Develop Reference

SSL failing with Allow Arbitrary Loads = false

As per my requirement i should not make Allow Arbitrary Loads = true. So i set to false.
And i am allowing the trust certificate on my URLsession delegate.
My url : https://sample-app.10.names.io
code :
public func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge, completionHandler: #escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
//Trust the certificate even if not valid
let urlCredential = URLCredential(trust: challenge.protectionSpace.serverTrust!)
completionHandler(.useCredential, urlCredential)
}
My error :
Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?,
If I make Allow Arbitrary Loads = true, then only its working. But as per my requirement i should not change to true. Any suggestion would be helpful.
Thanks
Update:
I tried this below too :
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>https://sample-app.10.names.io</key>
<dict>
<!--Include to allow subdomains-->
<key>NSIncludesSubdomains</key>
<true/>
<!--Include to allow HTTP requests-->
<key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
<true/>
<!--Include to specify minimum TLS version-->
<key>NSTemporaryExceptionMinimumTLSVersion</key>
<string>TLSv1.1</string>
</dict>
</dict>
</dict>

You can use the terminal command
nscurl --ats-diagnostics --verbose https://sample-app.10.names.io
to test your server for ATS compliance.
Doing so reveals that your server only passes when perfect forward secrecy is disabled. It would seem that your server does not support ECDHE ciphers.
You can configure ATS to ignore the perfect forward secrecy requirement by specifying NSExceptionRequiresForwardSecrecy in your ATS configuration exception domains, but really you should patch your server to use newer TLS code. Otherwise it is vulnerable to replay MITM attacks.

If you are actively using Alamofire in your project, I suggest you use the built-in Session that can be configured to use your server trust certificate without much hassle. Here is some code on how it is setup in one of my projects.
class SessionManagerProvider {
// MARK: - State
let hosts: [String]
let disableEvaluation: Bool
// MARK: - Init
init(urls: [URL], disableEvaluation: Bool = false) {
hosts = urls.compactMap { $0.host }
self.disableEvaluation = disableEvaluation
}
// MARK: - Factory
func make() -> Session {
// Configure network client with SSL pinning.
let configuration = URLSessionConfiguration.af.default
configuration.timeoutIntervalForRequest = Constants.Backend.timeoutIntervalForRequest
configuration.timeoutIntervalForResource = Constants.Backend.timeoutIntervalForResource
// Allow more connections than API requests to avoid an issue, when URLSession starts to
// time-out requests when there are too many connections.
configuration.httpMaximumConnectionsPerHost = Constants.maxConcurrentApiCalls * 2
let policies = serverTrustPolicies(disableEvaluation: disableEvaluation)
let securityManager = ServerTrustManager(evaluators: policies)
let sessionManager = Session(configuration: configuration, serverTrustManager: securityManager)
return sessionManager
}
private func serverTrustPolicies(disableEvaluation: Bool) -> [String: ServerTrustEvaluating] {
var policies: [String: ServerTrustEvaluating] = [:]
for host in hosts {
if disableEvaluation {
policies[host] = DisabledTrustEvaluator()
} else {
policies[host] = PublicKeysTrustEvaluator(
performDefaultValidation: true,
validateHost: true
)
}
}
return policies
}
}

IOS - CredStore - performQuery - Error copying matching creds

I am getting the erro below when i try to call the custom API that i have, i am using alamofire
let API_URL = "https://localhost:5001/api"
func registerNewUser(parameters: Parameters) {
let urlString = API_URL + "/register/PostTest"
let url = URL.init(string: urlString)
print("URL: \(url!)")
Alamofire.request(url!, method: .post, parameters: parameters, encoding: JSONEncoding.default, headers: nil).debugLog().responseJSON{ //--> point of failure
response in
if response.result.isSuccess {
print("Success! the request to the API is successful")
let userJson : JSON = JSON(response.result.value!)
print(userJson)
} else {
print("Error \(response.result.error!)")
}
}
}
info.plist file
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>https://localhost</key>
<dict>
<!--Include to allow subdomains-->
<key>NSIncludesSubdomains</key>
<true/>
<!--Include to allow HTTP requests-->
<key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
<true/>
<!--Include to specify minimum TLS version-->
<key>NSTemporaryExceptionMinimumTLSVersion</key>
<string>TLSv1.1</string>
</dict>
</dict>
</dict>
The Error is:
CredStore - performQuery - Error copying matching creds. Error=-25300, query={
class = inet;
"m_Limit" = "m_LimitAll";
ptcl = htps;
"r_Attributes" = 1;
sdmn = localhost;
srvr = localhost;
sync = syna;
}

