iOS app SSL handshake failed - ios

I am making an app to login to an aspx website over HTTPS by passing login credentials in a post method. When checking the response using Charles Proxy I can see a SSL Handshake failed error from seal.verisign.com, I am then taken back to the login page. I am not sure what I need to do to solve this issue.
I am testing this in the iPhone simulator.
I do not have access to the server implementation.
Any ideas?
Thank you!

On iOS >= 10.3, after installing the Charles Proxy certificate (as per #ashish-verma's excellent answer), you also need to enable it through Settings -> General -> About -> Certificate Trust Settings:
Full setup here: http://www.devsbedevin.net/debugging-ios-ssl-traffic/

If installing the certificate still doesn't help you, then it may be due to SSL Pinning.
From charlesproxy.com:
SSL Pinning
Note that some apps implement SSL certificate pinning which means they specifically validate the root certificate. Because the app is itself verifying the root certificate it will not accept Charles's certificate and will fail the connection. If you have successfully installed the Charles root SSL certificate and can browse SSL websites using SSL Proxying in Safari, but an app fails, then SSL Pinning is probably the issue.

Perhaps testing on an actual device will give more insight?
To do that in Charles:
Goto Proxy: Proxy Settings...
Proxies tab: Enter "8888" in the HTTP Proxy port: field
SSL Tab: make sure the "Enable SSL Proxying" is on
On your dev machine:
Goto System Preferences: Network: Wifi: Advanced: TCP/IP Tab: Make note of the IPV4 Address: (i.e. 10.0.1.101)
On your iDevice:
Goto http://charlesproxy.com/charles.crt from your device and download Charles SSL certificate
Okay the certificate as trusted (be sure to disable or remove it once you're done)
Goto the Settings App: Wifi: Select the detailed disclosure button (round blue button with the white arrow) for your network
Under HTTP Proxy, select "Manual"
Enter in the address from step (dev machine 1.) into the Server field, and the port number from step (charles 2.)
Finally:
Restart Charles
Run Safari on your iDevice to test. This should prompt Charles to display a dialog box to allow or deny SSL proxying. Obviously allow and you should be good to go.
More Info at Charles's site: http://www.charlesproxy.com/documentation/proxying/ssl-proxying/
Also, are you getting a response to the connection:(NSURLConnection*)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge*)challenge method?

You need to install SSL certificate to resolve this issue.
Follow these steps
Open Safari browser on iOS Simulator
Type "www.charlesproxy.com/getssl" in address bar
Install the SSL certificate
Restart Charles Proxy

It is possible that the server doesn't have a valid certificate for the url you are using.
Did you check that?
If you try the url using a browser, does it give you a warning?

You have to install SSL certificate on mobile device.
Search online for how to install SSL certificate for Charles Proxy.

Remove all old user credentials, then Re-Install new ssl certificate.

If running on the simulator, just restart both Charles Proxy and the simulator, making sure Charles Proxy starts first

Related

Getting SSL handshake failed for Charles Proxy certificate on iOS even after granting full trust

I am constantly getting
SSL handshake with client failed - Remote host terminated the
handshake
error in Charles Proxy from iOS 16.1, which should indicate that certificate isn't trusted, but I granted full trust in the iPhone settings.
Here are steps to reproduce:
Download and install Charles Proxy on macOS and enable SSL Proxying. HTTP proxy port is set to 8888
On iPhone, in wifi settings enable manual proxy and enter the computer's IP and port 8888
Then dialog will appear in Charles Proxy on which need to click "Allow"
On iPhone go to chls.pro/ssl in order to download the certificate
In iPhone's settings install a new profile with a certificate.
Then in Settings -> General -> About -> Certificate Trust Settings set the switch for the certificate to on.
I can see requests in Charles Proxy but they all are with SSL handshake error. Also, Safari on iPhone returns the error "This Connection Is Not Private"
Can someone explain what am I doing wrong?
Here is the screenshot from the Certificate Trust Settings.
Finally, I found the problem. In my case, it was an expired certificate. In order to fix it, it is necessary to go to Help -> SSL Proxying -> Reset Charles Root Certificate.... It will generate a new one. Then it is needed to install it and grant trust to it.
I wasn't noticing it because before I was working only with Android and it didn't check if a certificate was expired, unlike iOS.
Because I wasn't been able to find any troubleshooting checklist for similar situations I will mention it here. Hopefully, it will help somebody:
Make sure that Enable SSL Proxying is enabled in Proxy -> SSL Proxying Settings...
Check that the Exclude list doesn't contain the locations that you are trying to record.
Check that Proxy -> Record Settings doesn't have unneeded excludes or includes
Check if your target device is connected to the same wifi point as a computer.
Check if the wifi proxy on the target device is enabled.
Check if the wifi proxy on the target device is working. It is possible to check by entering incorrect proxy IP and trying to access the internet through a browser. If the proxy is working there will be no access to the Internet. (Note: at the time of writing this answer some iPhones with iOS 16 do have not a working proxy. More info here)
Check if the proxy is configured with the correct IP and port
Check if the target device has Charles's certificate installed
Check if the target device trusts Charles's certificate
Check if Charles's certificate isn't expired. If it is, go to Help -> SSL Proxying -> Reset Charles Root Certificate... and reinstall the certificate.
(for Android) Check if the target app has network_security_config.xml referenced in AndroidManifest.xml

Getting 200 Connection established in Charles but not able to see the response content for Https

