I have setup nodejs for SSL with certificates from ssls.com. When I run tests from the browser my certificates are found and things seem okay (excepting a couple of vulnerabilities are shown). I'm using sites like:
https://www.sslshopper.com/ssl-checker.html
https://www.ssllabs.com/ssltest/analyze.html
Notwithstanding I'm having trouble getting my IOS app to connect using a websockets library.
When I run this new diagnostic command:
nscurl --ats-diagnostics https://<mydomain.com> I get
nscurl[4714:325661] CFNetwork SSLHandshake failed (-9806)
nscurl[4714:325661] NSURLSession/NSURLConnection HTTP load failed
(kCFStreamErrorDomainSSL, -9806)
The more detailed log file doesn't seem to give much more info:
Error: Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)"
UserInfo={_kCFStreamPropertySSLClientCertificateState=0,
_kCFNetworkCFStreamSSLErrorOriginalValue=-9806, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9806}
Any ideas?
Related
I am developing a web service and iOS app that hits the web service on my local machine. At first, I disabled the cleartext errors for interacting with the service, but now I would like to use https so that my development, test, and prod environments are as similar as possible.
I installed my self-signed cert locally, so going to the site directly is using https just fine:
I have followed the instructions to install a cert in the iPhone simulator:
However, when I hit the web service on my local machine that uses this cert, I still get these error in the console:
2020-10-17 09:59:10.891496-0500 cttios[45481:2146304] [] nw_protocol_get_quic_image_block_invoke dlopen libquic failed
2020-10-17 09:59:10.899475-0500 cttios[45481:2146304] ATS failed system trust
2020-10-17 09:59:10.899583-0500 cttios[45481:2146304] Connection 1: system TLS Trust evaluation failed(-9802)
2020-10-17 09:59:10.899744-0500 cttios[45481:2146304] Connection 1: TLS Trust encountered error 3:-9802
2020-10-17 09:59:10.900077-0500 cttios[45481:2146304] Connection 1: encountered error(3:-9802)
2020-10-17 09:59:10.901405-0500 cttios[45481:2146304] Task <BE791070-705B-4C7D-A1DB-F57BCF1DFBCE>.<1> HTTP load failed, 0/0 bytes (error code: -1200 [3:-9802])
2020-10-17 09:59:10.904343-0500 cttios[45481:2146304] Task <BE791070-705B-4C7D-A1DB-F57BCF1DFBCE>.<1> finished with error [-1200] Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=(
"<cert(0x7ff4ce854600) s: cttweb.test i: Homestead homestead Root CA>"
), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://cttweb.test/api/v1/login, NSErrorFailingURLStringKey=https://cttweb.test/api/v1/login, NSUnderlyingError=0x600001123ab0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x600002d55cb0>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=(
"<cert(0x7ff4ce854600) s: cttweb.test i: Homestead homestead Root CA>"
)}}, _NSURLErrorRelatedURLSessionTaskErrorKey=(
"LocalDataTask <BE791070-705B-4C7D-A1DB-F57BCF1DFBCE>.<1>"
), _kCFStreamErrorCodeKey=-9802, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <BE791070-705B-4C7D-A1DB-F57BCF1DFBCE>.<1>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x600002d55cb0>, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made.}
Login api error: An SSL error has occurred and a secure connection to the server cannot be made.
Optional(["task": ["Login api error: An SSL error has occurred and a secure connection to the server cannot be made."]])
I have tried restarting the simulator after installing the cert, same result. What am I doing wrong?
It looks like I may not be trusting the cert even after installing it, but I can't find a way to trust it.
The problem is that I had the website cert installed, but not the CA cert generated for my local web server installed. That was as easy as dragging the CA root cert into Safari on the simulator.
I am using IOS 13.3 and my application stop suddenly after 6 month.
I have checked my certificate and found no issue in certificate.
i am getting the following error.
