getting an intermittent SSL error on iOS.
I've turned off ATS, and we know this happens on OS versions < iOS9 as well
Error Domain=NSURLErrorDomain Code=1011 "An SSL error has occurred and
a secure connection to the server cannot be made."
UserInfo={NSLocalizedDescription=An SSL error has occurred and a
secure connection to the server cannot be made.,
NSLocalizedRecoverySuggestion=Would you like to connect to the server
anyway?, _kCFStreamErrorCodeKey=-9806 NSErrorFailingURLStringKey=, _kCFStreamErrorDomainKey=3, NSUnderlyingError=0x1471b600
from our crittercism logs, seems like some users are able to replicate this. but we have not been able to
Would you like to connect to the server anyway?<-- this makes me suspect that there was an authentication challenge. how can i verify that?
kCFStreamErrorCodeKey=-9806 <-- does anyone know what this error means?
Edit:
-9806 means errSSLClosedAbort
http://www.opensource.apple.com/source/Security/Security-55179.13/libsecurity_ssl/Security/SecureTransport.h
what can cause this? i don't think this is due to a spotty network because from our tracking tools, SSL connections to other hosts seem ok. and when a user hits this issue, it is re-produceable. seems to me like we need to inspect the failure with wireshark to get further information. but we have not been able to re-produce this. does anyone have ideas logging more information from apps in the wild to debug this?
The server SSL certificate is failing the built-in certificate validation. It is up to you to decide how to handle this and present a correct remediation to the user. This can happen for many reasons.
SSL trust evaluation is described in detail in Technical Note 2232: SSL Trust Evaluation.
I've had similar errors in a few scenarios:
The server was getting accessed via https://www.domainname.com instead of https://domainname.com (note the "www.") in which case because of how I signed the cert was making it invalid. (I later found how to make the cert valid for both addresses and used the virtualHost and htaccess to always push to www.jeremiedaigle.com)
I had a load bearing server which was improperly setup. One of the servers had the cert, the other didn't.
Last, I have also encountered this issue when debugging and trying to use a self signed cert because I was using a proxy (CharlesProxy) middleman to debug my requests. the Middleman cert, in this case had to be trusted by the device. You can do this by sending the cert via email and opening it on the device.
Related
My app fetches resources from AWS bucket (accessed thru a cloudfront).
Some of the users fails to fetch the data due to
NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made."
As we use AWS service I assume that the SSL certificate is fine, the fact that it happens to a small (but not small enough) portion of the users should say that the SSL certificate is OK.
Any other post I saw about this issue suggested to add a flag to App Transport Security Settings in info.plist file that will allow unsecured connection. This is not something I can (or want) to do.
Thanks for the help :)
This might happen if you're using a VPN.
But will also happen if you're using a proxy tool like Charles Proxy but haven't installed/trusted the Charles Proxy certificate.
It also happened to me when I was on a public wifi network. It seemed that some how the public wifi was doing some sort of a MITM to maybe add some ads. I didn't face the same problem when I was using LTE or a non-public wifi
I found this solution from the Apple Developer Forums which does not involve modifying the App Transport Security Settings:
And you shouldn’t need an ATS exception in your scenario. The
approach I recommend is as follows:
Set up a custom certificate authority (CA) within your organisation (many organisations already have this).
Have it issue a certificate for your private server.
Use MDM to install your organisation CA’s root certificate on your devices.
We have developed app iOS app using Xamarin.
It's working well in my test devices. My client is running into an issue of SSL error when he is using cellular connection.
Same app is running perfectly fine when he is using Wifi connection.
I am using Modern HTTP client to make web connection to use native APIs.
I have also tested app in IPV6 environment and it is also working fine.
Settings of App transport security are okay that I have verified. [If error is here then it should come all time irrespective of connection type.]
Issue is at remote end so, I dont have too much opportunity to experiment with various settings, debug and see what is causing this issue.
Having any clue or direction would be really helpful.
Note: Using third party online tools we have verified that our server is ATS compliant and using TLS 1.2
Stacktrace
System.Net.WebException: An SSL error has occurred and a secure connection to the server cannot be made. ---> Foundation.NSErrorException: Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSErrorFailingURLStringKey=MYURL, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3,
_NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <5C93BDAD-10CE-478B-9D72-5AA02AA84617>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey=(
"LocalDataTask <5C93BDAD-10CE-478B-9D72-5AA02AA84617>.<1>"
), NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=MYURL, NSUnderlyingError=0x282ea41e0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)"
UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9816, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9816}}, _kCFStreamErrorCodeKey=-9816}
Update
We have updated server instance and that has made this issue random instead of all time producing. Removed HTTP client but still issue is there. We are neither getting steps or situation to produce it all time nor fix.
"I am using Modern HTTP client to make web connection to use native APIs."
This is likely the cause of your problem. This was something that was true several years ago. However Xamarin HttpClient already uses native APIs (you can set that in the project properties), while Modern HTTP client hasn't been updated for years and likely has some problems by now.
Is the connection failing all the time or sometimes? If the latter, then the bottom could help.
I'm not sure if this is the case, might be worth checking. But, we also had a similar issue on some Cellular Providers. What happened was the SIM had no more data (hit the limit), so the Provider would initially allow connection but cut it in the middle. This would show as an SSL error.
In our case, we could not do anything about it since it was the Cellular Provider's specific implementation.
I think we just discovered a bug on iOS 9 (version as of Oct 23rd 2015) when using client SSL certs to talk to a backend API. In common with a lot of REST services, our API generates 4xx error codes to communicate status. One of those is a 403 Forbidden error when a client tries to access paths that a specific client ID is not authorized to access. Note that this HTTP error occurs AFTER the client SSL cert has setup a valid connection & and the client ID has been authenticated.