Tried setup the Charles certificate from different blogs and can see the certificate is installed in device but getting 200 Connection established instead of proper response of Traffic
I had to do few extra steps to make Charles work in my Mac+iOS setup
If you are getting this error that mean you already have tried installing certificate. let's try reinstalling them once
Step 1 : Remove all exiting certificate
Settings > General > Profiles
Check the certificate list for name starting with Charles Proxy CA
Click on the Charles certificate and Remove one by one using Remove profile option
Step 2 : Install new Charles certificate
2.1 : Charles (from Mac system) Documentation -> Help -> SSL Proxying -> Install Charles root certificate on a Mobile Device or Remote browser
Capture the IP and Port details
2.2 : Go to iOS device -> Settings ->Wi-Fi -> Click on the Connected network -> Select Configure Proxy in HTTP Proxy option -> Add IP in Server and Port as 8888 with Authentication off in device
2.3 : Open safari and browse chls.pro/ssl
Download the Certificate and install
2.4 : trust certificate in Settings > General > Profiles
2.5 : Toggle on the General > About > Certificate Trust Settings
Now, restart Charles. You should be able to see the traffic in Charles
Please make sure you follow the guideline to install the certificate and trust it on your iOS devices.
Majority people often forget trusting the Certifiacte in Setting app -> General -> About -> Certifiacte Trust Setting -> Switch ON on the certificate.
Proxyman has a built-in guideline that facilitates it.
Disclaimer: I create this app and hopefully it helps you to solve your problem.

Why https request fails on Charles Proxy if SSL proxying is turned on

I have installed and configured Charles proxy in my mac.
I am able to browse all http sites and see the requests in Charles but I am not able to browse https sites I get unable to connect
Safari cannot open the page because it could not establish a secure
connection.
I have installed the SSL certificate as it is mentioned in Charles but all the https connections are failing
If you are on iOS 10.3 or later, open the Settings.app and navigate to General > About > Certificate Trust Settings, and find the Charles Proxy certificate, and switch it on to enable full trust for it
Now you should be able to access SSL websites with Charles using SSL Proxying.
Look into iOS Devices section in the Charles SSL documentation for reference
I had to do few extra steps to make Charles work in my Mac+iOS setup
The device which I was using was the shared between team and had multiple certificate installed for Charles, to solve the issue I tried fresh install of the certificate and it worked
Step 1 : Remove all exiting certificate
Settings > General > Profiles
Check the certificate list for name starting with Charles Proxy CA
Click on the Charles certificate and Remove one by one using Remove profile option
Step 2 : Install new Charles certificate
2.1 : Charles (from Mac system) Documentation -> Help -> SSL Proxying -> Install Charles root certificate on a Mobile Device or Remote browser
Capture the IP and Port details
2.2 : Go to iOS device -> Settings ->Wi-Fi -> Click on the Connected network -> Select Configure Proxy in HTTP Proxy option -> Add IP in Server and Port as 8888 with Authentication off in device
2.3 : Open safari and browse chls.pro/ssl
Download the Certificate and install
2.4 : trust certificate in Settings > General > Profiles
2.5 : Toggle on the General > About > Certificate Trust Settings
Now, restart Charles. You should be able to see the traffic in Charles

Access Development server with self-signed SSL Certificate

My app needs to connect to an internal web server through https.
The server has a self-signed certificate that is valid until next year:
I have installed this certificate in the iOS Simulator and on the device (Certificate.cer):
I am watching the traffic with Charles and the request does not even "leave" my computer.
The problem seems to be due to the SSL Certificate because when I can access the server through the internal url and the port 8080 everything works fine.
I did try the hack with the category allowsAnyHTTPSCertificateForHost:. This did not work in the simulator as well as on the device.
There seems to be official API to do this: How to use NSURLConnection to connect with SSL for an untrusted cert?
However, since this is only my development environment I would prefer not to change my code base for now. Plus I am using a framework to parse my data and I might have to deeply interfere with that framework to get to the API described above.
So my question is, should it not be possible to install the certificate and then use the server as if there was an official SSL certificate.
Email the self-signed certificate to yourself then open it on your iPhone. You will be taken through the steps to install the certificate on your phone.

Fiddler - Capture and decrypt HTTPS traffic from iPad app

I'm trying to monitor the HTTPS requests/responses for my iPad app using Fiddler. I have a Windows 7 PC running Fiddler and have configured the HTTP proxy on my iPad to point to the PC using port 8888. This works fine and the CONNECT tunnel messages and 'ClientHello' handshakes can be seen in the capture log. However as soon as I enable the 'Decrypt HTTPS traffic' option in Fiddler, the app is blocked from connecting to the server. I've tried installing the Fiddler root certificate on the PC, and I also installed the certificate on my iPad by exporting the certificate to a URL and pointing Safari to the URL on my iPad which then installed it. This hasn't made a difference. Do I need to do something with the SSL certificate installed at the server running my web service?
Download the Fiddler Add-on for iOS/Android then visit http://[proxyip]:[port]/ using your phone browser. You can generate/download your working certificate from there.
And
Turn on your fiddler certificate at Your iPhone Setting -> General -> About -> Certificate Trush Settings
You may not have completely installed the Fiddler certificate.
Email the fiddler certificate to your iPad. Open the email and then open the certificate. iOS will prompt you to trust the certificate, and then install it.
If it is installed correctly, you will have a new iOS setting under Settings->General->Profile called DO_NOT_TRUST_Fiddler. That setting is your installed certificate.
Once the certificate is installed - Fiddler will be able to show you your HTTPS traffic.
I try to open https://github.com for testing. And I have done as Josh said(Install the certificate through email). But I came across "Safari cannot open the page because it cannot establish a secure connection to the server". When I close http proxy, https;//github.com shows up well.
Install "CertMaker Add-on" from this article and try again everything you described in your question - it will work okay.

Resources