We have developed app iOS app using Xamarin.
It's working well in my test devices. My client is running into an issue of SSL error when he is using cellular connection.
Same app is running perfectly fine when he is using Wifi connection.
I am using Modern HTTP client to make web connection to use native APIs.
I have also tested app in IPV6 environment and it is also working fine.
Settings of App transport security are okay that I have verified. [If error is here then it should come all time irrespective of connection type.]
Issue is at remote end so, I dont have too much opportunity to experiment with various settings, debug and see what is causing this issue.
Having any clue or direction would be really helpful.
Note: Using third party online tools we have verified that our server is ATS compliant and using TLS 1.2
Stacktrace
System.Net.WebException: An SSL error has occurred and a secure connection to the server cannot be made. ---> Foundation.NSErrorException: Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSErrorFailingURLStringKey=MYURL, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3,
_NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <5C93BDAD-10CE-478B-9D72-5AA02AA84617>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey=(
"LocalDataTask <5C93BDAD-10CE-478B-9D72-5AA02AA84617>.<1>"
), NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=MYURL, NSUnderlyingError=0x282ea41e0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)"
UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9816, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9816}}, _kCFStreamErrorCodeKey=-9816}
Update
We have updated server instance and that has made this issue random instead of all time producing. Removed HTTP client but still issue is there. We are neither getting steps or situation to produce it all time nor fix.
"I am using Modern HTTP client to make web connection to use native APIs."
This is likely the cause of your problem. This was something that was true several years ago. However Xamarin HttpClient already uses native APIs (you can set that in the project properties), while Modern HTTP client hasn't been updated for years and likely has some problems by now.
Is the connection failing all the time or sometimes? If the latter, then the bottom could help.
I'm not sure if this is the case, might be worth checking. But, we also had a similar issue on some Cellular Providers. What happened was the SIM had no more data (hit the limit), so the Provider would initially allow connection but cut it in the middle. This would show as an SSL error.
In our case, we could not do anything about it since it was the Cellular Provider's specific implementation.
Related
My app fetches resources from AWS bucket (accessed thru a cloudfront).
Some of the users fails to fetch the data due to
NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made."
As we use AWS service I assume that the SSL certificate is fine, the fact that it happens to a small (but not small enough) portion of the users should say that the SSL certificate is OK.
Any other post I saw about this issue suggested to add a flag to App Transport Security Settings in info.plist file that will allow unsecured connection. This is not something I can (or want) to do.
Thanks for the help :)
This might happen if you're using a VPN.
But will also happen if you're using a proxy tool like Charles Proxy but haven't installed/trusted the Charles Proxy certificate.
It also happened to me when I was on a public wifi network. It seemed that some how the public wifi was doing some sort of a MITM to maybe add some ads. I didn't face the same problem when I was using LTE or a non-public wifi
I found this solution from the Apple Developer Forums which does not involve modifying the App Transport Security Settings:
And you shouldn’t need an ATS exception in your scenario. The
approach I recommend is as follows:
Set up a custom certificate authority (CA) within your organisation (many organisations already have this).
Have it issue a certificate for your private server.
Use MDM to install your organisation CA’s root certificate on your devices.
I have a problem when downloading a map-offline from Sygic Server. Xcode show this error :
Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSErrorFailingURLStringKey=http://cdn-sygic.*************/in-app-data/maps/********************/******.poi, NSErrorFailingURLKey=http://cdn-sygic**************t/in-app-data/maps/********************/******.poi,
I configured perfectly the info.plist to support the download and previously It works fine.
Web service were working fine. All of a sudden webservice started throwing NSURLErrorDomain Code=-999 "cancelled".
We tried to get the response in POSTMAN and response was same. We disabled the SSL certificate option in POSTMAN and server started responding. Android uses the same web services and its working fine with them. iOS we have integrated AFNetwroking to get consume web service. I have googled around and it set the "self.securityPolicy.allowInvalidCertificates = YES;""
However still the response from server to iOS device is NSURLErrorDomain Code=-999 "cancelled.
Is there anyway where we don't allow the webservice to validate with SSL certificate.
getting an intermittent SSL error on iOS.
I've turned off ATS, and we know this happens on OS versions < iOS9 as well
Error Domain=NSURLErrorDomain Code=1011 "An SSL error has occurred and
a secure connection to the server cannot be made."
