Misdirected Request happening on Apple devices - iOS

An annoying and persistent issue that I've been facing is a "Misdirected Request Error The client needs a new connection for this request as the requested host name does not match the Server Name Indication (SNI) in use for this connection" when carrying out an AJAX request from my front end to the back end. CORS origin has been taken care of. The weird thing is that this issue only occurs with Apple devices (iPhone/MacBook) on Safari and Chrome. Other Android and Windows devices work seamlessly. I tried purchasing an additional dedicated SSL certificate for my domain which includes two subdomains (the frontend and backend) from GoDaddy.
Any other tips/solutions please?

Issuing a separate SSL certificate for the two sub-domains did the trick. Make sure that the two sub-domains are not grouped under the same certificate.

Related

Network Sniffing/SSL Pinning: Not able to get past the login page in a mobile app when detecting traffic with Fiddler

I am debugging the network calls of one of the client's applications, whose code I do not have. The steps I have gone through are as below.
1) Install Fiddler on a Windows system.
2) Enable HTTPS decryption.
3) Set the system proxy to match the client's country (USA).
4) Install the app on an iOS device which is on the same network.
5) Installed the Fiddler certificate on the phone and added it to the trusted certificates.
6) Applied a manual proxy pointing at the internal IP of the Windows system (not the system proxy of USA).
Now when I open the app, I am able to trace the network calls up to the login page. I am also able to detect the network call which sends the credentials.
But after loading for 5-8 seconds, the app shows "something went wrong, we are unable to serve you".
I am not able to see any trace of my machine's IP (internal IP) in the network calls being sent. I changed my phone's timezone in case that is the triggering point for it to stop serving.
Also, randomly after 2-3 attempts the following popup comes up. I have set the client certificate as asked, which was downloaded from http://ipv4.fiddler:8888 .
There are many other apps for which I am able to see the entire set of network calls, but not for this specific one.
Is there any issue in my system settings, or does the app provider have a mechanism to identify man-in-the-middle proxies? Or certificate issues?
Update 1: I checked the Fiddler log and found the below error:
HTTPS handshake to TargetURL failed. The exact error was "a call to SSPI failed, see inner Exception, the certificate chain was issued by an authority that is not trusted". Is this the case with SSL pinning?
You are mixing up the certificates. Usually the problem is the server certificate; however, in your case the problem arises from a client certificate. An SSL client certificate is an optional feature that allows identifying a user based on a certificate + private key instead of username + password. It is often used in companies where each user has a certificate + private key on a smart card.
There are now two possibilities:
1) The iOS app includes a client certificate + private key and the app developers use this to protect the communication API (a bit similar to an API key). In this case you have to extract the certificate and the private key and provide them to Fiddler. Most likely the certificate and private key are the same for every device world-wide and can be found as a static resource in the iOS app (potentially obfuscated or somehow protected).
2) The server asks for a client certificate but providing a certificate is optional. I don't know if Fiddler can handle this situation.

NSURLErrorDomain after SSL certificate renewal in iOS app using AFNetwork

We have an old iOS app which was using HTTPS to access the APIs. The app was working fine till a few days ago. The SSL certificate in question expired a few days ago. The app started giving the following error:
Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “xxx.xxx.com” which could put your confidential information at risk."
So we renewed and re-keyed the SSL certificate. Now when I access the HTTPS url from browser (chrome) it works properly and shows the green lock on the left before the url. When I click on the lock icon it shows valid certificate information. But when the same URL is accessed from the App I still get the same error.
The AFNetworking being used is from 2011, since this is an old app. Since the app is already on AppStore, I am looking for a server side fix.
Have you seen something like this before? If yes how did you solve it?
Regards,
Pritam.
Yes, I have seen something like this before, and the good news is that it IS a server side fix. Browsers often cache third party certs and will therefore ignore minor problems with your certificate chain, which is what appears to be the issue in your case. However, your app code does not trust the certificate chain that your website has given it.
Download an app called SSL detective and use it to query your website for the certificate chain. You will probably see that one of the parts is red/untrusted and you should seek to make sure that the ENTIRE chain is trusted. Chances are, you will need to make some changes to your server side certificate setup.
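The answer above turns on one detail: a browser that has cached (or fetched) the intermediate certificate will happily build a trusted path, while an app with a plain TLS stack sees only what the server actually sends. The following is an added example, not code from the question or the answer, showing how to check that condition from the "Certificate chain" section printed by `openssl s_client -showcerts`. The two sample outputs, the Example CA names and the one-entry trust store are all constructed for the demonstration.

```python
"""Check whether a server's served certificate chain is complete.

Added example, not code from the original question or answer. It parses the
"Certificate chain" section printed by `openssl s_client -showcerts` (the
sample outputs below are constructed, not captured from any real server) and
reports the first point at which a client without cached intermediates would
fail to build a path to a trusted root.
"""
import re
from typing import Optional

# Constructed trust store: the only root this hypothetical client knows.
TRUSTED_ROOTS = {"C = US, O = Example CA, CN = Example Root CA"}

# Constructed s_client output for a server that sends leaf + intermediate.
COMPLETE_CHAIN = """\
Certificate chain
 0 s:CN = xxx.xxx.com
   i:C = US, O = Example CA, CN = Example Intermediate CA
 1 s:C = US, O = Example CA, CN = Example Intermediate CA
   i:C = US, O = Example CA, CN = Example Root CA
---
"""

# Constructed s_client output for a server that sends only the leaf.
LEAF_ONLY_CHAIN = """\
Certificate chain
 0 s:CN = xxx.xxx.com
   i:C = US, O = Example CA, CN = Example Intermediate CA
---
"""

_SUBJECT = re.compile(r"^\s*(\d+) s:(.*)$")
_ISSUER = re.compile(r"^\s*i:(.*)$")


def parse_chain(text: str) -> list[tuple[str, str]]:
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain = []
    subject = None
    for line in text.splitlines():
        m = _SUBJECT.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = _ISSUER.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain


def chain_status(text: str, trusted_roots: set[str]) -> tuple[str, Optional[str]]:
    """Walk the served chain the way a strict client does.

    Returns ("ok", None) when every issuer is either the next served
    certificate or a trusted root, otherwise ("incomplete", <missing issuer>)
    naming the first certificate the server should have sent but did not.
    A browser may paper over this gap with a cached or AIA-fetched
    intermediate; an app using a plain TLS stack will not.
    """
    chain = parse_chain(text)
    if not chain:
        return ("empty", None)
    for idx, (subject, issuer) in enumerate(chain):
        if issuer in trusted_roots:
            return ("ok", None)                 # path reaches a root we trust
        if issuer == subject:
            return ("untrusted-root", subject)  # self-signed, not in store
        if idx + 1 < len(chain) and chain[idx + 1][0] == issuer:
            continue                            # issuer is the next served cert
        return ("incomplete", issuer)           # nobody served this issuer


if __name__ == "__main__":
    print(chain_status(COMPLETE_CHAIN, TRUSTED_ROOTS))   # ('ok', None)
    print(chain_status(LEAF_ONLY_CHAIN, TRUSTED_ROOTS))  # ('incomplete', '...Intermediate CA')
```

To use it against a real host, feed it the output of `openssl s_client -connect host:443 -servername host -showcerts` and a trust store that matches the client you care about; the fix on the server side is to ship every certificate the function reports as missing, in order, after the leaf.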

JMeter - How can I use the proxy with secure mobile pages?

I'm using JMeter's proxy to record the HTTP traffic from a mobile app.
It works fine with non-secure HTTP requests, but when I try to make an HTTPS request I get an error: "The certificate for this server is invalid" (see screenshot below).
This is of course expected. If I'm on a PC I can simply click on "accept bad certificate" (or something like that) but this isn't an option for my mobile app (I'm testing amazon's app for example).
Is there a way to get my iPhone (or other mobile device) to accept JMeter's certificate?
Is there another way to do this with a REAL mobile device?
edit:
Some of the answers talk about how to modify my app.
I can't modify the app myself - so I need a solution that doesn't require any app modification.
After some research I found this link:
http://nat.guyton.net/2012/01/20/adding-trusted-root-certificate-authorities-to-ios-ipad-iphone/
Which almost works :)
The comments say that in iOS 6 and up using an MD5 doesn't work, and the default key JMeter is using is MD5.
Any thoughts?
Update Feb 13, 2014:
I had given up on this originally, but recently came across an article about using Charles proxy with a real device to capture SSL traffic by adding a certificate to your iPhone. After following the instructions here it works!
http://www.charlesproxy.com/documentation/faqs/ssl-connections-from-within-iphone-applications/
So now I know a solution IS possible, but I'm still stuck on how to get it to work - now using JMeter 2.11 and iOS 7
Thanks
Ophir
These related questions may be helpful:
iphone: secure restfull server "The certificate for this server is invalid"
HTTPS Service is not working
HTTPS post request in IOS
I just happened to write an article on that given the new restrictions on iOS 13. In a nutshell:
Generate a certificate.
Import it into your proxy tool (I used OWASP ZAP).
Import the certificate into iOS and add it as a trusted authority.
Access iOS’ proxy settings and point it to your computer.
Full details in the article link below. Hope you find it helpful.
Best regards,
Andre
https://link.medium.com/gcU2SYZtn4

How many SSL certificates I must buy in a service oriented system?

I am using Ruby on Rails 3 and I would like to know some information in order to buy SSL certificates.
I have a RoR application at this URL
pjtname.com
and another RoR application at this URL
users.pjtname.com
If I make an HTTPS request from the application pjtname.com to the application users.pjtname.com like this (in this example I use the Typhoeus gem)
Typhoeus::Request.get("https://users.pjtname.com/sign_in")
and I must receive the response over the HTTPS protocol, how many SSL certificates must I buy?
UPDATE
How many SSL certificates must I buy if
my pjtname.com and users.pjtname.com applications are located on different servers?
my applications are pjtname1.com and pjtname2.com and they are located on different servers?
If done properly, just one; a wildcard certificate for '*.pjtname.com' and 'pjtname.com' (it's possible to include more than one name in a single certificate).
While you could instead get a certificate for 'pjtname.com' and 'users.pjtname.com', such a certificate would no longer be sufficient when you later decide you need a 'mail.pjtname.com' or a 'chat.pjtname.com' or whatever. The wildcard would cover these future cases.
re: update
It doesn't matter if services are located on different servers; just put the certificate on both servers.
It's possible to have both 'foo.com' and 'bar.com' in a single certificate, just like you can have both 'pjtname.com' and 'users.pjtname.com'. However, it might be more difficult to acquire the foo/bar certificate than the pjtname.com/users.pjtname.com one.
Also, these answers are true regardless of platform.
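The wildcard-versus-SAN discussion in this answer and the "Misdirected Request" thread at the top of the page are two sides of the same question: which host names does one certificate cover? Per RFC 6125 a wildcard matches exactly one label and only in the left-most position, so '*.pjtname.com' covers users.pjtname.com but not pjtname.com itself (hence the answer's advice to list both names). And per RFC 7540 section 9.1.1, when one certificate is valid for two names that resolve to the same address, an HTTP/2 client such as Safari may reuse an already open connection for the second name; a server that is not set up to serve that name on that connection answers 421 Misdirected Request, which is the error the first question describes. Issuing separate certificates (as the first answer did) is one way to stop the reuse; configuring the server at that address to serve both names is the other. The code below is an added example serving both passages, not code from either question or answer; all certificate data in it is constructed and nothing on the network is contacted.

```python
"""Which host names does a certificate cover, and when may an HTTP/2 client
reuse one connection for two of them?

Added example, not code from either question or answer. All SAN lists and
host names are constructed; no real server is contacted.
"""
from typing import Iterable


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison of one dNSName SAN entry against a host.

    A wildcard must be the entire left-most label, may not be the only label
    before the public suffix ('*.com' is rejected), and matches exactly one
    label, so '*.pjtname.com' does not match 'a.users.pjtname.com'.
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def covers(sans: Iterable[str], hostname: str) -> bool:
    """True when any SAN entry in the certificate matches hostname."""
    return any(san_matches(san, hostname) for san in sans)


def uncovered(sans: Iterable[str], hostnames: Iterable[str]) -> list[str]:
    """Names from hostnames that the certificate does not cover; an empty
    list means one certificate is enough for all of them."""
    sans = list(sans)
    return [h for h in hostnames if not covers(sans, h)]


def may_coalesce(sans: Iterable[str], host_a: str, host_b: str,
                 same_ip: bool) -> bool:
    """RFC 7540 section 9.1.1: an HTTP/2 client may reuse an open connection
    to host_a for host_b when the served certificate is valid for host_b and
    host_b resolves to the same address. If the server behind that address
    is not configured for host_b it must answer 421 Misdirected Request."""
    sans = list(sans)
    return same_ip and covers(sans, host_a) and covers(sans, host_b)


if __name__ == "__main__":
    wildcard_plus_apex = ["*.pjtname.com", "pjtname.com"]
    print(uncovered(wildcard_plus_apex, ["pjtname.com", "users.pjtname.com"]))  # []
    print(uncovered(["*.pjtname.com"], ["pjtname.com"]))                         # ['pjtname.com']
    # Same certificate, same address: Safari may reuse the connection.
    print(may_coalesce(wildcard_plus_apex, "app.pjtname.com", "api.pjtname.com", True))   # True
    # Dedicated certificate for one name only: no reuse, so no 421.
    print(may_coalesce(["app.pjtname.com"], "app.pjtname.com", "api.pjtname.com", True))  # False
```

The `same_ip` flag is passed in rather than resolved, so the check stays deterministic; in practice compare the A/AAAA records of both names before deciding whether a shared certificate will trigger connection reuse.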

iphone: is there any secure way to establish 2-way SSL from an application

I need to establish an HTTPS 2-way SSL connection from my iPhone application to the customer's server.
However I don't see any secure way to deliver the client side certificates to the application (it's an e-banking app, so security is really an issue).
From what I have found so far the only way that the app would be able to access the certificate is to provide it pre-bundled with the application itself, or expose a URL from which it could be fetched (iPhone app with SSL client certs).
The thing is that neither of these two ways prevents a third party from getting the certificate, which, if accepted as a risk, eliminates the need for 2-way SSL (since anyone can have the client certificate).
The whole security protocol should look like this:
- HTTPS 2-way SSL to authenticate the application
- OTP (token) based user registration (client side key pair generated at this step)
- SOAP / WSS XML-Signature (requests signed by the keys generated earlier)
Any idea on how to establish the first layer of security (HTTPS) ?
Ok, so to answer my own question...
It turned out that the security has no fixed scale of measurement.
The security requirements are satisfied as long as the price for breaking the system is significantly above the prize that one would get for doing so.
In my situation we are talking about e-banking system, but with somewhat low monthly limits (couple of thousands USD).
As I mentioned in my question there would be another layer of security above the HTTPS which will feature WSS XML-Signatures. The process of registering the user and accepting his public key is also done in several steps. In the first step the user sends his telephone number together with a code retrieved somehow from my client. Then an SMS is sent to the user with a confirmation code. The user enters the confirmation code into an OTP calculator that would produce an OTP code which will identify the user. Then the public key is sent to the server together with the OTP code. From here on every request would be signed by the private counterpart of the public key sent to the server earlier.
So the biggest weakness of the whole process is that someone reverse engineers the application and retrieves the client certificate used for the SSL. The only problem arising from this is that someone might observe users' transactions. However, in order for someone to make a transaction he would need the user's private key, which is generated, encrypted and stored in the keychain. And the price for breaking this security level is VERY HIGH.
We will additionally think about how to protect the users' data on a higher level (e.g. using WSS Encryption), but for the start I think we are good with the current solution.
any opinion ?
regards
https doesn't really work this way. In a nutshell, you attach to a secure server where the certificates are signed by a well known authority.
If you use Apple's (iPhone) classes for this, they will only accept 'good' certificates. By good, I mean what Apple deems as acceptable. If you don't use them (there are alternatives in the SDK), you won't be able to connect (except, maybe, in the case where you have an 'Enterprise' developer's license - but I can't say that with 100% certainty as I haven't looked enough at this license to be sure).
To continue, use your https connection to your correctly signed website and then institute some sort of login with a built in username/password, or challenge/response based upon the unique ID of the iPhone (for example) and exchange keys using that connection.
Note that this means that your application will have to query for new certificates at (each connection/every X connections/every month/application specified intervals) to keep them up to date. You can then use these certificates to connect to the more secure server.
[edit]
Check this post - may have more information about what you're asking to do
[/edit]
[edit2]
Please note that the request is iphone, not OSX - app store approval is an issue
[/edit2]
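The self-answer in this thread rests on the registration step: the bundled client certificate is shared by every install, so the per-user identity comes from the OTP calculator and the key pair generated afterwards. The post does not say which OTP algorithm the calculator uses; the following added example (not code from the question or either answer) assumes HOTP, RFC 4226, with a seed shared between the calculator and the server, and shows both sides of that step: the calculator producing a code, and the server verifying it inside a small look-ahead window while moving its counter forward so a captured code cannot be replayed. The seed is the RFC 4226 test-vector secret, used here only so the output can be checked against the published vectors.

```python
"""HOTP one-time codes for the registration step described in the self-answer.

Added example, not code from the question or its answers. Assumes the "OTP
calculator" implements HOTP (RFC 4226); the seed below is the RFC 4226
test-vector secret, constructed for demonstration and never to be reused.
"""
import hashlib
import hmac
import struct
from typing import Optional

# RFC 4226 Appendix D test secret (ASCII "12345678901234567890").
TEST_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Generate the HOTP value for one counter (RFC 4226 section 5.3)."""
    msg = struct.pack(">Q", counter)               # 8-byte big-endian counter
    mac = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation offset
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10**digits).zfill(digits)


def verify_hotp(seed: bytes, stored_counter: int, submitted: str,
                window: int = 5, digits: int = 6) -> Optional[int]:
    """Server-side check of a submitted code.

    Returns the counter value the server must store next (one past the
    matching counter) or None on failure. The comparison is constant-time
    and the counter only ever moves forward, so a code that was observed in
    transit (the risk the self-answer accepts for the shared client cert)
    cannot be submitted a second time.
    """
    for c in range(stored_counter, stored_counter + window):
        if hmac.compare_digest(hotp(seed, c, digits), submitted):
            return c + 1
    return None


if __name__ == "__main__":
    # Calculator side: first three codes from the test seed.
    print([hotp(TEST_SEED, c) for c in range(3)])   # ['755224', '287082', '359152']
    # Server side: user skipped one press; code for counter 1 is still accepted.
    print(verify_hotp(TEST_SEED, 0, "287082"))       # 2
    # Replay of the same code after the counter advanced is rejected.
    print(verify_hotp(TEST_SEED, 2, "287082"))       # None
```

The window is a usability trade-off: wide enough that a few calculator presses that never reached the server do not lock the user out, narrow enough that an attacker holding a stale code gains nothing once the counter has passed it.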
