I am a developer of a React Native application for iOS.
When I perform an HTTPS request via a React fetch invocation, I get this exception.
2017-08-01 09:18:07.199 [info][tid:com.facebook.react.JavaScript]
'REQUEST_DATA: ', { method: 'GET',
headers:
{ Accept: 'application/json',
'Content-Type': 'application/json',
credentials: 'include',
Authorization: 'Basic MzI1MjM0NTo1MjU0' } }
2017-08-01 09:18:07.200 [info][tid:com.facebook.react.JavaScript] 'REQUEST_URL: ', 'https://10.36.6.186/mwprb/rest/personnel-number'
2017-08-01 09:18:07.287393+0300 MobileApp[2954:1413289] [] nw_coretls_callback_handshake_message_block_invoke_3 tls_handshake_continue: [-9812]
2017-08-01 09:18:07.287 UFSConfirmationMobile[2954:1411062] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
2017-08-01 09:18:07.291 [info][tid:com.facebook.react.JavaScript] 'GET ERROR: ', { [TypeError: Network request failed]
line: 29785,
column: 21,
sourceURL: 'http://localhost:8081/index.ios.bundle?platform=ios&dev=true&minify=false' }
For developer purposes I want to ignore HTTPS security. According to this guide (https://developer.apple.com/library/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW40) I added flags to my Info.plist file. Now it looks like this:
<plist version="1.0">
<dict>
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
.....
I checked via [[[NSBundle mainBundle] infoDictionary] objectForKey:@"NSAppTransportSecurity"] that my changes were applied, but I still get these exceptions.
I also tried to use NSExceptionDomains
NSIncludesSubdomains
NSExceptionAllowsInsecureHTTPLoads
NSExceptionRequiresForwardSecrecy
NSExceptionMinimumTLSVersion
NSThirdPartyExceptionAllowsInsecureHTTPLoads
NSThirdPartyExceptionMinimumTLSVersion
NSThirdPartyExceptionRequiresForwardSecrecy
with these keys for the domain, but that doesn't help either.
I run my app on an iPad Air simulator (iOS 10.3) in Xcode 8.3.3.
HTTPS on the URL works over TLS 1.2.
Related
I have a local server running on Laravel Homestead:
https://laravel.com/docs/5.3/homestead
Homestead comes pre-packaged with an SSL certificate and I make all my requests through HTTPS. However, when trying to make a request from my iOS app, I get the following error:
ATS failed system trust
Connection 3: system TLS Trust evaluation failed(-9802)
Connection 3: TLS Trust encountered error 3:-9802
Connection 3: encountered error(3:-9802)
Task <892C4896-1D02-4465-AF06-D7534BE39828>.<1> HTTP load failed, 0/0 bytes (error code: -1200 [3:-9802])
Task <892C4896-1D02-4465-AF06-D7534BE39828>.<1> finished with error [-1200] Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=(
"<cert(0x7fc76e82d800) s: mydomain.test i: Homestead homestead Root CA>"
)
I've added the following to my Info.plist:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsLocalNetworking</key>
<true/>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
After reading some articles and GitHub issues on SSL pinning through Alamofire and Moya, I've also done the following:
let evaluators: [String: ServerTrustEvaluating] = [
"mydomain.test": DisabledEvaluator()
]
let manager = ServerTrustManager(evaluators: evaluators)
let session = Session(serverTrustManager: manager)
let provider = MoyaProvider<T>(session: session, plugins: [NetworkLoggerPlugin(verbose: true)])
I also installed the certificate on my Mac and set it to "Always Trust", but I still get the error when I run my iOS app.
What am I doing wrong? What am I missing?
This is my solution; it may not completely answer your question.
I don't use a URL like "myweb.local". I used the direct IP and changed the port for the app in development. When you use a port, you will not need SSL.
Example:
127.0.0.1:8000
I'm trying to connect to my server, which has a custom CA root certificate.
I can connect to the server with this code in my custom AFURLSessionManager
NSSet *certificatesSet = [CryptoProCSP sharedInstance].certsContextSet;
AFSecurityPolicy *securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey withPinnedCertificates:certificatesSet];
securityPolicy.allowInvalidCertificates = true;
securityPolicy.validatesDomainName = false;
self.securityPolicy = securityPolicy;
but I'm getting this error
[] nw_coretls_read_one_record tls_handshake_process: [-9801]
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)
[Error] POST '(null)' (0) [0.8155 s]: Error Domain=NSURLErrorDomain Code=-1200
"An SSL error has occurred and a secure connection to the server cannot be made."
I've already changed my plist.info
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
<key>NSExceptionDomains</key>
<dict>
<key>domain.com</key>
<dict>
<key>NSExceptionMinimumTLSVersion</key>
<string>1.2</string>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>
</dict>
</dict>
</dict>
and the server has TLS v1.2
I know the problem is different cipher suites, I saw the handshake, but how can I customise my request to use the necessary cipher suites? I'm sending the certificate, but that's not enough. The TLS connection failed because of different cipher suites.
I searched a lot about my issue and I tried different solutions, but they don't work :/
Link to what I tried:
NSURLSession/NSURLConnection HTTP load failed on iOS 9
2016-06-24 10:51:56.760 <App Name>[1817:1004680] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
UPDATE
After adding the lines below:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
I get this error:
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
But when I follow the Apple developer introduction, everything should be fine:
nscurl --ats-diagnostics --verbose result
I figured it out. I had to add the following lines in Classes/AppDelegate.m above the @implementation AppDelegate:
@implementation NSURLRequest(DataController)
// Category override of a private NSURLRequest class method: every HTTPS certificate is accepted for every host.
+ (BOOL)allowsAnyHTTPSCertificateForHost:(NSString *)host {
    return YES;
}
@end
What I'm using:
cordova version 5.3.3
platform: ios 4.2.0
helpful link: NSURLConnection/CFURLConnection HTTP load failed ionic
I've got an iOS app which uses SSL/HTTPS to communicate with a server. The server is providing a certificate that works over TLSv1.2 (the main requirement of App Transport Security). An example URL that demonstrates this (where the TLSv1.2 can be verified by checking the certificate) is https://api.branon.co.uk/checkOnline.
However, the app is throwing errors relating to the App Transport Layer - errors that, when Googled - imply it's because the server isn't working over TLSv1.2. An example error is:
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
and:
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
I even added a bunch of exceptions to the plist file, such as:
<dict>
<key>NSExceptionDomains</key>
<dict>
<key><my top level domain - the app uses a subdomain - allowed below></key>
<dict>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSTemporaryExceptionMinimumTLSVersion</key>
<string>TLSv1.1</string>
</dict>
</dict>
</dict>
</plist>
but this doesn't change the result.
The certificate used is a free certificate issued from StartCom. My nginx config is below (just for reference).
server {
    listen [::]:443 ssl;
    listen 443 ssl;
    ssl on;
    ssl_certificate /root/ssl/<domain>.crt;
    ssl_certificate_key /root/ssl/server.key;
    server_name api.<domain>;
    access_log /var/log/nginx/api.access.log;
    error_log /var/log/nginx/api.error.log;
    location ~ ^/([a-zA-Z]+)$ {
        proxy_pass http://127.0.0.1:5000/$1;
    }
}
Does anybody have any idea why this is happening?
Thanks!
Update:
Following the results of @Paulw11's suggested test (below) running nscurl, I decided just to try disabling App Transport Security entirely. I changed the App Transport Security dictionary in my plist to the below:
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
and am still getting the same error! So if it's not App Transport Security, what could be causing this? That error I'm getting again is:
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
The server does not provide a complete certificate chain in its SSL/TLS handshake. While some clients can handle this and build out a trust chain, others cannot.
You can find the missing intermediate certificate via https://whatsmychaincert.com/?api.branon.co.uk and serve it along with your site's certificate in your SSL configuration in nginx.
Do remember to remove any ATS exceptions that you may have put in place!
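The incomplete-chain failure described in the answer above, reproduced offline as an added example (not part of the original answer): a constructed root, intermediate and leaf are generated with openssl, and the leaf is verified once as served alone and once as the leaf-first bundle that nginx's ssl_certificate would point to. The function names, file names and the host api.example.test are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example. Constructed throwaway PKI; every name and path is hypothetical.
set -eu

# issue NAME CN EXTFILE [ISSUER]: make a key and CSR, then sign the CSR with
# ISSUER's key, or self-sign it when no ISSUER is given (the root CA).
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    if [ -n "${4:-}" ]; then
        openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" \
            -set_serial 1 -days 2 -extfile "$3" -out "$1.crt" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -signkey "$1.key" \
            -days 2 -extfile "$3" -out "$1.crt" 2>/dev/null
    fi
}

# build_pki DIR: root -> intermediate -> leaf, plus the two files a server
# could be configured with: the bare leaf and a leaf-first bundle.
build_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$1/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:api.example.test\n' > "$1/leaf.ext"
    issue "$1/root" "Example Root CA" "$1/ca.ext"
    issue "$1/int" "Example Intermediate CA" "$1/ca.ext" "$1/root"
    issue "$1/leaf" "api.example.test" "$1/leaf.ext" "$1/int"
    # nginx's ssl_certificate expects the server certificate first, then intermediates
    cat "$1/leaf.crt" "$1/int.crt" > "$1/fullchain.crt"
}

# served_chain_ok ROOT SERVED: verify the first certificate in SERVED against
# the trusted ROOT, with only the certificates in SERVED available as
# intermediates. This models a client that does not fetch missing issuers.
served_chain_ok() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

dir=$(mktemp -d)
build_pki "$dir"
for served in leaf.crt fullchain.crt; do
    if served_chain_ok "$dir/root.crt" "$dir/$served"; then
        echo "$served: chain verifies"
    else
        echo "$served: chain incomplete, intermediate missing"
    fi
done
rm -rf "$dir"
```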
The format of the keys I use to allow older versions of TLS (for amazonaws, for example) looks like this:
<key>NSIncludesSubdomains</key>
<string>NO</string>
<key>NSThirdPartyExceptionMinimumTLSVersion</key>
<string>TLSv1.1</string>
<key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
<string>NO</string>
The rest of the structure looks the same. At one point, we had this at the root level.
<key>NSExceptionMinimumTLSVersion</key>
<string>TLSv1.0</string>
I'm testing an app in iOS9 and getting SSL errors with ATS loading images from amazon.com. All my stuff is being delivered over https but I'm still having issues.
I've added the correct ATS keys (worked on another app).
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>amazonaws.com</key>
<dict>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>
<key>NSIncludesSubdomains</key>
<true/>
</dict>
</dict>
</dict>
I've been all over the forums, adc, and SO and I'm not having any luck.
I've tried removing ATS entirely, and I still get the same error.
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
Error:
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, NSErrorPeerCertificateChainKey={type = immutable, count = 3, values = (
0 :
1 :
2 :
)}, NSUnderlyingError=0x7ffe70e2c690 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSErrorFailingURLStringKey=https://redacted.s3.amazonaws.com/14B78421-84F1-48D1-A8F4-73B688102EE7-21502-00003598C1B6C883_thumbnail.jpg, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, kCFStreamPropertySSLPeerCertificates={type = immutable, count = 3, values = (
0 :
1 :
2 :
)}, _kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., _kCFStreamErrorDomainKey=3, NSErrorFailingURLKey=https://redacted.s3.amazonaws.com/14B78421-84F1-48D1-A8F4-73B688102EE7-21502-00003598C1B6C883_thumbnail.jpg, _kCFStreamErrorCodeKey=-9802}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://redacted.s3.amazonaws.com/14B78421-84F1-48D1-A8F4-73B688102EE7-21502-00003598C1B6C883_thumbnail.jpg, NSErrorFailingURLStringKey=https://redacted.s3.amazonaws.com/14B78421-84F1-48D1-A8F4-73B688102EE7-21502-00003598C1B6C883_thumbnail.jpg, NSErrorClientCertificateStateKey=0}
Static files: AWS Amazon
Host: Heroku
Backend: Django
APIs: Django Rest Framework
I've tried every configuration I could find on ATS, cleaned/reset/rebuilt, modified the Django requests (originally they included querystring authentication), etc. I'm stumped on this and blocked.
After I did a substring replace on https links -- I got the messages saying ATS was blocking them. I knew I had the correct keys in the Info.plist - so I figured it had to be another Info.plist somewhere.
It turns out that there was an Info.plist in the resources but it wasn't doing anything. We had to add the ATS keys to the Info tab on the Target panel. Not 100% sure what the difference is on these two as I've always edited the Info.plist in the past.
I had to add amazonaws.com to Info.plist like you did and to use the SDWebImageAllowInvalidSSLCertificates as an option for the sd_setImageWithURL: method to get it working.