In iOS 9, this sequence will generate an invalid client SSL error:
FAILED: Error Domain=NSURLErrorDomain Code=-1206 "The server “our.server.here” requires a client certificate."
(note: this a followup to my tweet here: https://twitter.com/ckmaresca/status/657576686318256128 - I figured SO is the place most people will search for this)
It took us days to finally figure out but it turns out that this particular error is generated by Apple's new Application Transport Layer security. Specifically, it seems that if you are using client certs and your backend API generates an HTTP 403 error, ATL believes that the cert is bad and kills the entire transaction.
We know this because we can see in our server logs that the request goes through and executes properly. We've also observed that the socket stays alive trough the request and this error only shows up after the response from the server is received. We also know our client cert works since any path not returning a 403 works with zero errors and changing the HTTP error code to 401 makes this problem go away.
This is problematic for a number of reasons, but mostly because HTTP errors are not SSL errors. The two can operate independently and it's perfectly possible to have a 403 error with a valid client side SSL certificate....
The work around is to change all your 403 errors to something else. I would note that a large number of Oauth1/2 servers will generate various 403 errors, so this might be non-trivial. Alternatively, it might be possible to use a reverse proxy to remap HTTP 403 errors to a different HTTP code - we have not tested this.
We have filed a bug with Apple, but I wanted to give people a heads up so maybe they can avoid banging their heads against a wall like we did for a week....
Thanks to the Sherbit.io enginnering team (specifically Varun & Matt) for debugging this.
I've written a utility app for loading data into shopify through the rest API.
Having a strange error where the api only works when I'm running Fiddler.
Any idea what's going on? I'm sure it's a configuration issue rather than a code issue.
When Fiddler is running web access is through a proxy on 127.0.01:8888.
I'm not advanced enough on SSL to figure this one out. Do you need a self signed certificate to connect to an SSL API.
I found a few posts suggesting setting ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls but that didn't fix it!
>> Do you need a self-signed certificate to connect to an SSL API.
We faced similar issue with our application. If API has any certificate errors (In our case, we are using self-signed certificate), Browser will not allow you to interact with API.
Solution : Install your root Certificate, so that browser will start honoring your self-signed certificate.
>> Having a strange error where the api only works when I'm running Fiddler. Any idea what's going on? I'm sure it's a configuration issue rather than a code issue.
Whenever you enable HTTPs traffic decryption in fiddler (see below image for enabling this setting in fiddler), below things will happen.
Fiddler will automatically install its root certificate
"DO_NOT_TRUST_FiddlerRoot" to Browser's CA list.
Fiddler will use your API's self-signed certificate to decrypt HTTP traffic.
Again fiddler will encrypt same HTTP traffic using fiddler signed
certificate, i.e, for all your API calls will have fiddler signed
certificate
As fiddler signed certificates are trusted by user browser (due to step#a), you will not see any certificate errors.
Hope this information helps you!
Turns out I was setting SSL type to SSL3.
i.e. I had this code
ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3;
and shopify doesn't use SSL3 any more.
Turns out it was nothing to do with installing certificates.
This question is unlikely to help any future visitors; it is only relevant to a small geographic area, a specific moment in time, or an extraordinarily narrow situation that is not generally applicable to the worldwide audience of the internet. For help making this question more broadly applicable, visit the help center.
Closed 9 years ago.
I have a Ruby on Rails app that uses SSL. I run the server using thin start --ssl. Every time I launch the server and access the app, I get a warning saying that the SSL certificate is not verified. That is not a problem as long as I stay in Rails. However, my app also has an API and I am developing an iPhone client app for it. When I do a request from the iphone app to the local Rails server, I get the following error:
2013-03-24 12:30:09.680 OAuth2Test[44541:c07] Error: Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “oauth.lvh.me” which could put your confidential information at risk." UserInfo=0x8832730 {NSErrorFailingURLStringKey=https://oauth.lvh.me:3000/oauth/authorize?client_id=23b8921e8db833a33ac7a058b93183a1496f56a6eea4f6c597291106f80a37d0&redirect_uri=https%3A%2F%2Fcatapultcentral.com%2FiOSClientCallback&response_type=code, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSErrorFailingURLKey=https://oauth.lvh.me:3000/oauth/authorize?client_id=23b8921e8db833a33ac7a058b93183a1496f56a6eea4f6c597291106f80a37d0&redirect_uri=https%3A%2F%2Fcatapultcentral.com%2FiOSClientCallback&response_type=code, NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “oauth.lvh.me” which could put your confidential information at risk., NSUnderlyingError=0x8944cd0 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “oauth.lvh.me” which could put your confidential information at risk.", NSURLErrorFailingURLPeerTrustErrorKey=}
In my opinion, the key part of this error is: "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “oauth.lvh.me” which could put your confidential information at risk.". By the way, I test my iPhone app in the iPhone Simulator.
So, if I am correct, there are three solutions to this problem:
Deploy my API to the staging server and develop the iPhone app against that. At the moment, all the API-related code is not deployed, and I'd rather not deploy it until it is in a stable state. So that is not an option.
Develop the iPhone app in a certain way so that it doesn't verifies the SSL certificate. I do not like this approach and I don't even know how to do it...
Get a local verified SSL certificate (fake the verified state or something). I don't know how to do that but that seems like the best option.
I tried to follow a tutorial on how to generate a self certified SSL certificate and then run the Rails server with thin start --ssl --ssl-verify --ssl-key-file server.key --ssl-cert-file server.crt but that didn't work (the created SSL certificate is still not verified).
So how can I solve my problem please?
You should create a root CA and use it to create your SSL certificates, and add that root CA to your iPhone.