFF00&tspid=100581332001";
mDownloadConfiguration = [NSURLSessionConfiguration ephemeralSessionConfiguration];
}
return self;
}
-(void)doADownload
{
mDataReceived = [NSMutableData new];
NSURL* URLtoFetch = [NSURL URLWithString:mDownloadURL];
mDownloadSession = [NSURLSession sessionWithConfiguration:mDownloadConfiguration delegate:self delegateQueue:nil];
mDownloadTask = [mDownloadSession dataTaskWithURL:URLtoFetch];
[mDownloadTask resume];
}
-(void)URLSession:(NSURLSession *)session didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential * _Nullable))completionHandler
{
if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodClientCertificate]) {
[self willSendRequestForAuthenticationChallenge:challenge completionHandler:completionHandler];
} else {
completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
}
}
-(void)URLSession:(NSURLSession *)session dataTask:(NSURLSessionDataTask *)dataTask didReceiveData:(NSData *)data
{
[mDataReceived appendData:data];
}
-(void)URLSession:(NSURLSession *)session dataTask:(NSURLSessionDataTask *)dataTask willCacheResponse:(NSCachedURLResponse *)proposedResponse completionHandler:(void (^)(NSCachedURLResponse * _Nullable))completionHandler
{
[mDataReceived length];
}
-(void)URLSession:(NSURLSession *)session didBecomeInvalidWithError:(NSError *)error
{
NSLog(#"Error: %#", [error userInfo]);
}
-(void)URLSession:(NSURLSession *)session dataTask:(NSURLSessionDataTask *)dataTask didBecomeStreamTask:(NSURLSessionStreamTask *)streamTask
{
NSLog(#"Did Become Stream Task");
}
- (void)willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential * _Nullable))completionHandler
{
if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodClientCertificate])
{
NSArray* paths = NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES);
NSString* directoryPath = [paths objectAtIndex:0];
NSString* cacertPath = [directoryPath stringByAppendingPathComponent:#"client.p12"];
NSData *p12data = [NSData dataWithContentsOfFile:cacertPath];
CFDataRef inP12data = (__bridge CFDataRef)p12data;
SecIdentityRef myIdentity;
SecTrustRef myTrust;
extractIdentityAndTrust(inP12data, &myIdentity, &myTrust);
assert(myIdentity != nil);
assert(myTrust != nil);
long count = SecTrustGetCertificateCount(myTrust);
NSMutableArray* myCertificates = nil;
if(count > 0) {
myCertificates = [NSMutableArray arrayWithCapacity:count];
for(int i = 0; i < count; ++i) {
[myCertificates addObject:(__bridge id)SecTrustGetCertificateAtIndex(myTrust, i)];
}
}
SecTrustResultType trustResult;
OSStatus evalResult = SecTrustEvaluate(myTrust, &trustResult);
if (trustResult == kSecTrustResultRecoverableTrustFailure)
{
CFDataRef errDataRef = SecTrustCopyExceptions(myTrust);
SecTrustSetExceptions(myTrust, errDataRef);
evalResult = SecTrustEvaluate(myTrust, &trustResult);
}
NSURLCredential *credential = [NSURLCredential credentialWithIdentity:myIdentity certificates:myCertificates persistence:NSURLCredentialPersistencePermanent];
assert(credential != nil);
NSLog(#"User: %#, certificates %# identity:%#", [credential user], [credential certificates], [credential identity]);
[[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];
completionHandler(NSURLSessionAuthChallengeUseCredential,credential);
} else {
completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
}
}
OSStatus extractIdentityAndTrust(CFDataRef inP12data, SecIdentityRef *identity, SecTrustRef *trust)
{
OSStatus securityError = errSecSuccess;
CFStringRef password = CFSTR("password");
const void *keys[] = { kSecImportExportPassphrase };
const void *values[] = { password };
CFDictionaryRef options = CFDictionaryCreate(NULL, keys, values, 1, NULL, NULL);
CFArrayRef items = CFArrayCreate(NULL, 0, 0, NULL);
securityError = SecPKCS12Import(inP12data, options, &items);
if (securityError == 0) {
CFDictionaryRef myIdentityAndTrust = CFArrayGetValueAtIndex(items, 0);
const void *tempIdentity = NULL;
tempIdentity = CFDictionaryGetValue(myIdentityAndTrust, kSecImportItemIdentity);
*identity = (SecIdentityRef)tempIdentity;
const void *tempTrust = NULL;
tempTrust = CFDictionaryGetValue(myIdentityAndTrust, kSecImportItemTrust);
*trust = (SecTrustRef)tempTrust;
CFIndex count = CFArrayGetCount(items);
NSLog(#"Certificates found: %ld",count);
}
if (options) {
CFRelease(options);
}
return securityError;
}
#end
Any suggestions, tips or advice gratefully accepted.