UserInfo={NSLocalizedDescription=An SSL error has occurred and a
secure connection to the server cannot be made.,
NSLocalizedRecoverySuggestion=Would you like to connect to the server
anyway?, _kCFStreamErrorCodeKey=-9806 NSErrorFailingURLStringKey=, _kCFStreamErrorDomainKey=3, NSUnderlyingError=0x1471b600
from our crittercism logs, seems like some users are able to replicate this. but we have not been able to
Would you like to connect to the server anyway?<-- this makes me suspect that there was an authentication challenge. how can i verify that?
kCFStreamErrorCodeKey=-9806 <-- does anyone know what this error means?
Edit:
-9806 means errSSLClosedAbort
http://www.opensource.apple.com/source/Security/Security-55179.13/libsecurity_ssl/Security/SecureTransport.h
what can cause this? i don't think this is due to a spotty network because from our tracking tools, SSL connections to other hosts seem ok. and when a user hits this issue, it is re-produceable. seems to me like we need to inspect the failure with wireshark to get further information. but we have not been able to re-produce this. does anyone have ideas logging more information from apps in the wild to debug this?
The server SSL certificate is failing the built-in certificate validation. It is up to you to decide how to handle this and present a correct remediation to the user. This can happen for many reasons.
SSL trust evaluation is described in detail in Technical Note 2232: SSL Trust Evaluation.
I've had similar errors in a few scenarios:
The server was getting accessed via https://www.domainname.com instead of https://domainname.com (note the "www.") in which case because of how I signed the cert was making it invalid. (I later found how to make the cert valid for both addresses and used the virtualHost and htaccess to always push to www.jeremiedaigle.com)
I had a load bearing server which was improperly setup. One of the servers had the cert, the other didn't.
Last, I have also encountered this issue when debugging and trying to use a self signed cert because I was using a proxy (CharlesProxy) middleman to debug my requests. the Middleman cert, in this case had to be trusted by the device. You can do this by sending the cert via email and opening it on the device.
This question is unlikely to help any future visitors; it is only relevant to a small geographic area, a specific moment in time, or an extraordinarily narrow situation that is not generally applicable to the worldwide audience of the internet. For help making this question more broadly applicable, visit the help center.
Closed 9 years ago.
I have a Ruby on Rails app that uses SSL. I run the server using thin start --ssl. Every time I launch the server and access the app, I get a warning saying that the SSL certificate is not verified. That is not a problem as long as I stay in Rails. However, my app also has an API and I am developing an iPhone client app for it. When I do a request from the iphone app to the local Rails server, I get the following error:
2013-03-24 12:30:09.680 OAuth2Test[44541:c07] Error: Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “oauth.lvh.me” which could put your confidential information at risk." UserInfo=0x8832730 {NSErrorFailingURLStringKey=https://oauth.lvh.me:3000/oauth/authorize?client_id=23b8921e8db833a33ac7a058b93183a1496f56a6eea4f6c597291106f80a37d0&redirect_uri=https%3A%2F%2Fcatapultcentral.com%2FiOSClientCallback&response_type=code, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSErrorFailingURLKey=https://oauth.lvh.me:3000/oauth/authorize?client_id=23b8921e8db833a33ac7a058b93183a1496f56a6eea4f6c597291106f80a37d0&redirect_uri=https%3A%2F%2Fcatapultcentral.com%2FiOSClientCallback&response_type=code, NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “oauth.lvh.me” which could put your confidential information at risk., NSUnderlyingError=0x8944cd0 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “oauth.lvh.me” which could put your confidential information at risk.", NSURLErrorFailingURLPeerTrustErrorKey=}
In my opinion, the key part of this error is: "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “oauth.lvh.me” which could put your confidential information at risk.". By the way, I test my iPhone app in the iPhone Simulator.
So, if I am correct, there are three solutions to this problem:
Deploy my API to the staging server and develop the iPhone app against that. At the moment, all the API-related code is not deployed, and I'd rather not deploy it until it is in a stable state. So that is not an option.
Develop the iPhone app in a certain way so that it doesn't verifies the SSL certificate. I do not like this approach and I don't even know how to do it...
Get a local verified SSL certificate (fake the verified state or something). I don't know how to do that but that seems like the best option.
I tried to follow a tutorial on how to generate a self certified SSL certificate and then run the Rails server with thin start --ssl --ssl-verify --ssl-key-file server.key --ssl-cert-file server.crt but that didn't work (the created SSL certificate is still not verified).
So how can I solve my problem please?
You should create a root CA and use it to create your SSL certificates, and add that root CA to your iPhone.