Cordova https/SSL issue in iOS

My Cordova app needs to invoke web services which are running in PHP.
All of the web service URLs are "https". I am getting the below error when I try to run the app with an https URL on an iPhone/iPad device.
I tried to debug the app using Safari Web Inspector. I am getting the below error.
Failed to load resource: The certificate for this server is invalid. You might be connecting to a server that is pretending to be “api.xyz.com” which could put your confidential information at risk.
Need some help to resolve this.

Related

iOS App Fails ATS system trust when https is enabled

I have an iOS App that I am compiling in Xcode 11.2.1. I am running MacOS Catalina 10.15.6.
My app consumes a Web Service that works fine when called unsecured over http.
I am now busy implementing security and we have bought a wildcard certificate from digicert and installed it on our API server. I have run the SSLLabs Server Security Test and the server gets an A-grading so all seems fine. We have updated the Android version of the app to use https instead of http and it is working fine. When I access the https endpoints from a browser it works fine and I don't get any security warnings or errors.
However, if I change from http to https and build and run the iOS App I get TLS errors. (I am calling the web service using URLSession and I am using Swift). I am putting a relevant section of the error log below to show the -9802 and -1200 errors I am getting.
ATS failed system trust
Connection 1: system TLS Trust evaluation failed(-9802)
Connection 1: TLS Trust encountered error 3:-9802
Connection 1: encountered error(3:-9802)
...
finished with error [-1200] Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x600001082b50>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, NSErrorPeerCertificateChainKey=(
I found https://support.apple.com/en-us/HT210176 and I was wondering if it is perhaps an issue that the "Subject Alternative Name" in our cert is our wildcard domain "*.domain.com" whereas the url we are connecting to is "myapi.domain.com". Could that be the problem? What else could I be missing?
In case someone else stumbles upon this...we ended up adding the specific subdomain we're calling in the API from our app to the "Subject Alternative Names" field on the certificate. So instead of just having "*.mydomain.com" in the Subject Alternative Names, we included both "myapi.domain.com *.mydomain.com". After we deployed this certificate to the server and we again tried calling myapi.domain.com from our app, the error went away and everything worked. (For those worried that this requires the purchase of a new certificate...it doesn't. It's quite possible to get such a copy of your certificate without having to buy a different one. Just check the documentation of the certificate issuer you are using.)
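As an added example (not part of the original posts): the wildcard rule from RFC 6125 applied to a list of SAN dNSName entries, showing which hostnames an entry such as "*.domain.com" covers. The function names are hypothetical, the SAN lists are constructed sample data using the placeholder names from the question, and the minimum of two literal labels after a wildcard is an assumed policy; name matching is only one of the checks in trust evaluation.

```python
# Added example: RFC 6125-style matching of a hostname against the
# dNSName entries of a certificate's Subject Alternative Name extension.
# All SAN lists used with it are constructed sample data.

def _labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def san_entry_matches(pattern, hostname):
    """Return True if one SAN dNSName entry covers the hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        # A wildcard stands for exactly one label, so the label counts
        # must agree: "*.domain.com" covers neither "domain.com" nor
        # "a.b.domain.com".
        return False
    if p[0] == "*":
        # Assumed policy: at least two literal labels after the wildcard
        # (rejects "*.com"), and those labels must match exactly.
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in pattern:
        # Partial-label or non-leftmost wildcards are not accepted.
        return False
    return p == h


def covering_entries(san_list, hostname):
    """Return the SAN entries that cover the hostname, in list order."""
    return [s for s in san_list if san_entry_matches(s, hostname)]


if __name__ == "__main__":
    sans = ["myapi.domain.com", "*.domain.com"]  # constructed SAN list
    for host in ("myapi.domain.com", "domain.com", "a.b.domain.com"):
        print(host, "->", covering_entries(sans, host))
```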

Should I put cert at both App Gw and Web App level

I have uploaded a cert on Azure Application Gateway but have not done SSL binding at the web app. Do I need to do SSL binding at the web app level even though I have uploaded the cert on App GW?
If you are deploying Azure Web App behind Application gateway, in end to end scenarios you don't need to add auth cert. You can just enable App Service check box.
The reason being if the cert in Web App changes without notice, it will bring down the site. So, you don't need to add the cert to Application Gateway HTTP settings.

Setting in Maximo Anywhere where any url specified for worklight server in build.properties cant be connected anymore through build apps

In summary, I have built the .ipa on a MacBook Pro and installed it on an iPad. The app is installed successfully, but it is unable to connect to the load balancer URL for mobile first.
All URLs that were specified for the worklight server in build.properties cannot be connected to anymore (using all apps that were built in offline wifi). This issue happens in both the testing and production environments.
Since the build is run in offline wifi, are there any settings, cache or log that store the list of URLs that won't be connected to by apps anymore?
environment:
testing and production: both have jvm url, webserver url and load balancer url which can be use to connect to server mobile first.
Steps in building and running the app:
1) change the build.properties to connect to load balancer url for worklight.
2) turn off wifi so that no adapter and oslc deployed into mobile first server
3) run build all
4) .ipa built and installed into ipad
5) in app setting, it is using the load balancer url.
6) app is launch, but no web resource download and when try to log in, error service is not available shown
troubleshoot for built app:
1) in app setting, tap the use custom url and change the load balancer url to webserver url
2) launch app, and web resource download is shown. able to log in
3) repeat step 1 for jvm url.
4) launch app, and web resource download is shown. able to log in
Using app from app store.
1) download and install any apps from app store (iOS). changed the custom url in setting to loadbalancer url. app is launch, got web resource download and able to log in.
ps:
1) no redeploy of war file
2) the app from app store works fine before and after the app was build from build server
3) macbook is in offline wifi during build process, so that no oslc and adapter deployed to server
We are running windows and android, but I’ll attempt to help you out and hope for the best. Is SSL configured in both the web server and the load balancer? Also- another thing to change when changing urls is the OSLC and MaxRest URLs in your Maximo system properties.

Phonegap app unable to connect to development server due to untrusted certificate

I am trying to allow an HTML5 app deployed to an iPad via Phonegap to connect to web services provided by my development server. The development server has a self-signed certificate. I was able to export my cert in p12 format (with the private key), and using the iPhone Configuration Utility I was able to create a configuration profile and install it to my iPad. When I look under General -> Profiles on the iPad I can see my configuration profile, and it says "Verified" with a green checkmark. However, it is signed with a signing certificate generated by the iPhone Configuration Utility that is NOT trusted. I believe this is causing web services to fail.
If I hit web services on a production server everything works fine, because the certificate that server has is verified by a major 3rd party issuer. The only problem is hitting my development server. I am able to hit the development server using the host name that the self-signed certificate was issued for by having my iPad hit a proxy server, which has an /etc/hosts entry that resolves to the correct host name. I can hit this site in Chrome on the iPad so I know that is working. However, Chrome also throws up a warning because the certificate is not trusted. It SHOULD be trusted. This works fine on a laptop computer, or in the iOS simulator (for that I had to import the cert into the simulator). It is only on an actual physical device that it won't work.
Surely this kind of dev setup is typical for iOS apps using web services. Can anyone suggest a course of action? Is there a way to get the signing certificate produced by the iPhone Configuration Utility to be trusted?

Fiddler - Capture and decrypt HTTPS traffic from iPad app

I'm trying to monitor the HTTPS requests/responses for my iPad app using Fiddler. I have a Windows 7 PC running Fiddler and have configured the HTTP proxy on my iPad to point to the PC using port 8888. This works fine and the CONNECT tunnel messages and 'ClientHello' handshakes can be seen in the capture log. However as soon as I enable the 'Decrypt HTTPS traffic' option in Fiddler, the app is blocked from connecting to the server. I've tried installing the Fiddler root certificate on the PC, and I also installed the certificate on my iPad by exporting the certificate to a URL and pointing Safari to the URL on my iPad which then installed it. This hasn't made a difference. Do I need to do something with the SSL certificate installed at the server running my web service?
Download the Fiddler Add-on for iOS/Android then visit http://[proxyip]:[port]/ using your phone browser. You can generate/download your working certificate from there.
And
Turn on your Fiddler certificate at your iPhone Settings -> General -> About -> Certificate Trust Settings
You may not have completely installed the Fiddler certificate.
Email the fiddler certificate to your iPad. Open the email and then open the certificate. iOS will prompt you to trust the certificate, and then install it.
If it is installed correctly, you will have a new iOS setting under Settings->General->Profile called DO_NOT_TRUST_Fiddler. That setting is your installed certificate.
Once the certificate is installed - Fiddler will be able to show you your HTTPS traffic.
I tried to open https://github.com for testing. And I have done as Josh said (install the certificate through email). But I came across "Safari cannot open the page because it cannot establish a secure connection to the server". When I close the http proxy, https://github.com shows up well.
Install "CertMaker Add-on" from this article and try again everything you described in your question - it will work okay.