Philip
Okay, after some back and forth with a helpful Apple employee and banging a few heads locally to do certs in a sensible way this is the solution I ended up with :-
#import "testSSLClass.h"
#interface testSSLClass()<NSURLConnectionDelegate, NSURLSessionDelegate, NSURLSessionDataDelegate> {
NSString* mDownloadURL;
NSURLSessionConfiguration* mDownloadConfiguration;
NSURLSession* mDownloadSession;
NSURLSessionDataTask* mDownloadTask;
NSMutableData* mDataReceived;
}
#end
#implementation testSSLClass
-(instancetype)init
{
if (self = [super init])
{
mDownloadURL = #"https://your.server.url";
mDownloadConfiguration = [NSURLSessionConfiguration ephemeralSessionConfiguration];
}
return self;
}
-(void)doADownload
{
mDataReceived = [NSMutableData new];
NSURL* URLtoFetch = [NSURL URLWithString:mDownloadURL];
mDownloadSession = [NSURLSession sessionWithConfiguration:mDownloadConfiguration delegate:self delegateQueue:nil];
mDownloadTask = [mDownloadSession dataTaskWithURL:URLtoFetch];
[mDownloadTask resume];
}
-(void)URLSession:(NSURLSession *)session didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential * _Nullable))completionHandler
{
if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodClientCertificate]) {
[self willSendRequestForAuthenticationChallenge:challenge completionHandler:completionHandler];
} else {
completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
}
}
-(void)URLSession:(NSURLSession *)session dataTask:(NSURLSessionDataTask *)dataTask didReceiveData:(NSData *)data
{
NSLog(#"Appending data: %lu bytes", (unsigned long)[data length]);
[mDataReceived appendData:data];
}
-(void)URLSession:(NSURLSession *)session dataTask:(NSURLSessionDataTask *)dataTask willCacheResponse:(NSCachedURLResponse *)proposedResponse completionHandler:(void (^)(NSCachedURLResponse * _Nullable))completionHandler
{
// We got the data.
NSLog(#"Download finished: %lu bytes", (unsigned long)[mDataReceived length]);
completionHandler(NULL);
}
-(void)URLSession:(NSURLSession *)session didBecomeInvalidWithError:(NSError *)error
{
NSLog(#"Error: %#", [error userInfo]);
}
-(void)URLSession:(NSURLSession *)session dataTask:(NSURLSessionDataTask *)dataTask didBecomeStreamTask:(NSURLSessionStreamTask *)streamTask
{
NSLog(#"Did Become Stream Task");
}
- (void)URLSession:(NSURLSession *)session task:(NSURLSessionTask *)task didCompleteWithError:(NSError *)error
{
NSLog(#"Download finished: %lu bytes", (unsigned long)[mDataReceived length]);
if (error) {
NSLog(#"Error: %#", [error userInfo]);
}
}
#pragma NSURLConnection delegate
-(void)connection:(NSURLConnection *)connection didFailWithError:(NSError *)error
{
NSLog(#"Error: %#", [error userInfo]);
}
- (void)willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential * _Nullable))completionHandler
{
if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodClientCertificate])
{
NSArray* paths = NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES);
NSString* directoryPath = [paths objectAtIndex:0];
NSString* cacertPath = [directoryPath stringByAppendingString:#"/client.p12"];
NSData *p12data = [NSData dataWithContentsOfFile:cacertPath];
CFDataRef inP12data = (__bridge CFDataRef)p12data;
SecIdentityRef myIdentity = nil;
extractIdentity(inP12data, &myIdentity);
assert(myIdentity != nil);
NSURLCredential* credential = [NSURLCredential credentialWithIdentity:myIdentity certificates:nil persistence:NSURLCredentialPersistenceNone];
assert(credential != nil);
NSLog(#"User: %#, certificates %# identity:%#", [credential user], [credential certificates], [credential identity]);
[[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];
completionHandler(NSURLSessionAuthChallengeUseCredential,credential);