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9816)
2020-04-17 01:38:14.778140+0530 Example[38000:704335] Task <71350D43-9801-46F2-9F9E-333AF09964CE>.<1> HTTP load failed (error code: -1200 [3:-9816])
2020-04-17 01:38:14.779009+0530 Example[38000:704332] Task <71350D43-9801-46F2-9F9E-333AF09964CE>.<1> finished with error - code: -1200
2020-04-17 01:38:14.782985+0530 Example[38000:704332] Task <71350D43-9801-46F2-9F9E-333AF09964CE>.<1> load failed with error Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSErrorFailingURLStringKey=https://api.example.com:1410/v1.1/users/signin, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, kCFStreamErrorDomainKey=3, NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <71350D43-9801-46F2-9F9E-333AF09964CE>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey=(
"LocalDataTask <71350D43-9801-46F2-9F9E-333AF09964CE>.<1>"
), NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://api.example.com:1410/v1.1/users/signin, NSUnderlyingError=0x600002db3d50 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFNetworkCFStreamSSLErrorOriginalValue=-9816, kCFStreamErrorDomainKey=3, kCFStreamErrorCodeKey=-9816}}, kCFStreamErrorCodeKey=-9816} [-1200]
Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made.
Here is the screenshot
I'm not sure how to solve it. Any ideas?
You probably need to reconfigure your SSL certificates. I know for TCP/TLS at least, with iOS 13 they imposed more restrictions on the certificates. I created a package to handle sockets on iOS - I also included a lot of good info about making certificates how you need to now.
https://github.com/eamonwhiter73/IOSObjCWebSockets/tree/master
I've been trying to get the iOS simulator to play nice with our internal dev servers.
I've installed the root CA by dragging it to the simulator. It's enabled by default but I toggled it on/off anyway just to be sure.
I connected via safari and got the error in the title. Connected via the app (actually XCTest) and got:
2020-03-30 11:45:53.001800+0300 xctest[20258:5222958] [] nw_coretls_callback_handshake_message_block_invoke_3 tls_handshake_continue: [-9812]
2020-03-30 11:45:53.001 xctest[20258:5222959] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
2020-03-30 11:45:53.004 xctest[20258:5222951] Error in <file/line>: Optional(Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “<domain>” which could put your confidential information at risk." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x7fd53fd12480>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9813, NSErrorPeerCertificateChainKey=(
"<cert(0x7fd546009200) s: <domain> i: <CA>>"
), NSUnderlyingError=0x7fd541a157e0 {Error Domain=kCFErrorDomainCFNetwork Code=-1202 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x7fd53fd12480>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9813, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9813, kCFStreamPropertySSLPeerCertificates=(
"<cert(0x7fd546009200) s: <domain> i: <CA>>"
)}}, NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “<domain>” which could put your confidential information at risk., NSErrorFailingURLKey=https://<url>, NSErrorFailingURLStringKey=<url>, NSErrorClientCertificateStateKey=0})
I've connected from chrome on Mac and it works fine. I actually copied the CA from the mac's keychain to the simulator.
Went over the checklist from https://support.apple.com/en-us/HT210176:
key size = 4096
hash algorithm is SHA-256 RSA
there's a DNS name in the SAN (but also in CN). It says CN names are not trusted but it doesn't say they're not allowed.
There's a value in EKU
It's valid for two years
I've also compared the certificate as presented in Safari iOS to that in Chrome Mac. Looks fine.
Finally, I've installed 10.3 on the simulator just to rule out some new bug/restriction.
Running on Catalina/Xcode 11.4
I'd appreciate help in one of the following:
An actual solution
Help diagnosing this. A link to more up to date requirements or a tool to see why the cert is failing.
My Firebase authentication is not working. Here is the log from the console:
2017-06-02 08:12:18.928 Study M8[67744] <Warning> [Firebase/Analytics][I-ACS003016] Firebase Analytics App Delegate Proxy is disabled. To log deep link campaigns manually, call the methods in FIRAnalytics+AppDelegate.h.
2017-06-02 08:12:19.544 Study M8[67744:2637901] Simulator user has requested new graphics quality: 10
2017-06-02 08:12:19.576 Study M8[67744] <Warning> [Firebase/Analytics][I-ACS005000] The AdSupport Framework is not currently linked. Some features will not function properly. Learn more at https://firebase.google.com/support/guides/analytics-adsupport
2017-06-02 08:12:19.619 Study M8[67744] <Notice> [Firebase/Analytics][I-ACS023007] Firebase Analytics v.4000000 started
2017-06-02 08:12:19.621 Study M8[67744] <Notice> [Firebase/Analytics][I-ACS023008] To enable debug logging set the following application argument: -FIRAnalyticsDebugEnabled (see http://help.apple.com/xcode/mac/8.0/#/dev3ec8a1cb4)
2017-06-02 08:12:19.748 Study M8[67744] <Warning> [Firebase/Analytics][I-ACS032003] iAd framework is not linked. Search Ad Attribution Reporter is disabled.