Certificate Invalid Issue with Alamofire 4.0

I am trying to consume web services for my iOS app over https. The web server uses a self signed certificate.
When consuming the web service, I get the error “certificate is Invalid”.
FAILURE: Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “portal” which could put your confidential information at risk."
I know the best practise is to fix this at the server side to enable a trusted root CA. But as this is a temporary development environment, we are using a self signed certificate.
Since this is ATS issue, I have edited ATS in my info.plist as below.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>devportal</key>
<dict>
<key>NSTemporaryExceptionMinimumTLSVersion</key>
<string>TLSv1.2</string>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
</dict>
</dict>
<key>NSAllowsArbitraryLoads</key>
<false/>
</dict>
</plist>
As the NSException domains doesn’t work with IP and port number, I have created a host entry in my etc/hosts file for the web server IP and consuming it like https://devportal:8443/rest/login instead of consuming it as https://192.22.xx.xxx:8443/rest/login
I have followed alamofire documentation on server trust policies, edited ATS to allow exception domains but nothing worked out for me. I have spent over 3 days on this issue. Am I missing something? Does anybody faced a similar issue? Is there any solution for this? Thanks in advance
I am using almofire 4.0, Xcode 8.0. Below is my code.
class LoginService{
private static var Manager: Alamofire.SessionManager = {
let pathToCert = Bundle.main.path(forResource: "192.22.xx.xxx", ofType: "crt") // Downloaded this certificate and have added to my bundle
let localCertificate:NSData = NSData(contentsOfFile: pathToCert!)!
// Create the server trust policies
let serverTrustPolicies: [String: ServerTrustPolicy] = [
"192.22.xx.xxx": .pinCertificates(
certificates: [SecCertificateCreateWithData(nil, localCertificate)!],
validateCertificateChain: true,
validateHost: true
),
"devportal:8443": .disableEvaluation
]
// Create custom manager
let configuration = URLSessionConfiguration.default
configuration.httpAdditionalHeaders = Alamofire.SessionManager.defaultHTTPHeaders
let manager = Alamofire.SessionManager(
configuration: URLSessionConfiguration.default,
serverTrustPolicyManager: ServerTrustPolicyManager(policies: serverTrustPolicies)
)
return manager
}()
/**
Calls the Login Web Service to authenticate the user
*/
public func login(username:String, password: String){
let parameters = [
"username": "TEST",
"password": "PASSWORD",
]
let header: HTTPHeaders = ["Accept": "application/json"]
LoginService.Manager.request("https://devportal:8443/rest/login", method: .post, parameters: parameters, encoding: JSONEncoding(options: []),headers :header).responseJSON { response in
debugPrint(response)
if let json = response.result.value {
print("JSON: \(json)")
}
}
}
}

I modified my code like below and it worked. I referred Swift: How to Make Https Request Using Server SSL Certificate for fixing this issue.
class LoginService{
private static var Manager: Alamofire.SessionManager = {
// Create the server trust policies
let serverTrustPolicies: [String: ServerTrustPolicy] = [
"devportal:8443": .disableEvaluation
]
// Create custom manager
let configuration = URLSessionConfiguration.default
configuration.httpAdditionalHeaders = Alamofire.SessionManager.defaultHTTPHeaders
let manager = Alamofire.SessionManager(
configuration: URLSessionConfiguration.default,
serverTrustPolicyManager: ServerTrustPolicyManager(policies: serverTrustPolicies)
)
return manager
}()
/**
Calls the Login Web Service to authenticate the user
*/
public func login(username:String, password: String){
// Handle Authentication challenge
let delegate: Alamofire.SessionDelegate = LoginService.Manager.delegate
delegate.sessionDidReceiveChallenge = { session, challenge in
var disposition: URLSession.AuthChallengeDisposition = .performDefaultHandling
var credential: URLCredential?
if challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust {
disposition = URLSession.AuthChallengeDisposition.useCredential
credential = URLCredential(trust: challenge.protectionSpace.serverTrust!)
} else {
if challenge.previousFailureCount > 0 {
disposition = .cancelAuthenticationChallenge
} else {
credential = LoginService.Manager.session.configuration.urlCredentialStorage?.defaultCredential(for: challenge.protectionSpace)
if credential != nil {
disposition = .useCredential
}
}
}
return (disposition, credential)
}
//Web service Request
let parameters = [
"username": "TEST",
"password": "PASSWORD",
]
let header: HTTPHeaders = ["Accept": "application/json"]
LoginService.Manager.request("https://devportal:8443/rest/login", method: .post, parameters: parameters, encoding: JSONEncoding(options: []),headers :header).responseJSON { response in
debugPrint(response)
if let json = response.result.value {
print("JSON: \(json)")
}
}
}
}
You should also configure your plist as below
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>devportal</key>
<dict>
<key>NSTemporaryExceptionMinimumTLSVersion</key>
<string>TLSv1.2</string>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
</dict>
</dict>
<key>NSAllowsArbitraryLoads</key>
<false/>
</dict>
</plist>
Do not enter IP or port numbers in your NSExceptiondomains. It won't
work. If you are trying to connect to a web server with IP address,
map the IP address to a domain by adding a host entry in etc/hosts
file in your mac and then use the domain name in NSExceptionDomains
IMPORTANT: Do not use this code in production as this puts your users
information at risk, by bypassing auth challenge.