} else {
completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
}
}
OSStatus extractIdentity(CFDataRef inP12data, SecIdentityRef *identity)
{
OSStatus securityError = errSecSuccess;
CFStringRef password = CFSTR("password");
const void *keys[] = { kSecImportExportPassphrase };
const void *values[] = { password };
CFDictionaryRef options = CFDictionaryCreate(NULL, keys, values, 1, NULL, NULL);
CFArrayRef items = CFArrayCreate(NULL, 0, 0, NULL);
securityError = SecPKCS12Import(inP12data, options, &items);
if (securityError == errSecSuccess) {
CFDictionaryRef myIdentityAndTrust = CFArrayGetValueAtIndex(items, 0);
const void *tempIdentity = NULL;
tempIdentity = CFDictionaryGetValue(myIdentityAndTrust, kSecImportItemIdentity);
*identity = (SecIdentityRef)tempIdentity;
CFIndex count = CFArrayGetCount(items);
NSLog(#"Certificates found: %ld",count);
}
if (options) {
CFRelease(options);
}
return securityError;
}
#end
We use a locally downloaded pkcs12 format file which has the private key and the cert to establish an indentity. The cert is now being signed by a public CA which means iOS is all happy and things now work nicely. Hopefully this is useful for someone else banging their head a bit.
I'm developing a video chat application with quickblox. And I have a trouble with performing video call. There are logs of two instances of application started in one time:
Sep 11 16:43:40 iPod-touch DimChat[3823] <Warning>: QBChat/didConnect
Sep 11 16:43:40 iPod-touch DimChat[3823] <Warning>: -[QBChat xmppStreamDidAuthenticate:] -> user: 290427, supportsStartTLS: 1, isSecure: 0
Sep 11 16:43:40 iPod-touch DimChat[3823] <Warning>: -[QBChat xmppStream:didSendPresence:] -> Presence: <presence/>
Sep 11 16:43:40 iPod-touch DimChat[3823] <Warning>: -[QBChat xmppStream:didSendIQ:] -> IQ: <iq type="get" id="561006823"><query xmlns="jabber:iq:roster"/></iq>
Sep 11 16:43:41 iPod-touch DimChat[3823] <Warning>: -[QBChat xmppStream:didReceiveIQ:] -> <iq xmlns="jabber:client" id="561006823" type="result" to="290427-3936#chat.quickblox.com/tigase-3171"><query xmlns="jabber:iq:roster"/></iq>
Sep 11 16:44:00 iPod-touch DimChat[3823] <Warning>: -[QBChat xmppStream:didSendPresence:] -> Presence: <presence/>
Sep 11 16:44:18 iPod-touch wifid[14] <Error>: WiFi:[400596258.779212]: Disable WoW requested by "UserEventAgent"
Sep 11 16:44:18 iPod-touch DimChat[3823] <Warning>: QBChat/didDisconnect, error: Error Domain=GCDAsyncSocketErrorDomain Code=7 "Socket closed by remote peer" UserInfo=0x1ed273e0 {NSLocalizedDescription=Socket closed by remote peer}
Sep 11 16:44:20 iPod-touch DimChat[3823] <Warning>: -[QBChat sendPresence] -> return. You have to be logged in in order to use Chat API
The second instance which calls the first one:
2013-09-11 16:43:46.408 DimChat[55216:b10f] QBChat/didConnect
2013-09-11 16:43:47.053 DimChat[55216:a207] -[QBChat xmppStreamDidAuthenticate:] -> user: 503867, supportsStartTLS: 1, isSecure: 0
2013-09-11 16:43:47.053 DimChat[55216:a207] -[QBChat xmppStream:didSendIQ:] -> IQ: <iq type="get" id="561006823"><query xmlns="jabber:iq:roster"/></iq>
2013-09-11 16:43:47.053 DimChat[55216:a207] -[QBChat xmppStream:didSendPresence:] -> Presence: <presence/>
2013-09-11 16:43:47.215 DimChat[55216:b10f] -[QBChat xmppStream:didReceiveIQ:] -> <iq xmlns="jabber:client" id="561006823" type="result" to="503867-3936#chat.quickblox.com/tigase-3170"><query xmlns="jabber:iq:roster"/></iq>
2013-09-11 16:43:56.295 DimChat[55216:b10f] -[QBVideoChat init] ->
2013-09-11 16:43:56.295 DimChat[55216:b10f] -[QBVideoChat orientatioDidChange:] -> LandscapeLeft
