I searched a lot about my issue and I tried different solution, but it doesn't work :/
Link what I tried:
NSURLSession/NSURLConnection HTTP load failed on iOS 9
2016-06-24 10:51:56.760 <App Name>[1817:1004680] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
UPDATE
After adding the lines below:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
I get this error:
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
But when I follow the introduction of developer apple everything should be fine:
nscurl --ats-diagnostics --verbose result
I figured it out. I had to add the following lines in Classes/AppDelegate.m above the #implementation AppDelegate:
#implementation NSURLRequest(DataController)
+ (BOOL)allowsAnyHTTPSCertificateForHost:(NSString *)host{
return YES;
}
#end
What I'm using:
cordova version 5.3.3
platform: iio 4.2.0
helpful link: NSURLConnection/CFURLConnection HTTP load failed ionic
Related
I am a developer of an react-native application for iOS.
When I perform HTTPS request via react fetch invocation I got this exception.
2017-08-01 09:18:07.199 [info][tid:com.facebook.react.JavaScript]
'REQUEST_DATA: ', { method: 'GET',
headers:
{ Accept: 'application/json',
'Content-Type': 'application/json',
credentials: 'include',
Authorization: 'Basic MzI1MjM0NTo1MjU0' } }
2017-08-01 09:18:07.200 [info][tid:com.facebook.react.JavaScript] 'REQUEST_URL: ', 'https://10.36.6.186/mwprb/rest/personnel-number'
2017-08-01 09:18:07.287393+0300 MobileApp[2954:1413289] [] nw_coretls_callback_handshake_message_block_invoke_3 tls_handshake_continue: [-9812]
2017-08-01 09:18:07.287 UFSConfirmationMobile[2954:1411062] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
2017-08-01 09:18:07.291 [info][tid:com.facebook.react.JavaScript] 'GET ERROR: ', { [TypeError: Network request failed]
line: 29785,
column: 21,
sourceURL: 'http://localhost:8081/index.ios.bundle?platform=ios&dev=true&minify=false' }
For developer purposes I want to ignore HTTPS security. According to this guide (https://developer.apple.com/library/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW40) I added flags to my Info.plist file. Now it looks like this:
<plist version="1.0">
<dict>
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
.....
I checked via [[[NSBundle mainBundle] infoDictionary] objectForKey:#"NSAppTransportSecurity"] that my changes were applied, but I still get this exceptions.
As well I tried to use NSExceptionDomains
NSIncludesSubdomains
NSExceptionAllowsInsecureHTTPLoads
NSExceptionRequiresForwardSecrecy
NSExceptionMinimumTLSVersion
NSThirdPartyExceptionAllowsInsecureHTTPLoads
NSThirdPartyExceptionMinimumTLSVersion
NSThirdPartyExceptionRequiresForwardSecrecy
with this keys for domain, but it doesn't help too.
I run my app on a simulator of iPad Air iOS 10.3 on Xcode 8.3.3,
https on url works over TLS 1.2
I get the following error message (which is identical every try)
2016-07-20 20:09:28.013 MyApp[1140:374263] CFNetwork SSLHandshake failed (-9806)
2016-07-20 20:09:28.014 MyApp[1140:374263] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9806)
error=Optional(Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9806, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x154dda750 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9806, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9806}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://example.com:8080/api/login, NSErrorFailingURLStringKey=https://example.com:8080/api/login, _kCFStreamErrorDomainKey=3})
The certificate is a validated one provided by letsencrypt. I have tested my web server configuration over and over, and everything seems to be like it should.
Running the command openssl s_client -connect example.com:8080/api/login -tls1_2 gives all the expected results:
-It verifies the authority as DST Root CA X3, which is included in Apples root CA list
-The return is code is Verify return code: 0 (ok)
I have also run several ssl diagnostic tool websites such as digicert, which has given no error results.
I can load the domain from Safari ON the iOS device, as well as chrome from my computer without having to accept "untrusted certificates".
Any suggestions?
In case anyone encounter something the same problem, ill answer my own question.
At the time of the question, Let's Encrypt (the CA of the certificate used) did not support forward secrecy for their https certificates (atleast not the one I got). Apple by default required this in the iOS version used at that time (I believe it was around 9.5, but I might be mistaken here).
To get around the requirement of forward secrecy, this can be specified in the Info.plist under domain exceptions.
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>example.com</key>
<dict>
<key>NSTemporaryExceptionRequiresForwardSecrecy</key>
<false/>
</dict>
</dict>
</dict>
Sometime along the road, they changed this to default land on false. I am not sure when this was, but after iOS 10.0 it was never a problem.
First of all, I know there are a ton of similar questions, but none that I've seen seems to address my setup (nor any solution I found works). So bear with me...
