First of all, I know there are a ton of similar questions, but none that I've seen seems to address my setup (nor any solution I found works). So bear with me...
My server host name is an IP address, not a domain name
(i.e., URL looks like: https://XXX.YYY.ZZZ.WWW:9443/etc...).
My server has a real certificate (i.e., not self signed).
My app's plist entry NSAppTransportSecurity dictionary is empty (no exceptions whatsoever - factory settings ATS).
This is production code and I can not disable ATS (nor do I think I could, given that exceptions only work with explicit domain names, not IP addresses).
(Testing on iOS 9, deployment target is iOS 8.x)
I am getting this error when I try to connect:
CFNetwork SSLHandshake failed (-9806) NSURLSession/NSURLConnection
HTTP load failed (kCFStreamErrorDomainSSL, -9806)
Error: An SSL error has occurred and a secure connection to the server cannot be made.
(Device and Simulator)
I tried to command line tool nscurl described here. I get:
Default ATS Secure Connection: CFNetwork SSLHandshake failed (-9806)
Allowing Arbitrary Loads: NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813) ("The certificate for this server is invalid. You might be connecting to a server that is pretending to be “XXX.YYY.ZZZ.WWW” which could put your confidential information at risk.")
Configuring TLS exceptions for XXX.YYY.ZZZ.WWW: (TLS 1.2, 1.1 and 1.0) CFNetwork SSLHandshake failed (-9806)
Disabling Perfect Forward Secrecy: CFNetwork SSLHandshake failed (-9801)
Disabling Perfect Forward Secrecy and Allowing Insecure HTTP: CFNetwork SSLHandshake failed (-9801)
TLSv1.2 with PFS disabled: CFNetwork SSLHandshake failed (-9801)
TLSv1.1 with PFS disabled: CFNetwork SSLHandshake failed (-9801)
TLSv1.0 with PFS disabled: NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
TLSv1.2 with PFS disabled and insecure HTTP allowed: CFNetwork SSLHandshake failed (-9801)
...you get the drill.
I am having checked which TLS version the server supports (that is the biggest suspect, as far as I've researched), but perhaps there is something else I need to fix/check on the client side?
I think you need to inspect the cert on your server. You should be able to use the openssl client to investigate your certificate and get your server's ssl config:
openssl s_client -connect XXX.YYY.ZZZ.WWW:9443
You should get some details about the cert
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: //
Session-ID-ctx:
Master-Key: //
Key-Arg : None
Start Time: 1449693038
Timeout : 300 (sec)
Verify return code: 0 (ok)
Or, you can use a website like symantec to query the cert and see if you have met the requirements of TLS1.2, a strong enough key, and forward secrecy.
Also, you could try turning on CFNetwork Diagnostic Logging. Edit the Xcode scheme and add the CFNETWORK_DIAGNOSTICS environment variable. Set the logging level to 3 which is the most verbose:
The Xcode console shows the location of the log file:
CFNetwork diagnostics log file created at: /private/var/mobile/Containers/
Data/Application/A3421F00-451A-CD70-1B82-B163D1A3BB0F/Library/Logs/
CrashReporter/CFNetwork_com.sample.app_118.nwlrb.log
You could look into those logs to see if there is any more information as to why the network calls are failing.
Related
I am trying to login to docker repository using https proxy
i am getting error of
proxyconnect tcp: tls: first record does not look like a TLS handshake
when inspecting the proxy
openssl s_client -connect
CONNECTED(00000003)
139776809346960:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 7 bytes and written 289 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1646054120
Timeout : 300 (sec)
Verify return code: 0 (ok)
what can cause the issue?
I'm currently developing a React-Native app (first for IOS) and I have to do an API request on a FHIR connector (medical standard). This API uses a TLS certificate generated by the PKI of my state that is by default not trusted by IOS. I added manually the root certificate G1, the second certificate G2, and the certificate of the API URL.
After it, I trusted the Root certificate using this explanation of the apple support : https://support.apple.com/en-us/HT204477
From now I thought that it was ready to be used and I checked with Chrome and now I have the following error: NET::ERR_CERT_VALIDITY_TOO_LONG
I don't have access to the PKI so I can't generate a certificate with a lowest validity time. After some research I found this :
https://support.apple.com/en-us/HT210176
That explains the requirements of certificate TLS to be validated by the OS. I thought that there is no solution except generate a new certificate but I found this :
https://support.apple.com/en-us/HT211025
That explains that the certificate installed manually by a user doesn't have to respect the validity of 398 days.
I'm a bit confuse ...
My certificate validity time is 10 years.