2013-09-11 16:43:56.296 DimChat[55216:b10f] -[QBVideoChat callUser:conferenceType:customParameters:] -> VideoChat configuration: {
kQBVideoChatBadConnectionTimeout = 5;
kQBVideoChatCallTimeout = 15;
kQBVideoChatFrameQualityPreset = AVCaptureSessionPresetLow;
kQBVideoChatP2PTimeout = "1.5";
kQBVideoChatTURNServerEndPoint = "turnserver.quickblox.com";
kQBVideoChatVideoFramesPerSecond = 10;
kQBVideoChatWriteQueueMaxAudioOperationsThreshold = 25;
kQBVideoChatWriteQueueMaxVideoOperationsThreshold = 25;
}
2013-09-11 16:43:56.296 DimChat[55216:b10f] -[QBChat xmppStream:didSendMessage:] -> Message: <message id="282475249" type="qbvideochat_call" to="290427-3936#chat.quickblox.com" from="503867-3936#chat.quickblox.com"><body>1</body></message>
2013-09-11 16:43:58.297 DimChat[55216:b10f] -[QBChat xmppStream:didSendMessage:] -> Message: <message id="1622650073" type="qbvideochat_call" to="290427-3936#chat.quickblox.com" from="503867-3936#chat.quickblox.com"><body>1</body></message>
2013-09-11 16:44:00.298 DimChat[55216:b10f] -[QBChat xmppStream:didSendMessage:] -> Message: <message id="984943658" type="qbvideochat_call" to="290427-3936#chat.quickblox.com" from="503867-3936#chat.quickblox.com"><body>1</body></message>
2013-09-11 16:44:02.300 DimChat[55216:b10f] -[QBChat xmppStream:didSendMessage:] -> Message: <message id="1144108930" type="qbvideochat_call" to="290427-3936#chat.quickblox.com" from="503867-3936#chat.quickblox.com"><body>1</body></message>
2013-09-11 16:44:04.300 DimChat[55216:b10f] -[QBChat xmppStream:didSendMessage:] -> Message: <message id="470211272" type="qbvideochat_call" to="290427-3936#chat.quickblox.com" from="503867-3936#chat.quickblox.com"><body>1</body></message>
2013-09-11 16:44:06.302 DimChat[55216:b10f] -[QBChat xmppStream:didSendMessage:] -> Message: <message id="101027544" type="qbvideochat_call" to="290427-3936#chat.quickblox.com" from="503867-3936#chat.quickblox.com"><body>1</body></message>
2013-09-11 16:44:07.065 DimChat[55216:b10f] -[QBChat xmppStream:didSendPresence:] -> Presence: <presence/>
2013-09-11 16:44:08.303 DimChat[55216:b10f] -[QBChat xmppStream:didSendMessage:] -> Message: <message id="1457850878" type="qbvideochat_call" to="290427-3936#chat.quickblox.com" from="503867-3936#chat.quickblox.com"><body>1</body></message>
2013-09-11 16:44:10.303 DimChat[55216:b10f] -[QBChat xmppStream:didSendMessage:] -> Message: <message id="1458777923" type="qbvideochat_call" to="290427-3936#chat.quickblox.com" from="503867-3936#chat.quickblox.com"><body>1</body></message>
2013-09-11 16:44:11.304 DimChat[55216:b10f] -[QBVideoChat finishCallWithStatus:customParameters:] -> kStopVideoChatCallStatus_OpponentDidNotAnswer
2013-09-11 16:44:11.305 DimChat[55216:b10f] -[QBVideoChat deinitialization] ->
2013-09-11 16:44:11.305 DimChat[55216:b10f] -[QBVideoChat releaseVideoCapture] ->
2013-09-11 16:44:11.306 DimChat[55216:b10f] -[QBVideoChat releaseAudioCapture] ->
2013-09-11 16:44:11.306 DimChat[55216:b10f] -[QBVideoChat releaseSocketConnection] ->
2013-09-11 16:44:11.306 DimChat[55216:b10f] -[QBChat xmppStream:didSendMessage:] -> Message: <message id="2007237709" type="qbvideochat_stopCall" to="290427-3936#chat.quickblox.com" from="503867-3936#chat.quickblox.com"><body>kStopVideoChatCallStatus_OpponentDidNotAnswer</body></message>
2013-09-11 16:44:25.264 DimChat[55216:b10f] QBChat/didDisconnect, error: Error Domain=GCDAsyncSocketErrorDomain Code=7 "Socket closed by remote peer" UserInfo=0x9ca1260 {NSLocalizedDescription=Socket closed by remote peer}
2013-09-11 16:44:27.074 DimChat[55216:b10f] -[QBChat sendPresence] -> return. You have to be logged in in order to use Chat API
Actually the problem is that the first instance didn't receive incoming call.
