Random SSL errors in iOS 8.1. (NSURLErrorDomain:-1200) - ios

In iOS 8.1 we are getting random SSL errors.
There is no issue at the sever and it seems like iOS device issue. AWS support has checked the SSL configuration and the certificate in server, but didn't find any issue.
Error message is this - "An SSL error has occurred and a secure connection to the server cannot be made. (NSURLErrorDomain:-1200)". We are using NSURLConnection to make network connections.
Many of our users started getting this error recently and all were in in iOS 8.1. Is this a known bug?

I have exactly the same issue with iOS8.1 user on my website
on the server side, i have this error :
No hostname was provided via SNI for a name based virtual host
it seems that iOS8.1 doesn't support very well SNI.
The workaround is to configure your webserver tp accept client that doesn't support SNI and set the virtualhost and certificate you want "no SNI client" to be show by default for any all SSL virtualhosts
In apache you have to add :
NameVirtualHost *.443 #before the first SSL virtualhost which will have the default certificate.
SSLStrictSNIVHostCheck off # in this default virtualhost.
Sorry for my english (i'm french) and hope it will help

Related

iOS App Fails ATS system trust when https is enabled

I have an iOS App that I am compiling in Xcode 11.2.1. I am running MacOS Catalina 10.15.6.
My app consumes a Web Service that works fine when called unsecured over http.
I am now busy implementing security and we have bought a wildcard certificate from digicert and installed it on our API server. I have run the SSLLabs Server Security Test and the server gets an A-grading so all seems fine. We have updated the Android version of the app to use https instead of http and it is working fine. When I access the https endpoints from a browser it works fine and I don't get any security warnings or errors.
However, if I change from http to https and build and run the iOS App I get TLS errors. (I am calling the web service using URLSession and I am using Swift). I am putting a relevant section of the error log below to show the -9802 and -1200 errors I am getting.
ATS failed system trust
Connection 1: system TLS Trust evaluation failed(-9802)
Connection 1: TLS Trust encountered error 3:-9802
Connection 1: encountered error(3:-9802)
...
finished with error [-1200] Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x600001082b50>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, NSErrorPeerCertificateChainKey=(
I found https://support.apple.com/en-us/HT210176 and I was wondering if it is perhaps an issue that the "Subject Alternative Name" in our cert is our wildcard domain "*.domain.com" whereas the url we are connecting to is "myapi.domain.com". Could that be the problem? What else could I be missing?
In case someone else stumbles upon this...we ended up adding the specific subdomain we're calling in the API from our app to the "Subject Alternative Names" field on the certificate. So instead of just having "*.mydomain.com" in the Subject Alternative Names, we included both "myapi.domain.com *.mydomain.com". After we deployed this certificate to the server and we again tried calling myapi.domain.com from our app, the error went away and everything worked. (For those worried that this requires the purchase of a new certificate...it doesn't. It's quite possible to get such a copy of your certificate without having to buy a different one. Just check the documentation of the certificate issuer you are using.)

Capturing SSL netowork dat with charles proxy with iOS

I had set up charles to intercept proxy http traffic and now, trying to intercept https traffic. I am using charles 3.11.2 and device with iOS 9.2. I have installed charles root proxy on the system and also installed on the iOS device. I have enabled ssl interception for all pages with wild card "*". When I go to safari and hit a secure webpage, I get There was a problem communicating with the secure web proxy server(HTTPS).
In my charles window, I get the error, SSL: Unrecognized SSL message, plaintext connection? and notes stating Exhausted available SSL/TLS protocols, trying with everything enabled.
Is there any thing which I am misssing?
Make sure Charles is running with an up-to-date JVM. I had this same issue and the problem was I had JAVA_HOME set to a Java 6 JRE. Updating the environment to use Java 8 fixed the issue.
Refer the answer here: Cannot see iOS simulator traffic with charles proxy
Ensure that ATS is present for debug builds as commented in the shared thread

Access Development server with self-signed SSL Certificate

My app needs to connect to an internal web server through https.
The server has a self-signed certificate that is valid until next year:
I have installed this certificate in the iOS Simulator and on the device (Certificate.cer):
I am watching the traffic with Charles and the request does not even "leave" my computer.
The problem seems to be due to the SSL Certificate because when I can access the server through the internal url and the port 8080 everything works fine.
I did try the hack with the category allowsAnyHTTPSCertificateForHost:. This did not work in the simulator as well as on the device.
There seems to be official API to do this: How to use NSURLConnection to connect with SSL for an untrusted cert?
However, since this is only my development environment I would prefer not to change my code base for now. Plus I am using a framework to parse my data and I might have to deeply interfere with that framework to get to the API described above.
So my question is, should it not be possible to install the certificate and then use the server as if there was an official SSL certificate.
Email the self-signed certificate to yourself then open it on your iPhone. You will be taken through the steps to install the certificate on your phone.

Worklight adapter connecting to backend over SSL

WL 5.0.6, HTTP adapter, running on Liberty
We want to make simple connection from our adpater to a backend over SSL, the backend team have provided us their certificate.
Our symptom is
FWLSE0101E: Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
We have read the infocenter here but clearly have got something wrong. Steps we took
Used the JRE keystore tool to add the cert to a keystore.
Adjusted the worklight properties to point to the kaystore.
Restarted the WL Server
Any suggestions for how to diagnose or fix?
The issue in this case was that the certificate referenced hosts that were not visible to our DNS server. We worked around this by adding entries to /etc/hosts.

HTTPS request can't verify certificate on iOS Safari

I didn't configure the HTTPS on my domain so I'm not really sure where to start with this warning prompt that I only get on iOS Safari on my iPhone and iPad. I've never gotten this on a desktop with Mac Safari, Chrome, FF, or IE.
Can someone point me to a file on my ubuntu/apache EC2 server or somewhere on the site of my domain provider, GoDaddy, that deals with verifying certificates.
For those on Nginx you need to append the gd_bundle.crt file to your other .crt cert. Just cat gd_bundle.crt >> yourwebsite.crt and restart Nginx.
Tim,
If browsers on desktops are showing the SSL without warning, and the warning you are getting is on a mobile device, the issue is most likely with the intermediate certificate of the Certificate Authority that issued the SSL not being installed properly. I suggest that you contact the issuer of the certificate for help with this and not the host or the domain registrar.
I found the link which solved my problem.
I needed to put BOTH .crt files from GoDaddy into my /etc/apache2/ssl folder on my apache EC2 server and add the following to my /etc/apache2/httpd.conf file:
SSLCertificateFile /etc/apache2/ssl/mysite.com.crt
SSLCertificateChainFile /etc/apache2/ssl/gd_bundle.crt

Resources