Web service were working fine. All of a sudden webservice started throwing NSURLErrorDomain Code=-999 "cancelled".
We tried to get the response in POSTMAN and response was same. We disabled the SSL certificate option in POSTMAN and server started responding. Android uses the same web services and its working fine with them. iOS we have integrated AFNetwroking to get consume web service. I have googled around and it set the "self.securityPolicy.allowInvalidCertificates = YES;""
However still the response from server to iOS device is NSURLErrorDomain Code=-999 "cancelled.
Is there anyway where we don't allow the webservice to validate with SSL certificate.
Related
We have developed app iOS app using Xamarin.
It's working well in my test devices. My client is running into an issue of SSL error when he is using cellular connection.
Same app is running perfectly fine when he is using Wifi connection.
I am using Modern HTTP client to make web connection to use native APIs.
I have also tested app in IPV6 environment and it is also working fine.
Settings of App transport security are okay that I have verified. [If error is here then it should come all time irrespective of connection type.]
Issue is at remote end so, I dont have too much opportunity to experiment with various settings, debug and see what is causing this issue.
Having any clue or direction would be really helpful.
Note: Using third party online tools we have verified that our server is ATS compliant and using TLS 1.2
Stacktrace
System.Net.WebException: An SSL error has occurred and a secure connection to the server cannot be made. ---> Foundation.NSErrorException: Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSErrorFailingURLStringKey=MYURL, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3,
_NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <5C93BDAD-10CE-478B-9D72-5AA02AA84617>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey=(
"LocalDataTask <5C93BDAD-10CE-478B-9D72-5AA02AA84617>.<1>"
), NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=MYURL, NSUnderlyingError=0x282ea41e0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)"
UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9816, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9816}}, _kCFStreamErrorCodeKey=-9816}
Update
We have updated server instance and that has made this issue random instead of all time producing. Removed HTTP client but still issue is there. We are neither getting steps or situation to produce it all time nor fix.
"I am using Modern HTTP client to make web connection to use native APIs."
This is likely the cause of your problem. This was something that was true several years ago. However Xamarin HttpClient already uses native APIs (you can set that in the project properties), while Modern HTTP client hasn't been updated for years and likely has some problems by now.
Is the connection failing all the time or sometimes? If the latter, then the bottom could help.
I'm not sure if this is the case, might be worth checking. But, we also had a similar issue on some Cellular Providers. What happened was the SIM had no more data (hit the limit), so the Provider would initially allow connection but cut it in the middle. This would show as an SSL error.
In our case, we could not do anything about it since it was the Cellular Provider's specific implementation.
My website connects with JavaScript to a JavaServer Websocket (Tomcat 7.0.76). I use Secure Websocket (wss) and all works as expected on Chrome (Windows/Linux), Android and older iOS devices, but on newer iOS devices, I get the following error:
WebSocket connection to 'wss://****' failed: Error during WebSocket handshake: 'Connection' header value is not 'Upgrade'
But my SSL certificate is accepted by new iOS, I have no security warnings/problems navigating through the website via https.
Also, the websocket connection works over ws:// (by navigating to the site over http).
I think I have to modify the http header sent from the server, but no idea how to do that.
I am very grateful for any advice.
While making http request, app is working fine but when the https url is hit, following error occur -
NSURLSession/NSURLConnection HTTP load failed(kCFStreamErrorDomainSSL, -9813)
Already tried solutions -
Ignoring certificate errors with NSURLConnection
How to use NSURLConnection to connect with SSL for an untrusted cert?
but no success.
Could someone provide a working solution?
I think we just discovered a bug on iOS 9 (version as of Oct 23rd 2015) when using client SSL certs to talk to a backend API. In common with a lot of REST services, our API generates 4xx error codes to communicate status. One of those is a 403 Forbidden error when a client tries to access paths that a specific client ID is not authorized to access. Note that this HTTP error occurs AFTER the client SSL cert has setup a valid connection & and the client ID has been authenticated.
In iOS 9, this sequence will generate an invalid client SSL error:
FAILED: Error Domain=NSURLErrorDomain Code=-1206 "The server “our.server.here” requires a client certificate."
(note: this a followup to my tweet here: https://twitter.com/ckmaresca/status/657576686318256128 - I figured SO is the place most people will search for this)
It took us days to finally figure out but it turns out that this particular error is generated by Apple's new Application Transport Layer security. Specifically, it seems that if you are using client certs and your backend API generates an HTTP 403 error, ATL believes that the cert is bad and kills the entire transaction.
We know this because we can see in our server logs that the request goes through and executes properly. We've also observed that the socket stays alive trough the request and this error only shows up after the response from the server is received. We also know our client cert works since any path not returning a 403 works with zero errors and changing the HTTP error code to 401 makes this problem go away.
This is problematic for a number of reasons, but mostly because HTTP errors are not SSL errors. The two can operate independently and it's perfectly possible to have a 403 error with a valid client side SSL certificate....
The work around is to change all your 403 errors to something else. I would note that a large number of Oauth1/2 servers will generate various 403 errors, so this might be non-trivial. Alternatively, it might be possible to use a reverse proxy to remap HTTP 403 errors to a different HTTP code - we have not tested this.
We have filed a bug with Apple, but I wanted to give people a heads up so maybe they can avoid banging their heads against a wall like we did for a week....
Thanks to the Sherbit.io enginnering team (specifically Varun & Matt) for debugging this.
I have this setup:
A tomcat server configured to use ssl client certificate authentication (clientAuth=true)
An ipad with a valid client certificate installed on it (emailed as a .p12 file and visible under profiles)
When browsing via ios safari, the ipad uses the client cert and authenticates against the server fine.
However in code, using a NSURLConnection, it won't connect. Debugging on the server shows the client isnt sending and cert at all.
On the client I get an error like this:
Request(https://192.168.1.5:8443/device/security/policy>, 0, 0)) didFailWithError:Error Domain=NSURLErrorDomain Code=-1205 "The server “192.168.1.5” did not accept the certificate." UserInfo=0xe2eae30
{NSErrorFailingURLStringKey=https://192.168.1.5:8443/device/security/policy>, NSErrorFailingURLKey=https://192.168.1.5:8443/device/security/policy>, NSLocalizedDescription=The server “192.168.1.5” did not accept the certificate.,
NSUnderlyingError=0xe2eb250 "The server “192.168.1.5” did not accept the certificate.", NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0xe6ab010>}
I understand I can implement the delegate method for the challenge for the NSURLAuthenticationMethodClientCertificate protection space, but if I do that I dont have the certificate to send, its installed on the device and that isnt accessible via code (is it??)
I tried calling [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge] but that appeared to have no effect.
I was expecting that NSURLConnection would behave as per safari and access the installed certificate, but it appears not. I dont want to have to install the certificate into my app somehow - thats what the built in certificate management is for!
Or am I missing something? Any help appreciated.
Fundamentally you can't get at globally installed certificates from within an app in iOS (as of iOS 8), and the operating system won't help you out by sending them with an NSURLConnection. Safari has special rights to access the certificates. So the only way to use them from within an app is to install them into the app somehow, which makes the whole thing difficult.