I checked the video chat example from quickblox's github. It works with my users/passwords, so I have a mistake in my code, but I really don't know where I should search it.
As you can see both instances have the same problem: "Socket closed by remote peer". But this problem happens after call timeout, so it isn't a cause of main problem.
Finally I've found the solution. The problem was in QBVideoChat object. I thought that QBChat will send me the signal when another user calls me and then I'll create the QBVideoChat object and present it's view on screen.
The sad truth is that QBChat don't send any video relations signals before I create QBVideoChat. So I have to create it at program's start in order to receive chatDidReceiveCallRequestFromUser signal.
after deploying, i get the error below after loggingin.
Sf 1.3, sfDoctrineGuardPlugin. And i have this schema.yml in config/doctrine:
Usuario:
inheritance:
extends: sfGuardUser
type: simple
columns:
username:
type: string(128)
notnull: false
unique: true
nombre_apellidos: string(60)
sexo: string(5)
fecha_nac: date
provincia: string(60)
localidad: string(255)
email_address: string(255)
fotografia: string(255)
avatar: string(255)
avatar_mensajes: string(255)
relations:
Usuario:
local: user1_id
foreign: user2_id
refClass: AmigoUsuario
equal: true
500 | Internal Server Error | Doctrine_Record_UnknownPropertyException Unknown record property / related component "algorithm" on "sfGuardUser" stack trace
* at ()
in SF_ROOT_DIR/lib/vendor/symfony/lib/plugins/sfDoctrinePlugin/lib/vendor/doctrine/Doctrine/Record/Filter/Standard.php line 55 ...
52. */
53. public function filterGet(Doctrine_Record $record, $name)
54. {
55. throw new Doctrine_Record_UnknownPropertyException(sprintf('Unknown record property / related component "%s" on "%s"', $name, get_class($record)));
56. }
57. }
* at Doctrine_Record_Filter_Standard->filterGet(object('sfGuardUser'), 'algorithm')
in SF_ROOT_DIR/lib/vendor/symfony/lib/plugins/sfDoctrinePlugin/lib/vendor/doctrine/Doctrine/Record.php line 1382 ...
1379. $success = false;
1380. foreach ($this->_table->getFilters() as $filter) {
1381. try {
1382. $value = $filter->filterGet($this, $fieldName);
1383. $success = true;
1384. } catch (Doctrine_Exception $e) {}
1385. }
* at Doctrine_Record->_get('algorithm', 1)
in SF_ROOT_DIR/lib/vendor/symfony/lib/plugins/sfDoctrinePlugin/lib/vendor/doctrine/Doctrine/Record.php line 1337 ...
1334. return $this->$accessor($load);
1335. }
1336. }
1337. return $this->_get($fieldName, $load);
1338. }
1339.
1340. protected function _get($fieldName, $load = true)
* at Doctrine_Record->get('algorithm')
in SF_ROOT_DIR/lib/vendor/symfony/lib/plugins/sfDoctrinePlugin/lib/record/sfDoctrineRecord.class.php line 212 ...
209. return call_user_func_array(
210. array($this, $verb),
211. array_merge(array($entityName), $arguments)
212. );
213. } else {
214. $failed = true;
215. }
* at sfDoctrineRecord->__call(array(object('sfGuardUser'), 'get'), array('algorithm'))
in n/a line n/a ...
