Why is my server certificate being rejected? - ios

I am trying to connect my app to a server using TLS 1.2. The server is using a certificate that has been signed by a self-signed CA certificate that is already installed on the device (I emailed the CA certificate to myself, tapped it. Now it shows up under Settings -> General -> Profiles). This was previously working in my app, but we have changed the CA certificate we're using so I've updated the server's certificate as well. Now I'm getting SSL failures.
The error I'm seeing is errSSLXCertChainInvalid from my call to SSLHandshake on the client. As far as I can tell, the server certificate should be valid. openssl verify -CAfile ca-cert.pem server-cert.pem returns OK, and that ca-cert.pem is the same CA certificate I've installed on the device.
Any ideas? Thanks!

There's some information in Apple's documentation regarding this error:
errSSLXCertChainInvalid — The peer has an invalid certificate chain; for example, signature verification within the chain failed, or no certificates were found.
And if you use SSLSetPeerDomainName:
You can use this function to verify the common name field in the peer’s certificate. If you call this function and the common name in the certificate does not match the value you specify in the peerName parameter, then handshake fails and returns errSSLXCertChainInvalid.
I'd suggest uninstalling your device configuration profile, and creating a new one.
Also, it might be a good idea to check if you can access the server without errors from, say, a web browser. This will reveal if there is a problem with the certificate, or just your configuration profile on your iOS device.

Related

iOS 11 simulator problems with private CA

I am running a Tomcat server to develop and test a native iOS app. The server is presenting a certificate signed with a private CA. This is Apple's recommendation for test servers rather than using self-signed certificates. I have tested the certificate at sslshopper.com and it shows that the certificate has a CA chain. The root CA certificate has been installed on the simulator.
Initially, without any ATS exceptions, my app gives me the following:
The error is the usual:
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
This error is usually the result when the app encounters a self-signed certificate. As I said above, the certificate is not self-signed.
After adding an exception domain to the app's plist, I get this:
This is usually what we see for certificates with an invalid CN. I have verified that the CN is correct in the certificate.
The error is :
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
I couldn't find the error in the Apple docs and finally had to resort to looking it up in the header file. It is as follows:
errSSLNoRootCert = -9813, /* cert chain not verified by root */
Since the chain is present and the root certificate is installed on the simulator, I'm not sure what this error means. I did notice when installing the root certificate that it would not be usable until it was enabled in the Certificate Trust Settings, but the only live content on that pane in the simulator is a link to the Apple developers site. I went to my test site in Safari and was able to access it after confirming the certificate exception. The root certificate profile says that it is verified (green checkmark).
Any help is appreciated.
This ended up being a bug in the iOS certificate manager. The root certificate did not have a CN, which is optional. The CN in the root is not used for any part of the verification function. The lack of the CN was confusing the cert manager and it didn't display it in the certificate management panel. One of the Apple Developer SMEs has filed a bug report.
You need to browse the link within the internal network if you are using an internal CA certificate/private certificate. Anyone browsing from an external network should have the root and the intermediate certificate installed in his/her browser.
Also, different browsers and operating systems have different procedures. For example, Chrome takes the trust store of the operating system (with the exception of EV certificates), as seen in the Root CA Policy of Chromium.

iOS app not working on device after SSL cert expired and renewed

I have an SSL wildcard that my web service uses. My iOS app works with this back end. The certificate expired and my app stopped working.
The SSL is now renewed (GoDaddy) but my app only works in the simulator. When loaded on an actual device, it's still not liking the SSL.
Here's the error I'm receiving:
NSURLErrorDomain error -1012
How can I fix this and have the device work again with the new SSL?
Thanks for the advice above, but the fix was needed on the server, as other versions are live now...
So first I checked: my certificate was not configured properly on AWS ELB;
the thing is, I had to include the certificate chain.
For checking the correct configuration of my SSL I used an app called "SSL detective" and the GeoTrust SSL Toolbox.
Now the basic cert and cert chain are working; no need to change the app.
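Seen side by side, the three threads above are one handshake-time check failing in three ways: the device cannot chain the server certificate up to a root it trusts (an ELB that sends no intermediate, or a root that is not installed on the device), or the name in the certificate does not match the host, which is what SSLSetPeerDomainName turns into errSSLXCertChainInvalid. The Go program below is an added illustration, not code from any of the posts or from Apple: it builds a throwaway root -> intermediate -> server chain (the CA names and hostnames are made up) and runs the server certificate through the same checks a client performs, so each failure mode can be reproduced offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a short-lived test cert for cn; keyCertSign in ku makes it a CA, a nil parent makes it self-signed.
func mkCert(cn string, sans []string, ku x509.KeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // cannot fail with rand.Reader
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: sans,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: ku,
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced, so it parses
	return cert, key
}

// verifyLeaf mirrors the client: chain the leaf through the intermediates the server sent up to the trusted root, then match host against the SAN list (modern verifiers ignore the CN).
func verifyLeaf(leaf *x509.Certificate, host string, trusted *x509.Certificate, sent ...*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool() // explicit pools; a nil Roots would mean system roots
	roots.AddCert(trusted)
	for _, c := range sent {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// Scenarios reproduces the page's failure modes against one constructed PKI (all names are made up).
func Scenarios() map[string]error {
	root, rootKey := mkCert("New Root CA", nil, x509.KeyUsageCertSign, nil, nil)
	inter, interKey := mkCert("Issuing CA", nil, x509.KeyUsageCertSign, root, rootKey)
	leaf, _ := mkCert("api.example.test", []string{"api.example.test"}, x509.KeyUsageDigitalSignature, inter, interKey)
	return map[string]error{
		"ok":                   verifyLeaf(leaf, "api.example.test", root, inter),
		"missing intermediate": verifyLeaf(leaf, "api.example.test", root),        // ELB without the chain; a device trusting a different root fails the same way
		"hostname mismatch":    verifyLeaf(leaf, "www.example.test", root, inter), // the SSLSetPeerDomainName check
	}
}
```

Passing a different root as `trusted` (the device still holding the old CA profile) fails exactly like the missing-intermediate case, with an unknown-authority error rather than a hostname error.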

Certificate issue after migrate from HTTP to HTTPS

I am working on a mobile HTML5 site using HTML5/jQuery Mobile and the server is in PHP. I changed the server settings from HTTP to HTTPS, but now from my mobile it shows this type of error:
[Error] Failed to load resource: The certificate for this server is invalid. You might be connecting to a server that is pretending to be “www.example.com” which could put your confidential information at risk.
when using an iPhone 5 with iOS 7.1.2.
How do I handle that issue? What do I have to do?
For us this happened with the update to iOS 13. The requirements for trusted certificates changed, so we needed to adjust the certificate.
See the official page of Apple
You are using a self-signed certificate. Thus your iPhone doesn't trust your certificate.
Either add the certificate to your iPhone as a trusted certificate. (recommended)
Or create an official certificate from a trusted authority. (recommended for production usage)
Or make requests allowing insecure (self-signed) certificates. (not really recommended, but might be the fastest solution)

SSL cert works in iOS VM, but won't work on device

I got an SSL certificate from OpenSSL (not the best, but free and accepted by Chrome). It's used to make a secure payment to Stripe. Everything was working fine in the emulator, but when I loaded the app onto the device I get an error saying that "The certificate for this server is invalid."
Anyone know how to make this work? I'm looking for a correct solution (I have a feeling that will involve purchasing an SSL cert that's a bit more legit) as opposed to just allowing it in a hacky way to get it to run on the device.
Trusted certificates are signed by a certificate authority, so while openssl is good for creating self-signed certs to test with, you'll need to purchase a certificate for live use.
If you can install the certificate at both ends (client and server) then you can get away with a self-signed certificate. This is basically what happens when you "accept the risk" in Chrome.

Configuration Profile with MDM Payload not getting installed to the device

Can anybody tell me the reason why a Configuration Profile with an MDM Payload is not getting installed using IPCU?
How to deal with it?
Perhaps a bit old, but your MDM server URL must be a valid HTTPS URL with a cert from a trusted source; self-signed certs will not work.
View the console for the device in iPCU. This may help you track down the cause of your issue.
Self-signed SSL will work. While generating the self-signed SSL certificate on the server side, generate an identity.p12 certificate; this certificate you need to use in the identity section of IPCU. See this and this also.
Please verify again.