Not suggesting for production use-cases
//Use this manager class
class APIManager {
static var Manager: Alamofire.Session = {
let manager = ServerTrustManager(evaluators: ["your endpoint": DisabledTrustEvaluator()])
let session = Session(serverTrustManager: manager)
return session
}()
}
//Call APIs using this manager
APIManager.Manager.request("API")

How to send NSData as parameter in POST method swift

I'm trying to send a PDF file's NSData to server as a parameter in POST method, by converting PDF into NSData and then NSData to String,
let paths = NSSearchPathForDirectoriesInDomains(.DocumentDirectory, .UserDomainMask, true)[0] as NSString
let getPDFPath = paths.stringByAppendingPathComponent("resume.pdf")
let pdfdata = NSData(contentsOfFile: getPDFPath)
let dataString: String? = "\(pdfdata!)"
And uploading as parameter using NSURLSession like this,
let request = NSMutableURLRequest(URL: NSURL(string: "http://someurl/pdf.aspx")!)
request.HTTPMethod = "POST"
let postString = "pdfdata=\(dataString!)"
request.HTTPBody = postString.dataUsingEncoding(NSUTF8StringEncoding)
let task = NSURLSession.sharedSession().dataTaskWithRequest(request) { data, response, error in
guard error == nil && data != nil else { // check for fundamental networking error
print("error=\(error)")
return }
if let httpStatus = response as? NSHTTPURLResponse where httpStatus.statusCode != 200 { // check for http errors
print("statusCode should be 200, but is \(httpStatus.statusCode)")
print("response = \(response)")
}
let responseString = NSString(data: data!, encoding: NSUTF8StringEncoding)
print("responseString = \(responseString)")
}
task.resume()
But it's always giving me Error :
Error Domain=NSURLErrorDomain Code=-1005 "The network connection was
lost." UserInfo={NSUnderlyingError=0x7f8d63f34250 {Error
Domain=kCFErrorDomainCFNetwork Code=-1005 "(null)"
UserInfo={_kCFStreamErrorCodeKey=-4, _kCFStreamErrorDomainKey=4}},
NSErrorFailingURLStringKey=http://someurl/pdf.aspx,
NSErrorFailingURLKey=http://someurl/pdf.aspx,
_kCFStreamErrorDomainKey=4, _kCFStreamErrorCodeKey=-4, NSLocalizedDescription=The network connection was lost.}
Things i have tried:
Restarting Simulator
Reset All settings of Simulator
Same error with Alamofire
Tried different Simulators
App Transport Security is YES in info.plist
Only one PDF file (which is 21kb) gets uploaded, others not

It looks like your App Transport Security settings don't allow you to go to the specified URL.
Insert this in your app's plist file:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>

Since iOS9 you are required to use https only for security reasons. You may edit the Info.plist file and add an exception for your domain.
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>yourdomain.com</key>
<dict>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSIncludesSubdomains</key>
<true/>
</dict>
</dict>
</dict>
Read more about App Transport Security here:
https://developer.apple.com/library/prerelease/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW33

Updating iOS 8 -> iOS 9 (New version of Swift) Causes REST API Issues (401 Error) using Alamofire

After I updated my code from iOS 8 to iOS 9, my alamofire rest calls started giving me 401 errors. The code works perfectly fine in iOS 8 but not in iOS 9.
Thanks for the help.
The fullUrl and token variables are set correctly.
let fullUrl = Config.baseUrl + endpoint
let manager = Manager.sharedInstance
manager.session.configuration.HTTPAdditionalHeaders = [
"Content-Type": "application/json",
"Authorization": "Basic \(token)"
]
manager.request(.GET, fullUrl).response {
(request, response, data, error) in
if let response = response {
print("GET REQUEST: \(response.statusCode)")
print(response.debugDescription)
// print(response.description)
if response.statusCode == 200 ||
response.statusCode == 201 {
let json = JSON(data: data!)
success?(json: json)
}
else if response.statusCode == 403 {
UserInfo.logOut()
failure?(error: .ExpiredToken)
}
else {
failure?(error: .InvalidLogin)
}
} else {
failure?(error: .ConnectionUnavailable)
// self.log(request, res: response, err: error)
}
}
In my info.plist I have also added the code to handle App Transport Security
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
</dict>
Please let me know if there is any confusion with the question.