* at sfGuardUser->getAlgorithm('getAlgorithm', array())
in SF_ROOT_DIR/plugins/sfDoctrineGuardPlugin/lib/model/doctrine/PluginsfGuardUser.class.php line 96 ...
93. */
94. public function checkPasswordByGuard($password)
95. {
96. $algorithm = $this->getAlgorithm();
97. if (false !== $pos = strpos($algorithm, '::'))
98. {
99. $algorithm = array(substr($algorithm, 0, $pos), substr($algorithm, $pos + 2));
* at PluginsfGuardUser->checkPasswordByGuard()
in SF_ROOT_DIR/plugins/sfDoctrineGuardPlugin/lib/model/doctrine/PluginsfGuardUser.class.php line 83 ...
80. }
81. else
82. {
83. return $this->checkPasswordByGuard($password);
84. }
85. }
86.
* at PluginsfGuardUser->checkPassword('m')
in SF_ROOT_DIR/lib/sfGuardValidatorUserByEmail.class.php line 28 ...
25. {
26. // password is ok?
27.
28. if ($user->checkPassword($password))
29. {
30.
31. //die("entro");
* at sfGuardValidatorUserByEmail->doClean('m')
Here you have also my frontend_dev.log
Apr 15 07:15:23 symfony [info]
{sfPatternRouting} Connect sfRoute
"sf_guard_signin" (/login) Apr 15
07:15:23 symfony [info]
{sfPatternRouting} Connect sfRoute
"sf_guard_signout" (/logout) Apr 15
07:15:23 symfony [info]
{sfPatternRouting} Connect sfRoute
"sf_guard_password"
(/request_password) Apr 15 07:15:23
symfony [info] {sfPatternRouting}
Match route "sf_guard_signin" (/login)
for /login with parameters array (
'module' => 'sfGuardAuth', 'action'
=> 'signin',) abr 15 07:15:23 symfony [info] {sfFilterChain} Executing
filter "sfRenderingFilter" abr 15
07:15:23 symfony [info]
{sfFilterChain} Executing filter
"sfCommonFilter" abr 15 07:15:23
symfony [info] {sfFilterChain}
Executing filter "sfExecutionFilter"
abr 15 07:15:23 symfony [info]
{sfGuardAuthActions} Call
"sfGuardAuthActions->executeSignin()"
abr 15 07:15:23 symfony [info]
{Doctrine_Connection_Mysql} exec : SET
NAMES 'UTF8' - () abr 15 07:15:23
symfony [info]
{Doctrine_Connection_Statement}
execute : SELECT s.id AS s__id,
s.username AS s__username,
s.nombre_apellidos AS
s__nombre_apellidos, s.sexo AS
s__sexo, s.fecha_nac AS s__fecha_nac,
s.provincia AS s__provincia,
s.localidad AS s__localidad,
s.email_address AS s__email_address,
s.fotografia AS s__fotografia,
s.avatar AS s__avatar,
s.avatar_mensajes AS
s__avatar_mensajes FROM sf_guard_user
s WHERE (s.email_address = ?) LIMIT 1
- (f#m.com) abr 15 07:15:23 symfony [err]
{Doctrine_Record_UnknownPropertyException}
Unknown record property / related
component "algorithm" on "sfGuardUser"
abr 15 07:15:23 symfony [info]
{sfWebResponse} Send status "HTTP/1.1
500 Internal Server Error" abr 15
07:15:23 symfony [info]
{sfWebResponse} Send header
"Content-Type: text/html;
charset=utf-8" abr 15 07:15:23 symfony
[info] {sfWebDebugLogger}
Configuration 16.42 ms (8) abr 15
07:15:23 symfony [info]
{sfWebDebugLogger} Factories 123.17 ms
(1) abr 15 07:15:23 symfony [info]
{sfWebDebugLogger} Action
"sfGuardAuth/signin" 211.86 ms (1) abr
15 07:15:23 symfony [info]
{sfWebDebugLogger} Database (Doctrine)
0.01 ms (2)
Any idea?
Javi
If you change the field names, the entire plugin will break. You will need to rollback those changes, or rewrite every call of $user->getId(), $user->getUsername(), etc