After successfully installing a cert on iPhone simulator, I still get an SSL error when hitting my web service - ios

I am developing a web service and iOS app that hits the web service on my local machine. At first, I disabled the cleartext errors for interacting with the service, but now I would like to use https so that my development, test, and prod environments are as similar as possible.
I installed my self-signed cert locally, so going to the site directly is using https just fine:
I have followed the instructions to install a cert in the iPhone simulator:
However, when I hit the web service on my local machine that uses this cert, I still get these errors in the console:
2020-10-17 09:59:10.891496-0500 cttios[45481:2146304] [] nw_protocol_get_quic_image_block_invoke dlopen libquic failed
2020-10-17 09:59:10.899475-0500 cttios[45481:2146304] ATS failed system trust
2020-10-17 09:59:10.899583-0500 cttios[45481:2146304] Connection 1: system TLS Trust evaluation failed(-9802)
2020-10-17 09:59:10.899744-0500 cttios[45481:2146304] Connection 1: TLS Trust encountered error 3:-9802
2020-10-17 09:59:10.900077-0500 cttios[45481:2146304] Connection 1: encountered error(3:-9802)
2020-10-17 09:59:10.901405-0500 cttios[45481:2146304] Task <BE791070-705B-4C7D-A1DB-F57BCF1DFBCE>.<1> HTTP load failed, 0/0 bytes (error code: -1200 [3:-9802])
2020-10-17 09:59:10.904343-0500 cttios[45481:2146304] Task <BE791070-705B-4C7D-A1DB-F57BCF1DFBCE>.<1> finished with error [-1200] Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=(
"<cert(0x7ff4ce854600) s: cttweb.test i: Homestead homestead Root CA>"
), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://cttweb.test/api/v1/login, NSErrorFailingURLStringKey=https://cttweb.test/api/v1/login, NSUnderlyingError=0x600001123ab0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x600002d55cb0>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=(
"<cert(0x7ff4ce854600) s: cttweb.test i: Homestead homestead Root CA>"
)}}, _NSURLErrorRelatedURLSessionTaskErrorKey=(
"LocalDataTask <BE791070-705B-4C7D-A1DB-F57BCF1DFBCE>.<1>"
), _kCFStreamErrorCodeKey=-9802, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <BE791070-705B-4C7D-A1DB-F57BCF1DFBCE>.<1>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x600002d55cb0>, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made.}
Login api error: An SSL error has occurred and a secure connection to the server cannot be made.
Optional(["task": ["Login api error: An SSL error has occurred and a secure connection to the server cannot be made."]])
I have tried restarting the simulator after installing the cert, same result. What am I doing wrong?
It looks like I may not be trusting the cert even after installing it, but I can't find a way to trust it.

The problem is that I had the website cert installed, but not the CA cert generated for my local web server installed. That was as easy as dragging the CA root cert into Safari on the simulator.

Related

Server certificate issue for Firebase Crashlytics - SwiftUI

I have integrated Firebase Crashlytics in my iOS project. App is detected in the Firebase console. But test crash is not tracked in the console.
I followed the step provided by Firebase.
https://firebase.google.com/docs/crashlytics/get-started?authuser=3&platform=ios
While debugging, I can see some certificate issue for firebase server.
Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “firebaselogging-pa.googleapis.com” which could put your confidential information at risk."
It also shows
[Firebase/Crashlytics][I-CLS000000] Completed report submission with id
I also enabled
<key>NSAllowsArbitraryLoads</key>
<false/>
Log
2022-06-05 09:06:29.208678+0530 FirebaseSample[56522:591822] 8.9.1 - [Firebase/Crashlytics][I-CLS000000] [Firebase/Crashlytics] Packaged report with id '-----' for submission
2022-06-05 09:06:29.209774+0530 FirebaseSample[56522:591822] 8.9.1 - [Firebase/Crashlytics][I-CLS000000] Completed report submission with id:-----
2022-06-05 09:06:29.426952+0530 FirebaseSample[56522:591824] Task <01C587F9-CDDF-42C8-BB9C-9331D85C9BAF>.<1> finished with error [-1202] Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “firebaselogging-pa.googleapis.com” which could put your confidential information at risk." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=(
), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://firebaselogging-pa.googleapis.com/v1/firelog/legacy/batchlog, NSErrorFailingURLStringKey=https://firebaselogging-pa.googleapis.com/v1/firelog/legacy/batchlog, NSUnderlyingError=0x600002bac6f0 {Error Domain=kCFErrorDomainCFNetwork Code=-1202 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x6000015b03c0>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9813, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9813, kCFStreamPropertySSLPeerCertificates=(
), _kCFStreamErrorCodeKey=-9813, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <01C587F9-CDDF-42C8-BB9C-9331D85C9BAF>.<1>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x6000015b03c0>, NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “firebaselogging-pa.googleapis.com” which could put your confidential information at risk.}

iOS TLS certificate invalid on API request

I'm currently developing a React-Native app (first for iOS) and I have to do an API request on a FHIR connector (medical standard). This API uses a TLS certificate generated by the PKI of my state that is by default not trusted by iOS. I manually added the root certificate G1, the second certificate G2, and the certificate of the API URL.
After that, I trusted the root certificate using this explanation from Apple support: https://support.apple.com/en-us/HT204477
From then on I thought it was ready to be used; I checked with Chrome and now I have the following error: NET::ERR_CERT_VALIDITY_TOO_LONG
I don't have access to the PKI, so I can't generate a certificate with a shorter validity time. After some research I found this:
https://support.apple.com/en-us/HT210176
That explains the requirements for a TLS certificate to be validated by the OS. I thought there was no solution except generating a new certificate, but I found this:
https://support.apple.com/en-us/HT211025
That explains that a certificate installed manually by a user doesn't have to respect the 398-day validity limit.
I'm a bit confused...
My certificate validity time is 10 years.
My React-Native application works fine with http, but I have the following error with https:
[connection] nw_socket_handle_socket_event [C7:1] Socket SO_ERROR [61: Connection refused]
[connection] nw_connection_get_connected_socket [C7] Client called nw_connection_get_connected_socket on unconnected nw_connection
TCP Conn 0x2835e42c0 Failed : error 0:61 [61]
[native] [GESTURE HANDLER] Initialize gesture handler for root view <RCTRootContentView: 0x106d05890; reactTag: 11; frame = (0 0; 834 1194); gestureRecognizers = <NSArray: 0x280c16640>; layer = <CALayer: 0x280303060>>
Connection 12: default TLS Trust evaluation failed(-9807)
Connection 12: TLS Trust encountered error 3:-9807
Connection 12: encountered error(3:-9807)
Connection 12: unable to determine interface type without an established connection
Task <344A51D7-3F78-47DF-94E4-4A70D6B4E026>.<4> HTTP load failed, 0/0 bytes (error code: -1202 [3:-9807])
Task <344A51D7-3F78-47DF-94E4-4A70D6B4E026>.<4> finished with error [-1202] Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “<API URL REQUEST>” which could put your confidential information at risk." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=(
"<cert(0x104814000) s: <API URL CERTIF> i: <CERTIF G2>>",
"<cert(0x104811000) s: <CERTIF G2> i: <CERTIF ROOT G1>>",
"<cert(0x10488d000) s: <CERTIF ROOT G1> i: <CERTIF ROOT G1>>"
), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=<API URL>, NSErrorFailingURLStringKey=<API UTL>, NSUnderlyingError=0x280c36310 {Error Domain=kCFErrorDomainCFNetwork Code=-1202 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x2830f7330>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9807, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9807, kCFStreamPropertySSLPeerCertificates=(
"<cert(0x104814000) s: <API URL CERTIF> i: <CERTIF G1>>",
"<cert(0x104811000) s: <CERTIF G2> i: <CERTIF G1>",
"<cert(0x10488d000) s: <CERTIF G1> i: <CERTIF G1>"
)}},
The question is: am I doing something wrong, or is there any way to use this certificate (10-year validity time) for my application?
Thank you for helping me
If you are using a self-signed cert, you have to enable your iOS device to trust it:
For this, open again the iOS Settings app. Then navigate to “General” > “About” > “Certificate Trust Settings”. In the section “Enable Full Trust for Root Certificates”, enable your root certificate. With this, your app can connect now with the self-signed certificate to the backend.
I finally had access to the PKI to generate a TLS certificate with a shorter validity time and this solved my problem. Now the certificate is accepted by iOS.
I strongly think that there are no other solutions.

Application stop suddenly and getting NSURLErrorDomain error

I am using iOS 13.3 and my application stopped suddenly after 6 months.
I have checked my certificate and found no issue in certificate.
I am getting the following error.
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9816)
2020-04-17 01:38:14.778140+0530 Example[38000:704335] Task <71350D43-9801-46F2-9F9E-333AF09964CE>.<1> HTTP load failed (error code: -1200 [3:-9816])
2020-04-17 01:38:14.779009+0530 Example[38000:704332] Task <71350D43-9801-46F2-9F9E-333AF09964CE>.<1> finished with error - code: -1200
2020-04-17 01:38:14.782985+0530 Example[38000:704332] Task <71350D43-9801-46F2-9F9E-333AF09964CE>.<1> load failed with error Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSErrorFailingURLStringKey=https://api.example.com:1410/v1.1/users/signin, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, kCFStreamErrorDomainKey=3, NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <71350D43-9801-46F2-9F9E-333AF09964CE>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey=(
"LocalDataTask <71350D43-9801-46F2-9F9E-333AF09964CE>.<1>"
), NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://api.example.com:1410/v1.1/users/signin, NSUnderlyingError=0x600002db3d50 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFNetworkCFStreamSSLErrorOriginalValue=-9816, kCFStreamErrorDomainKey=3, kCFStreamErrorCodeKey=-9816}}, kCFStreamErrorCodeKey=-9816} [-1200]
Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made.
Here is the screenshot
I'm not sure how to solve it. Any ideas?
You probably need to reconfigure your SSL certificates. I know for TCP/TLS at least, with iOS 13 they imposed more restrictions on the certificates. I created a package to handle sockets on iOS - I also included a lot of good info about making certificates how you need to now.
https://github.com/eamonwhiter73/IOSObjCWebSockets/tree/master

iOS simulator 'This connection is not private'

I've been trying to get the iOS simulator to play nice with our internal dev servers.
I've installed the root CA by dragging it to the simulator. It's enabled by default but I toggled it on/off anyway just to be sure.
I connected via safari and got the error in the title. Connected via the app (actually XCTest) and got:
2020-03-30 11:45:53.001800+0300 xctest[20258:5222958] [] nw_coretls_callback_handshake_message_block_invoke_3 tls_handshake_continue: [-9812]
2020-03-30 11:45:53.001 xctest[20258:5222959] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
2020-03-30 11:45:53.004 xctest[20258:5222951] Error in <file/line>: Optional(Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “<domain>” which could put your confidential information at risk." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x7fd53fd12480>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9813, NSErrorPeerCertificateChainKey=(
"<cert(0x7fd546009200) s: <domain> i: <CA>>"
), NSUnderlyingError=0x7fd541a157e0 {Error Domain=kCFErrorDomainCFNetwork Code=-1202 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x7fd53fd12480>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9813, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9813, kCFStreamPropertySSLPeerCertificates=(
"<cert(0x7fd546009200) s: <domain> i: <CA>>"
)}}, NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “<domain>” which could put your confidential information at risk., NSErrorFailingURLKey=https://<url>, NSErrorFailingURLStringKey=<url>, NSErrorClientCertificateStateKey=0})
I've connected from chrome on Mac and it works fine. I actually copied the CA from the mac's keychain to the simulator.
Went over the checklist from https://support.apple.com/en-us/HT210176:
key size = 4096
hash algorithm is SHA-256 RSA
there's a DNS name in the SAN (but also in CN). It says CN names are not trusted but it doesn't say they're not allowed.
There's a value in EKU
It's valid for two years
I've also compared the certificate as presented in Safari iOS to that in Chrome Mac. Looks fine.
Finally, I've installed 10.3 on the simulator just to rule out some new bug/restriction.
Running on Catalina/Xcode 11.4
I'd appreciate help in one of the following:
An actual solution
Help diagnosing this. A link to more up to date requirements or a tool to see why the cert is failing.
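Two of the threads above come down to the same two checks, so here is one added Go example (not code from any of the posts, nor from Apple) that runs both against a constructed PKI. First, path validation with and without the issuing root in the trust store, which is the difference between "installed the site cert" and "trusted the root CA" in the first question and in the Certificate Trust Settings answers. Second, a small checker for three of the HT210176 rules from the checklist above (a DNS name in the SAN, the serverAuth EKU, and the 825-day validity cap), applied to a 397-day leaf and to a 10-year leaf like the one in the React-Native question. The CA name and host are borrowed from the first question's log; the function names, the use of Go's crypto/x509 as a stand-in for iOS trust evaluation, and measuring a leaf under a user-installed root against 825 days rather than 398 are my assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// HT210176 caps TLS server certs issued after 1 July 2019 at 825 days; HT211025's
// 398-day cap applies only to public CAs, not to a user-installed root like these.
const maxLeafValidity = 825 * 24 * time.Hour

// must unwraps a (value, error) pair and panics on error; acceptable for a demo.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mustSign creates the certificate described by tmpl with a fresh 2048-bit RSA key:
// self-signed when parent is nil, otherwise issued by parent using parentKey.
func mustSign(tmpl, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// buildPKI constructs a private CA modelled on the first question's chain (constructed
// names) and issues a server leaf for host with the given validity and SAN entries.
func buildPKI(host string, validity time.Duration, sans []string) (leaf, root *x509.Certificate) {
	now := time.Now()
	root, rootKey := mustSign(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Homestead homestead Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
	leaf, _ = mustSign(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(validity),
		DNSNames:     sans,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, rootKey)
	return leaf, root
}

// evaluate performs path validation for host the way a TLS client does: the leaf is
// accepted only if it chains to an installed root. trustRoot=false models a trust
// store lacking the CA, which is why installing the server cert alone still fails.
func evaluate(leaf, root *x509.Certificate, host string, trustRoot bool) (bool, string) {
	roots := x509.NewCertPool()
	if trustRoot {
		roots.AddCert(root)
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return false, err.Error()
	}
	return true, ""
}

// checkAppleRequirements lists the HT210176 rules a leaf breaks (SAN, EKU and validity;
// the key-size and SHA-2 rules are not encoded). Go's Verify ignores these; iOS 13+ does not.
func checkAppleRequirements(c *x509.Certificate) []string {
	var findings []string
	if len(c.DNSNames) == 0 {
		findings = append(findings, "no DNS name in subjectAltName (CN alone is not trusted)")
	}
	serverAuth := false
	for _, eku := range c.ExtKeyUsage {
		serverAuth = serverAuth || eku == x509.ExtKeyUsageServerAuth
	}
	if !serverAuth {
		findings = append(findings, "extendedKeyUsage lacks id-kp-serverAuth")
	}
	if d := c.NotAfter.Sub(c.NotBefore); d > maxLeafValidity {
		findings = append(findings, fmt.Sprintf("validity of %d days exceeds 825", int(d.Hours()/24)))
	}
	return findings
}

func main() {
	for _, days := range []int{397, 3650} {
		leaf, root := buildPKI("cttweb.test", time.Duration(days)*24*time.Hour, []string{"cttweb.test"})
		_, noRoot := evaluate(leaf, root, "cttweb.test", false)
		ok, _ := evaluate(leaf, root, "cttweb.test", true)
		fmt.Printf("%d-day leaf: no root installed: %q; root trusted: accepted=%v; findings: %v\n", days, noRoot, ok, checkAppleRequirements(leaf))
	}
}
```

Run it with `go run`. The 10-year leaf verifies fine once its root is trusted, which is exactly the gap between what a generic TLS stack accepts and what iOS 13 and later enforce, and why the fix in the React-Native thread was a shorter-lived certificate rather than another trust setting. A leaf with the name only in CN fails hostname matching here as well, matching the "CN names are not trusted" note in the checklist.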

iOS 12 App REST call over SSL fails on Cert exchange with custom CA cert

I am working on the server side of a system here, but I have an iOS question. There is a team (Different time zone, so not online now) who are calling a REST API I provide, using an iOS app. iOS 12, I am pretty sure. They mailed me earlier to say that it's "Hanging" and send me the following log. I know iOS doesn't like self-signed certs, so I made a custom CA, and signed a cert for my server. I sent them the Custom CAs, (Issuing and Root) and they appear to have installed them correctly as profiles on iOS. Does the trace below make any sense to anyone? I know this a bit hand-wavy, but we are up against the wire on a regulatory project, and I'd really appreciate any insight that I could offer to my App Development friends.
Error Domain=org.openid.appauth.general Code=-5 "(null)" UserInfo={NSUnderlyingError=0x280d86bb0 {Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x2831eb180>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, NSErrorPeerCertificateChainKey=(
"<cert(0x13e094e00) s: rhaxwayvd1.mid.xxx i: XXX plc Issuing CA 1>",
"<cert(0x13e095800) s: XXX plc Issuing CA 1 i: XXX plc Root CA>",
"<cert(0x13e096200) s: XXX plc Root CA i: XXX plc Root CA>"
), NSUnderlyingError=0x280d85b30 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x2831eb180>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=(
"<cert(0x13e094e00) s: rhaxwayvd1.mid.xxx i: XXX plc Issuing CA 1>",
"<cert(0x13e095800) s: XXX plc Issuing CA 1 i: AIB plc Root CA>",
"<cert(0x13e096200) s: XXX plc Root CA i: AIB plc Root CA>"
)}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://rhaxwayvd1.mid.xxx:8445/XXXApp/TokenExchange, NSErrorFailingURLStringKey=https://rhaxwayvd1.mid.xxx:8445/XXXApp/TokenExchange, NSErrorClientCertificateStateKey=0}}}
OK, lack of knowledge on my part, but I'll post the answer, in case it helps someone in future. Although I mailed the Custom CA Cert to the iOS tester, and he installed it as a profile, that's not enough.
It is necessary to specify that you trust this CA on the device. This is done by navigating on the device settings to:
settings->general->about->Certificate Trust Settings
There you will see the newly installed Custom CA. It is switched off by default, so needs to be switched on.