2017-06-02 08:12:19.755 Study M8[67744] <Notice> [Firebase/Analytics][I-ACS023012] Firebase Analytics enabled
2017-06-02 08:12:20.454 Study M8[67744:2638259] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9806)
2017-06-02 08:12:20.456 Study M8[67744:2638259] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9806)
2017-06-02 08:12:20.573 Study M8[67744:2637901] <Firebase/Network/ERROR> Encounter network error. Code, error: -1200, Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9806, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x60800004e610 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9806, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9806}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://play.googleapis.com/log, NSErrorFailingURLStringKey=https://play.googleapis.com/log, _kCFStreamErrorDomainKey=3}
2017-06-02 08:12:20.576 Study M8[67744] <Error> [Firebase/Core][I-NET901017] <Firebase/Network/ERROR> Encounter network error. Code, error: -1200, Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9806, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x60800004e610 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9806, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9806}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://play.googleapis.com/log, NSErrorFailingURLStringKey=https://play.googleapis.com/log, _kCFStreamErrorDomainKey=3}
2017-06-02 08:12:20.577 Study M8[67744] <Error> [Firebase/Analytics][I-ACS901017] Encounter network error. Code, error: -1200, Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9806, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x600000052720 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9806, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9806}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://app-measurement.com/config/app/1:1030084793656:ios:2caba89d2a97a5b1?platform=ios&app_instance_id=7B84A3F451A04EBEAB26BE84DE23D1D4&gmp_version=4000, NSErrorFailingURLStringKey=https://app-measurement.com/config/app/1:1030084793656:ios:2caba89d2a97a5b1?platform=ios&app_instance_id=7B84A3F451A04EBEAB26BE84DE23D1D4&gmp_version=4000, _kCFStreamErrorDomainKey=3}
2017-06-02 08:12:20.580 Study M8[67744] <Error> [Firebase/Core][I-COR000020] Error posting to Clearcut: Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9806, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x60800004e610 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9806, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9806}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://play.googleapis.com/log, NSErrorFailingURLStringKey=https://play.googleapis.com/log, _kCFStreamErrorDomainKey=3}, with Status Code: 0
2017-06-02 08:12:28.627210+1000 Study M8[67744:2637901] [MC] System group container for systemgroup.com.apple.configurationprofiles path is /Users/jack.staples/Library/Developer/CoreSimulator/Devices/A86AAB47-B72B-41D0-9FE3-6BAA9F7097ED/data/Containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles
2017-06-02 08:12:28.634587+1000 Study M8[67744:2637901] [MC] Reading from private effective user settings.
2017-06-02 08:12:37.313 Study M8[67744:2638259] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9806)
2017-06-02 08:12:37.317 Study M8[67744] <Error> [Firebase/Analytics][I-ACS901017] Encounter network error. Code, error: -1200, Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9806, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x60800024dc20 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9806, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9806}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://app-measurement.com/config/app/1:1030084793656:ios:2caba89d2a97a5b1?platform=ios&app_instance_id=7B84A3F451A04EBEAB26BE84DE23D1D4&gmp_version=4000, NSErrorFailingURLStringKey=https://app-measurement.com/config/app/1:1030084793656:ios:2caba89d2a97a5b1?platform=ios&app_instance_id=7B84A3F451A04EBEAB26BE84DE23D1D4&gmp_version=4000, _kCFStreamErrorDomainKey=3}
2017-06-02 08:12:37.324 Study M8[67744:2638259] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9806)
If anyone has any idea whats going on the help is really appreciated.
Add this lines to your plist file:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
2015-11-04 15:17:23.236 Testing[2504:80857] CFNetwork SSLHandshake failed (-9824)
2015-11-04 15:17:23.237 Testing[2504:80858] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
I did a little testing app with only a web view to show contents of this website:
https://ripemobileapps.com
Server supports SSL, TLS v1.2 and has GeoTrust certificate.
Test on https://www.ssllabs.com/ssltest/ gives A- grade SSL.
I really don't know what else can I do to open it. If I try to open https://www.google.com it works fine. For sake what else apple demands?
Use the nscurl command provided to test this. It will test all ATS settings.
nscurl --verbose --ats-diagnostics https://ripemobileapps.com