You might be running into the same issue I had: https://github.com/Alamofire/Alamofire/issues/798
Your URL might return a redirect, in wich case the "Authorization"-Header is not passed along. You can test this when you look at the data sent over the network using Wireshark or a similar tool.
If you don't want to do the network debugging, you can just try the following and see if you're request work.
BTW: You should not use HTTPAdditionalHeaders.
Try this:
// Configure special-handling of redirects (you only need to do this once)
Alamofire.Manager.sharedInstance.delegate.taskWillPerformHTTPRedirection = { session, task, response, request in
var redirectedRequest = request
if let
originalRequest = task.originalRequest,
headers = originalRequest.allHTTPHeaderFields,
authorizationHeaderValue = headers["Authorization"]
{
let mutableRequest = request.mutableCopy() as! NSMutableURLRequest
mutableRequest.setValue(authorizationHeaderValue, forHTTPHeaderField: "Authorization")
redirectedRequest = mutableRequest
}
return redirectedRequest
}
// Your code, slightly adapted
let fullUrl = Config.baseUrl + endpoint
let headers = [
"Content-Type": "application/json",
"Authorization": userData.userAPIKey!,
]
Alamofire.request(.GET, fullUrl, parameters: nil, encoding: .URL, headers: headers)
.response { (request, response, data, error) -> Void in
if let response = response {
print("GET REQUEST: \(response.statusCode)")
print(response.debugDescription)
// print(response.description)
if response.statusCode == 200 ||
response.statusCode == 201 {
let json = JSON(data: data!)
success?(json: json)
}
else if response.statusCode == 403 {
UserInfo.logOut()
failure?(error: .ExpiredToken)
}
else {
failure?(error: .InvalidLogin)
}
} else {
failure?(error: .ConnectionUnavailable)
// self.log(request, res: response, err: error)
}
}

Yes, the possibilities is due to the ATS because iOS 9 and OSX 10.11 require TLS Version 1.2 SSL that enforce you for secure connections between an app and its back
end so you should use HTTPS exclusively. In addition, your communication through higher-level APIs needs to be encrypted using TLS version 1.2 with
forward secrecy. If you try to make a connection that doesn't follow this requirement, an error is thrown. If your app needs to make a request to an insecure domain you have to specify this domain in your app's
Info.plist file.
<Key> NSAppTransportSecurity </ key>
<Dict>
<Key> NSExceptionDomains </ key>
<Dict>
<Key> yourserver.com </ key>
<Dict>
<-! Include to allow subdomains ->
<Key> NSIncludesSubdomains </ key>
<True />
<-! Include to allow insecure HTTP requests ->
<Key> NSTemporaryExceptionAllowsInsecureHTTPLoads </ key>
<True />
<-! Include to specify minimum TLS version ->
<Key> NSTemporaryExceptionMinimumTLSVersion </ key>
<String> TLSv1.1 </ string>
</ Dict>
</ Dict>
</ Dict>
if you application needs to connect with unknown hosts you have to configure like this.
<Key> NSAppTransportSecurity </ key>
<Dict>
<-! Connect to anything (this is probably BAD) ->
<Key> NSAllowsArbitraryLoads </ key>
<True />
</ Dict>

I had the same problem, actually the sessionManager.session.configuration.HTTPAdditionalHeaders get overwritten by the requestSerializer when sending the request. So you must set the headers in the requestSerializer, not in the session.configuration.HTTPAdditionalHeaders.
Code that was working on iOS8, but not on iOS9:
sm.session.configuration.HTTPAdditionalHeaders = ["Authorization" : "Bearer \(token!)"]
New code for iOS9
sm.requestSerializer.setValue("Bearer \(token!)", forHTTPHeaderField: "Authorization")

I ran into a similar issue that was fixed by temporarily allowing Alamofire to accept invalid SSL certificates (not for shipped code, but it works until the server is equipped to handle it).
public let alamoFireManager = Manager(
serverTrustPolicyManager: ServerTrustPolicyManager(policies: [
"myserver.com": .DisableEvaluation
])
)
and to use it, call
alamofireManager.request(....
like you would a normal request.