iOS App Fails ATS system trust when https is enabled - ios

I have an iOS App that I am compiling in Xcode 11.2.1. I am running MacOS Catalina 10.15.6.
My app consumes a Web Service that works fine when called unsecured over http.
I am now busy implementing security and we have bought a wildcard certificate from DigiCert and installed it on our API server. I have run the SSLLabs Server Security Test and the server gets an A grading, so all seems fine. We have updated the Android version of the app to use https instead of http and it is working fine. When I access the https endpoints from a browser it works fine and I don't get any security warnings or errors.
However, if I change from http to https and build and run the iOS App I get TLS errors. (I am calling the web service using URLSession and I am using Swift). I am putting a relevant section of the error log below to show the -9802 and -1200 errors I am getting.
ATS failed system trust
Connection 1: system TLS Trust evaluation failed(-9802)
Connection 1: TLS Trust encountered error 3:-9802
Connection 1: encountered error(3:-9802)
...
finished with error [-1200] Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x600001082b50>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, NSErrorPeerCertificateChainKey=(
I found https://support.apple.com/en-us/HT210176 and I was wondering if it is perhaps an issue that the "Subject Alternative Name" in our cert is our wildcard domain "*.domain.com" whereas the url we are connecting to is "myapi.domain.com". Could that be the problem? What else could I be missing?

In case someone else stumbles upon this...we ended up adding the specific subdomain we're calling in the API from our app to the "Subject Alternative Names" field on the certificate. So instead of just having "*.mydomain.com" in the Subject Alternative Names, we included both "myapi.domain.com *.mydomain.com". After we deployed this certificate to the server and we again tried calling myapi.domain.com from our app, the error went away and everything worked. (For those worried that this requires the purchase of a new certificate...it doesn't. It's quite possible to get such a copy of your certificate without having to buy a different one. Just check the documentation of the certificate issuer you are using.)
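An added example, not part of the original post and not Apple's trust-evaluation code: the general RFC 6125 rule for matching a hostname against SAN dNSName entries, applied to the names quoted in the question and answer above. The function names are assumptions, the SAN lists are constructed from those quoted names, and partial-label wildcards are rejected as a conservative choice.

```python
# RFC 6125-style check of a hostname against a certificate's SAN dNSName list.
# Added illustration; names and sample SAN lists below are constructed.

def _labels(name):
    # DNS names compare case-insensitively; a trailing root dot is ignored.
    return name.rstrip(".").lower().split(".")

def san_entry_matches(pattern, hostname):
    """Return True if one SAN dNSName entry covers the hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if "" in p or "" in h or len(p) != len(h):
        return False          # empty label, or label counts differ
    if any("*" in label for label in h + p[1:]):
        return False          # "*" is only allowed as the left-most SAN label
    if p[0] == "*":
        # The wildcard stands for exactly one label and needs at least two
        # fixed labels after it, so "*.com" never matches anything.
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False          # partial wildcards ("my*.x.com") rejected here
    return p == h

def matching_sans(hostname, san_dns_names):
    """List the SAN entries that cover the hostname (empty list = mismatch)."""
    return [s for s in san_dns_names if san_entry_matches(s, hostname)]

# Constructed cases using the names quoted in the question and answer.
CASES = [
    ("myapi.domain.com", ["*.domain.com"]),
    ("myapi.domain.com", ["*.mydomain.com"]),
    ("myapi.domain.com", ["myapi.domain.com", "*.mydomain.com"]),
    ("domain.com", ["*.domain.com"]),           # apex is not covered
    ("a.myapi.domain.com", ["*.domain.com"]),   # two labels deep is not covered
]

if __name__ == "__main__":
    for host, sans in CASES:
        hits = matching_sans(host, sans)
        print(f"{host:22} SAN={sans} -> {hits or 'NO MATCH'}")
```

Feeding it the SAN list actually served by the endpoint shows whether a name mismatch is even possible before looking at other causes of a trust failure.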

Related

"Failed to connect to api.twilio.com port 443: Connection refused" error

I've disabled SSL Certificate Validation under General Settings because my WordPress site is using http.
But I am still getting "Failed to connect to api.twilio.com port 443: Connection refused" on live and test credentials.
I've also purged caches on the browser.
I am using the guide from https://www.twilio.com/blog/2017/08/send-sms-wordpress-php-plugin.html.
Does the setting take time to remove the SSL certificate validation, or what else could go wrong?
Answered by Twilio support "All connections to the Twilio API endpoints must use HTTPS and so if you have no SSL Cert for your Wordpress website it will refuse the request. You will need to get an SSL Certificate for your website in order to call the API endpoints from your Wordpress site/domain. Disabling SSL Certificate Validation setting on Twilio dashboard is for calls from Twilio to your servers, not the other way around."
I am also facing the same challenge while doing a POC to send SMS using Twilio. This is the exception that I am getting.
Exception in thread "main" com.twilio.exception.ApiException: Connect to api.twilio.com:443 [api.twilio.com/54.209.184.12, api.twilio.com/52.45.186.111, api.twilio.com/52.4.111.215, api.twilio.com/52.5.142.82, api.twilio.com/54.165.83.5, api.twilio.com/54.84.239.1, api.twilio.com/52.45.52.233, api.twilio.com/52.72.204.95] failed: Connection refused: connect
at com.twilio.http.NetworkHttpClient.makeRequest(NetworkHttpClient.java:128)
at com.twilio.http.HttpClient.reliableRequest(HttpClient.java:42)
at com.twilio.http.HttpClient.reliableRequest(HttpClient.java:25)
at com.twilio.http.TwilioRestClient.request(TwilioRestClient.java:42)
at com.twilio.rest.api.v2010.account.MessageCreator.create(MessageCreator.java:402)

cordova https/SSL issue in ios

My Cordova app needs to invoke web services which are running in PHP.
All of the web service URLs are "https". I get the below error when I try to run the app with an https URL on an iPhone/iPad device.
I tried to debug the app using Safari Web Inspector. I am getting the below error.
Failed to load resource: The certificate for this server is invalid. You might be connecting to a server that is pretending to be “api.xyz.com” which could put your confidential information at risk.
Need some help to resolve this.

Access Development server with self-signed SSL Certificate

My app needs to connect to an internal web server through https.
The server has a self-signed certificate that is valid until next year:
I have installed this certificate in the iOS Simulator and on the device (Certificate.cer):
I am watching the traffic with Charles and the request does not even "leave" my computer.
The problem seems to be due to the SSL certificate, because when I access the server through the internal URL and port 8080 everything works fine.
I did try the hack with the category allowsAnyHTTPSCertificateForHost:. This did not work in the simulator or on the device.
There seems to be an official API to do this: How to use NSURLConnection to connect with SSL for an untrusted cert?
However, since this is only my development environment I would prefer not to change my code base for now. Plus I am using a framework to parse my data and I might have to deeply interfere with that framework to get to the API described above.
So my question is: should it not be possible to install the certificate and then use the server as if there was an official SSL certificate?
Email the self-signed certificate to yourself then open it on your iPhone. You will be taken through the steps to install the certificate on your phone.

Random SSL errors in iOS 8.1. (NSURLErrorDomain:-1200)

In iOS 8.1 we are getting random SSL errors.
There is no issue at the server and it seems like an iOS device issue. AWS support has checked the SSL configuration and the certificate on the server, but didn't find any issue.
Error message is this - "An SSL error has occurred and a secure connection to the server cannot be made. (NSURLErrorDomain:-1200)". We are using NSURLConnection to make network connections.
Many of our users started getting this error recently and all were on iOS 8.1. Is this a known bug?
I have exactly the same issue with iOS 8.1 users on my website.
On the server side, I have this error:
No hostname was provided via SNI for a name based virtual host
It seems that iOS 8.1 doesn't support SNI very well.
The workaround is to configure your web server to accept clients that don't support SNI, and to set the virtual host and certificate you want shown to non-SNI clients as the default for all SSL virtual hosts.
In Apache you have to add:
# Before the first SSL virtual host, which will have the default certificate:
NameVirtualHost *:443
# In this default virtual host:
SSLStrictSNIVHostCheck off
Sorry for my English (I'm French), and I hope it will help.

ios 7.1 enterprise distribution server's certificates error

Since I updated to iOS 7.1 I had to start using a secure connection to be able to download the plist file. I received the following:
Mar 21 09:08:36 xx-iPad itunesstored[98] <Warning>: Could not load download manifest with underlying error:
Error Domain=NSURLErrorDomain Code=-1202 "Cannot connect to the Store"
UserInfo=0x16ec5500 {NSLocalizedDescription=Cannot connect to the Store,
NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?,
NSLocalizedFailureReason=A secure connection could not be established. Please check your Date & Time settings.,
NSErrorFailingURLStringKey=https://mydomain/myappanme.plist,
NSUnderlyingError=0x16dd7fa0 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “mydomain.com” which could put your confidential information at risk.",
NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x16e04510>,
NSErrorFailingURLKey=https://anything/myappanme.plist}
My server is configured like this:
We've got a wildcard certificate for *.mydomain.com. We moved it to a new server, and the certificate is valid for all browsers that we have tested (IE, Firefox, Chrome, Safari...). The certificate is the typical CRT with a bundle/intermediate certificate from GoDaddy and the key. The https site loads without issues. Apache 2.4 and Linux Fedora 20.
The download to install the app is:
itms-services://?action=download-manifest&url=https://mydomain/resources/myappanme.plist
Possible duplicate questions (tried them all)
-)The certificate for this server is invalid
-)iOS Enterprise OTA distribution Unable to Download Application
-)http://www.nefkens-ict.nl/enterprise-build-does-not-install/
Thanks in advance
Try the link below, which will help you solve this certificate problem:
http://cases.azoft.com/how-to-fix-certificate-is-not-valid-error-on-ios-7/
No issue in sharing the .ipa or apk file; for a quick round, you can use the link below to share binary files with multiple recipients...
URL:
thebetafamily.com/supersend/