My application React-native work fine with http, but i have the following error with https :
[connection] nw_socket_handle_socket_event [C7:1] Socket SO_ERROR [61: Connection refused]
[connection] nw_connection_get_connected_socket [C7] Client called nw_connection_get_connected_socket on unconnected nw_connection
TCP Conn 0x2835e42c0 Failed : error 0:61 [61]
[native] [GESTURE HANDLER] Initialize gesture handler for root view <RCTRootContentView: 0x106d05890; reactTag: 11; frame = (0 0; 834 1194); gestureRecognizers = <NSArray: 0x280c16640>; layer = <CALayer: 0x280303060>>
Connection 12: default TLS Trust evaluation failed(-9807)
Connection 12: TLS Trust encountered error 3:-9807
Connection 12: encountered error(3:-9807)
Connection 12: unable to determine interface type without an established connection
Task <344A51D7-3F78-47DF-94E4-4A70D6B4E026>.<4> HTTP load failed, 0/0 bytes (error code: -1202 [3:-9807])
Task <344A51D7-3F78-47DF-94E4-4A70D6B4E026>.<4> finished with error [-1202] Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “<API URL REQUEST>” which could put your confidential information at risk." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=(
"<cert(0x104814000) s: <API URL CERTIF> i: <CERTIF G2>>",
"<cert(0x104811000) s: <CERTIF G2> i: <CERTIF ROOT G1>>",
"<cert(0x10488d000) s: <CERTIF ROOT G1> i: <CERTIF ROOT G1>>"
), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=<API URL>, NSErrorFailingURLStringKey=<API UTL>, NSUnderlyingError=0x280c36310 {Error Domain=kCFErrorDomainCFNetwork Code=-1202 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x2830f7330>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9807, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9807, kCFStreamPropertySSLPeerCertificates=(
"<cert(0x104814000) s: <API URL CERTIF> i: <CERTIF G1>>",
"<cert(0x104811000) s: <CERTIF G2> i: <CERTIF G1>",
"<cert(0x10488d000) s: <CERTIF G1> i: <CERTIF G1>"
)}},
The question is : Am i doing something wrong or is there any way to use this certificate (10 years validity time) for my application ?
Thank you for helping me
If you are using a self signed cert, you have to enable your IOS device to trust it:
For this, open again the iOS Settings app. Then navigate to “General” > “About” > “Certificate Trust Settings”. In the section “Enable Full Trust for Root Certificates”, enable your root certificate. With this, your app can connect now with the self-signed certificate to the backend.
I finally had access to the PKI to generate a TLS certificate with a shorter validity time and this solved my problem. Now the certificate is accepted by IOS.
I strongly think that there is no other solutions.
we recently upgraded our solace VMR to pub sub+, I am trying to configure rest delivery point using SSL. I created a rest consumer and set authentication schema as client-certificate, it is not taking and displaying as none. I did all this from CLI.The ssl settings looks good default cipher and trusted CN. the rest consumer was down with failure reason " Remote SSL handshake failed: sslv3 alert handshake failure"
I suspect solace is not sending certificate when it is trying to connect. Any thoughts on setting Authentication scheme as client-certificate?
Check that the rest-consumer is configured correctly to use SSL, and to authenticate with client-certificate. The CLI commands are:
show message-vpn <vpn_name> rest rest-consumer <rest-consumer_name> authentication
show message-vpn <vpn_name> rest rest-consumer <rest-consumer_name> detail
Also, check that the CA of the remote host certificate is trusted with CLI command:
show certificate-authority ca-name * cert
At the minimum, the root issuer of the remote host certificate must be one of the configured certificate-authorities in that CLI command.
If those check out, ensure that the remote endpoint is indeed requesting client-certificates in the first place. You can check the raw packets on the wire with Wireshark:
Internet Protocol Version 4, Src: <remote-host-ip>, Dst: <solace-ip>
...
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Server Hello
Content Type: Handshake (22)
...
TLSv1.2 Record Layer: Handshake Protocol: Certificate
Content Type: Handshake (22)
...
TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
Content Type: Handshake (22)
...
TLSv1.2 Record Layer: Handshake Protocol: Multiple Handshake Messages
Content Type: Handshake (22)
...
Handshake Protocol: Certificate Request
Handshake Type: Certificate Request (13)
Then, you should see a client certificate response from the Solace container:
Internet Protocol Version 4, Src: <solace-ip>, Dst: <remote-host-ip>
...
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Certificate
Content Type: Handshake (22)
...
Handshake Protocol: Certificate
Handshake Type: Certificate (11)
...
Certificates (xxx bytes)
...
Certificate (...,id-at-commonName=...)
2015-11-04 15:17:23.236 Testing[2504:80857] CFNetwork SSLHandshake failed (-9824)
2015-11-04 15:17:23.237 Testing[2504:80858] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
I did a little testing app with only a web view to show contents of this website:
https://ripemobileapps.com
Server supports SSL, TLS v1.2 and has GeoTrust certificate.
Test on https://www.ssllabs.com/ssltest/ gives A- grade SSL.
I really don't know what else can I do to open it. If I try to open https://www.google.com it works fine. For sake what else apple demands?
Use the nscurl command provided to test this. It will test all ATS settings.
nscurl --verbose --ats-diagnostics https://ripemobileapps.com
I have setup nodejs for SSL with certificates from ssls.com. When I run tests from the browser my certificates are found and things seem okay (excepting a couple of vulnerabilities are shown). I'm using sites like:
https://www.sslshopper.com/ssl-checker.html
https://www.ssllabs.com/ssltest/analyze.html
Notwithstanding I'm having trouble getting my IOS app to connect using a websockets library.
When I run this new diagnostic command:
nscurl --ats-diagnostics https://<mydomain.com> I get
nscurl[4714:325661] CFNetwork SSLHandshake failed (-9806)
nscurl[4714:325661] NSURLSession/NSURLConnection HTTP load failed
(kCFStreamErrorDomainSSL, -9806)
The more detailed log file doesn't seem to give much more info:
Error: Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)"
UserInfo={_kCFStreamPropertySSLClientCertificateState=0,
_kCFNetworkCFStreamSSLErrorOriginalValue=-9806, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9806}
Any ideas?