My server host name is an IP address, not a domain name
(i.e., URL looks like: https://XXX.YYY.ZZZ.WWW:9443/etc...).
My server has a real certificate (i.e., not self signed).
My app's plist entry NSAppTransportSecurity dictionary is empty (no exceptions whatsoever - factory settings ATS).
This is production code and I can not disable ATS (nor do I think I could, given that exceptions only work with explicit domain names, not IP addresses).
(Testing on iOS 9, deployment target is iOS 8.x)
I am getting this error when I try to connect:
CFNetwork SSLHandshake failed (-9806) NSURLSession/NSURLConnection
HTTP load failed (kCFStreamErrorDomainSSL, -9806)
Error: An SSL error has occurred and a secure connection to the server cannot be made.
(Device and Simulator)
I tried to command line tool nscurl described here. I get:
Default ATS Secure Connection: CFNetwork SSLHandshake failed (-9806)
Allowing Arbitrary Loads: NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813) ("The certificate for this server is invalid. You might be connecting to a server that is pretending to be “XXX.YYY.ZZZ.WWW” which could put your confidential information at risk.")
Configuring TLS exceptions for XXX.YYY.ZZZ.WWW: (TLS 1.2, 1.1 and 1.0) CFNetwork SSLHandshake failed (-9806)
Disabling Perfect Forward Secrecy: CFNetwork SSLHandshake failed (-9801)
Disabling Perfect Forward Secrecy and Allowing Insecure HTTP: CFNetwork SSLHandshake failed (-9801)
TLSv1.2 with PFS disabled: CFNetwork SSLHandshake failed (-9801)
TLSv1.1 with PFS disabled: CFNetwork SSLHandshake failed (-9801)
TLSv1.0 with PFS disabled: NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
TLSv1.2 with PFS disabled and insecure HTTP allowed: CFNetwork SSLHandshake failed (-9801)
...you get the drill.
I am having checked which TLS version the server supports (that is the biggest suspect, as far as I've researched), but perhaps there is something else I need to fix/check on the client side?
I think you need to inspect the cert on your server. You should be able to use the openssl client to investigate your certificate and get your server's ssl config:
openssl s_client -connect XXX.YYY.ZZZ.WWW:9443
You should get some details about the cert
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: //
Session-ID-ctx:
Master-Key: //
Key-Arg : None
Start Time: 1449693038
Timeout : 300 (sec)
Verify return code: 0 (ok)
Or, you can use a website like symantec to query the cert and see if you have met the requirements of TLS1.2, a strong enough key, and forward secrecy.
Also, you could try turning on CFNetwork Diagnostic Logging. Edit the Xcode scheme and add the CFNETWORK_DIAGNOSTICS environment variable. Set the logging level to 3 which is the most verbose:
The Xcode console shows the location of the log file:
CFNetwork diagnostics log file created at: /private/var/mobile/Containers/
Data/Application/A3421F00-451A-CD70-1B82-B163D1A3BB0F/Library/Logs/
CrashReporter/CFNetwork_com.sample.app_118.nwlrb.log
You could look into those logs to see if there is any more information as to why the network calls are failing.
2015-11-04 15:17:23.236 Testing[2504:80857] CFNetwork SSLHandshake failed (-9824)
2015-11-04 15:17:23.237 Testing[2504:80858] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
I did a little testing app with only a web view to show contents of this website:
https://ripemobileapps.com
Server supports SSL, TLS v1.2 and has GeoTrust certificate.
Test on https://www.ssllabs.com/ssltest/ gives A- grade SSL.
I really don't know what else can I do to open it. If I try to open https://www.google.com it works fine. For sake what else apple demands?
Use the nscurl command provided to test this. It will test all ATS settings.
nscurl --verbose --ats-diagnostics https://ripemobileapps.com
I have setup nodejs for SSL with certificates from ssls.com. When I run tests from the browser my certificates are found and things seem okay (excepting a couple of vulnerabilities are shown). I'm using sites like:
https://www.sslshopper.com/ssl-checker.html
https://www.ssllabs.com/ssltest/analyze.html
Notwithstanding I'm having trouble getting my IOS app to connect using a websockets library.
When I run this new diagnostic command:
nscurl --ats-diagnostics https://<mydomain.com> I get
nscurl[4714:325661] CFNetwork SSLHandshake failed (-9806)
nscurl[4714:325661] NSURLSession/NSURLConnection HTTP load failed
(kCFStreamErrorDomainSSL, -9806)
The more detailed log file doesn't seem to give much more info:
Error: Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)"
UserInfo={_kCFStreamPropertySSLClientCertificateState=0,
_kCFNetworkCFStreamSSLErrorOriginalValue=-9806, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9806}
Any ideas?