I was using iOS to connect to a server using a certificate whose CN (common name) and FQDN (fully qualified domain name) are server.myexample.com. The server certificate was signed by my own Root CA (whose certificate I added to my anchor certs via SecTrustSetAnchorCertificates and verified via the method described here using NSURLAuthenticationChallenge).
With my iOS client, I was attempting to connect to my REST service located at server.myexample.com/Path1/service1, but I kept receiving the following error:
The certificate for this server is invalid. You might be connecting to a server
that is pretending to be “server.myexample.com” which could put your confidential
information at risk.
Error occurred while fetching https://server.myexample.com/Path1/service1: Error
Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid.
You might be connecting to a server that is pretending to be “server.myexample.com”
which could put your confidential information at risk."
I get additional messages with the same info but specifying the errors: NSErrorFailingURLStringKey and NSURLErrorFailingURLPeerTrustErrorKey.
I found that I could also call the service at server.myexample.com/service1, i.e. with Path1 removed from my request URL, and then the server certificate verification worked correctly. Why is this? I was under the impression that the server only needed one certificate, meaning any services it hosts would also be using that same certificate. Maybe you need a separate server certificate per path? I was not aware that the paths after the server IP address/domain needed to have their own certificate.
To summarize:
iOS client app with Root CA certificate in the anchor certs
Server server1's certificate, signed by the Root CA, has a CN of server.myexample.com, and its FQDN is https://server.myexample.com.
Server server.myexample.com hosts service1 which can be accessed by web browser via:
https://server.myexample.com/service1 (passes iOS client's authentication of server)
https://server.myexample.com/Path1/service1 (FAILS iOS client's authentication of server)
CA and server certificates were created via OpenSSL
Thanks in advance!
I am trying to set up a remote VPN bridge to a partner router and get this error in connection: Local SSL handshake failed: Server certificate verification failed: self signed certificate in certificate chain.
I have added the cert to the local Solace router as well as added the names to the trusted names list, but it is still not working.
What am I missing here?
This means that you have not installed the public cert of the root issuer of the remote Solace broker server cert.
In general, the trust chain of an SSL cert needs to be established. For example, if the entire chain of the server cert is like this:
Root > Intermediate1 > Intermediate2 > Server
where > denotes "issue", and the server cert installed on the remote server (in this case a Solace broker) only has this:
Intermediate2 > Server
i.e., it contains the public certs of Intermediate2 AND Server.
Then, the client (in this case the local Solace broker) needs to be able to verify the rest of the chain:
Root
Intermediate1
This is typically known as a ca-bundle in most environments. "CA" stands for Certificate Authority. Unlike other OSes or browsers, the Solace broker does not have any defaults installed. You'll have to install those certs / certificate authorities as per the steps in https://docs.solace.com/Configuring-and-Managing/Managing-Certificate-Authorities.htm.
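As an added illustration of which links the ca-bundle must supply (this is not Solace's code or the answerer's), here is a small Python model of chain building: certificates are stood in for by constructed subject/issuer name pairs, and signatures are not checked, only the naming links.

```python
# Added illustration of chain building, not Solace's code. Certificates are
# modelled as constructed subject -> issuer name pairs; a self-signed cert has
# subject == issuer. Signatures, validity dates and key usage are NOT checked
# here; only the naming links that the ca-bundle must complete are modelled.
from typing import Dict, List, Optional, Tuple

MAX_DEPTH = 16  # guard against issuer loops

# The full issuing hierarchy from the answer (constructed names).
FULL_CHAIN = {
    "Root": "Root",
    "Intermediate1": "Root",
    "Intermediate2": "Intermediate1",
    "Server": "Intermediate2",
}
# What the remote broker actually presents: Intermediate2 AND Server only.
PRESENTED = {"Server": "Intermediate2", "Intermediate2": "Intermediate1"}


def build_chain(leaf: str, presented: Dict[str, str], trusted: Dict[str, str]
                ) -> Tuple[bool, List[str], Optional[str]]:
    """Walk issuer links from the leaf. Each issuer cert must come either from
    the presented chain or from the local trust store (the ca-bundle), and the
    walk succeeds only when it ends at a self-signed cert that IS in the trust
    store. Returns (trusted_ok, chain_built, first_missing_issuer)."""
    available = {**presented, **trusted}
    if leaf not in available:
        return False, [], leaf
    chain, current = [leaf], leaf
    for _ in range(MAX_DEPTH):
        issuer = available[current]
        if issuer == current:            # reached a self-signed cert
            return current in trusted, chain, None
        if issuer not in available:      # nobody has this issuer's cert
            return False, chain, issuer
        chain.append(issuer)
        current = issuer
    return False, chain, None


def required_in_bundle(leaf: str, full_chain: Dict[str, str],
                       presented: Dict[str, str], trusted: Dict[str, str]) -> List[str]:
    """Given knowledge of the full hierarchy, list the CA certs the local side
    must still install so that build_chain can reach the root."""
    needed, current = [], leaf
    while True:
        if current not in presented and current not in trusted:
            needed.append(current)
        issuer = full_chain[current]
        if issuer == current:
            return needed
        current = issuer
```

With an empty local trust store, `build_chain("Server", PRESENTED, {})` stops at the missing Intermediate1, `required_in_bundle` reports Intermediate1 and Root, and installing exactly those two makes the walk succeed; presenting the whole chain including the root without trusting it locally also fails, which is the "self signed certificate in certificate chain" situation.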
After iOS 7.1, if we want to deploy our Enterprise app over the air, the URL for the manifest.plist file has to be HTTPS.
For example:
itms-services://?action=download-manifest&url=https://example.com/manifest.plist
In my server I use a self-signed SSL certificate. When I tap the URL on an iPhone, it says Could not connect to <ip-address> and logs the typical
NSUnderlyingError=0x15d37040 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be `<ip-address>`, which could put your confidential information at risk."
So, I want to know whether I can use the self-signed SSL certificate or not?
If I can, how do I resolve the problem I've encountered?
First have the user install the self-signed SSL certificate on their device. Or use a free verified SSL service.
You will need to have the user install this file https://superuser.com/questions/97201/how-to-save-a-remote-server-ssl-certificate-locally-as-a-file
I believe this service provides browser-validated SSL certificates. https://www.startssl.com/?app=1
I am running into a strange error in my iOS client when attempting to connect to an f5 BigIP server via 2-way SSL (HTTPS) - the client is able to verify the server via its certificate only when the server is not requiring a client certificate during the SSL negotiation. The certificate for the Root CA that signed the server and my client certificates is already in my trusted anchor certs list.
Here are the steps in each test that I have attempted, and their SSL negotiation outcomes:
Server does NOT require client cert, client verifies server cert (1-way ssl: client -> server)
Client verifies server certificate (pass)
Client provides its cert to server (unchecked - not required by server)
Connection established, server allows client access
Server requires client cert, client verifies server cert (2-way SSL: client <-> server)
Client verifies server cert (FAIL!!)
Nothing else happens
Server requires client cert, client accepts any server as trusted (1-way SSL: client <- server)
Client does NOT verify server cert (setAllowsAnyHTTPSCertificate:YES - done for testing purposes only)
Client provides its cert to server (pass)
Connection established, server allows client access
Between cases 1 and 2, only the server is changed to require client certs (thereby enabling 2-way SSL), while the client verifies the server cert in both cases. Between cases 2 and 3, the client is changed to accept all server certs while the server requires a client certificate in both cases.
So it appears that I am only able to achieve 1-way SSL in either direction but not 2-way SSL. This is strange because the initial step, where the client verifies the server, should happen before the server asks for a client certificate, and therefore produce the same result each time. The error I get from test case 2 is as follows:
The certificate for this server is invalid. You might be connecting to
a server that is pretending to be “server.myexample.com” which could
put your confidential information at risk. Error occurred while
fetching https://server.myexample.com/service: Error
Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is
invalid. You might be connecting to a server that is pretending to be
“server.myexample.com” which could put your confidential information
at risk."
I get additional messages with the same info but specifying the errors: NSErrorFailingURLStringKey, NSErrorFailingURLKey, NSUnderlyingError, and NSURLErrorFailingURLPeerTrustErrorKey.
I don't believe I need a different server certificate for 2-way vs 1-way SSL, or do I?
Thanks in advance!
The problem was that I had the client request in an iRule on the f5 server. I removed this part of the iRule and added the request into the client SSL profile. This appears to work with the iOS client, meaning there is probably something strange with the iOS code since all browsers I have tested work either way I make the request (either iRule or client SSL profile). The iOS app only works with making the request in the client SSL profile.
I installed a GoDaddy-issued certificate and am getting the error below while calling HTTPS on port 8181. It worked fine with HTTP.
The certificate for this server is invalid. You might be connecting to a server that is pretending to be “my.ip.” which could put your confidential information at risk.
Did RestKit error out because I am using an IP instead of a valid domain name?
If you are connecting by typing https://your.ip:8181/ in your browser, that is the issue.
The SSL/TLS certificate for a web site contains the domain name for which it is issued, and it should match the name typed in the address bar.
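The name check this answer describes, and the one behind the first question on this page (where /Path1/service1 and /service1 hit the same certificate), is an added Python example below; it is not from either question, nor Apple's or RestKit's code. The certificate's names are passed in as constructed strings, and `host_matches_cert`, `_dns_match` and the sample hosts are assumptions of the example.

```python
# Added example (not from the questions above, nor Apple's or RestKit's code):
# how the host part of a URL is matched against a certificate's names.
# Certificate names are passed in as constructed plain strings.
import ipaddress
from typing import Iterable, Optional
from urllib.parse import urlsplit


def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style dNSName comparison: case-insensitive, and a wildcard
    may only stand for the whole left-most label (never something like *.com)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[2:]
    first, _, rest = host.partition(".")
    return bool(first) and "." in suffix and rest == suffix


def host_matches_cert(url: str, san_dns: Iterable[str] = (),
                      san_ip: Iterable[str] = (), cn: Optional[str] = None) -> bool:
    """Return True if the certificate is issued for the host named in `url`.
    Only the host component is compared: the port (8181 in the GoDaddy case)
    and the path (/Path1/service1 vs /service1) play no part at all."""
    host = urlsplit(url).hostname  # lowercased; IPv6 brackets already stripped
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal in the URL matches only an iPAddress SAN entry; a
        # dNSName or CN holding a domain name can never satisfy it.
        return any(ip == ipaddress.ip_address(entry) for entry in san_ip)
    san_dns = list(san_dns)
    # CN is consulted only as a legacy fallback when there is no dNSName SAN
    # (recent platforms, iOS included, require the SAN to be present).
    names = san_dns if san_dns else ([cn] if cn else [])
    return any(_dns_match(name, host) for name in names)
```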
I'm using the acegi security plugin and I run the app with -https. The cert is generated, but I get a certificate warning when I visit the web page. I have then downloaded the weak ssl plugin and added weakssl.trustAll =true to Config.groovy. But I am still getting the same warning. Have I left out anything?
The warning is normal. You can just accept the self-signed certificate. The weakssl module allows the Grails server to trust itself even if it provides a self-signed certificate. It has no effect whatsoever on the client. (Think what a horrible security hole it would be if you could just install some code on the server and get a client to accept a self-signed certificate without a warning!)
To solve your problem you need to either
manually tell your browser the certificate is OK by adding the certificate to your truststore
or
get a certificate from a trusted CA (Certificate Authority); a list of trusted CAs is stored in your browser. To get a certificate from a CA you need to prove your identity and pay some (a lot of) money.
So I recommend you just accept the untrusted certificate unless you want to buy a CA certificate.
The config you changed tells only the server to accept all certificates, i.e. when your server is connecting to another server