This question is unlikely to help any future visitors; it is only relevant to a small geographic area, a specific moment in time, or an extraordinarily narrow situation that is not generally applicable to the worldwide audience of the internet. For help making this question more broadly applicable, visit the help center.
Closed 9 years ago.
I have a Ruby on Rails app that uses SSL. I run the server using thin start --ssl. Every time I launch the server and access the app, I get a warning saying that the SSL certificate is not verified. That is not a problem as long as I stay in Rails. However, my app also has an API and I am developing an iPhone client app for it. When I do a request from the iphone app to the local Rails server, I get the following error:
2013-03-24 12:30:09.680 OAuth2Test[44541:c07] Error: Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “oauth.lvh.me” which could put your confidential information at risk." UserInfo=0x8832730 {NSErrorFailingURLStringKey=https://oauth.lvh.me:3000/oauth/authorize?client_id=23b8921e8db833a33ac7a058b93183a1496f56a6eea4f6c597291106f80a37d0&redirect_uri=https%3A%2F%2Fcatapultcentral.com%2FiOSClientCallback&response_type=code, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSErrorFailingURLKey=https://oauth.lvh.me:3000/oauth/authorize?client_id=23b8921e8db833a33ac7a058b93183a1496f56a6eea4f6c597291106f80a37d0&redirect_uri=https%3A%2F%2Fcatapultcentral.com%2FiOSClientCallback&response_type=code, NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “oauth.lvh.me” which could put your confidential information at risk., NSUnderlyingError=0x8944cd0 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “oauth.lvh.me” which could put your confidential information at risk.", NSURLErrorFailingURLPeerTrustErrorKey=}
In my opinion, the key part of this error is: "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “oauth.lvh.me” which could put your confidential information at risk.". By the way, I test my iPhone app in the iPhone Simulator.
So, if I am correct, there are three solutions to this problem:
Deploy my API to the staging server and develop the iPhone app against that. At the moment, all the API-related code is not deployed, and I'd rather not deploy it until it is in a stable state. So that is not an option.
Develop the iPhone app in a certain way so that it doesn't verifies the SSL certificate. I do not like this approach and I don't even know how to do it...
Get a local verified SSL certificate (fake the verified state or something). I don't know how to do that but that seems like the best option.
I tried to follow a tutorial on how to generate a self certified SSL certificate and then run the Rails server with thin start --ssl --ssl-verify --ssl-key-file server.key --ssl-cert-file server.crt but that didn't work (the created SSL certificate is still not verified).
So how can I solve my problem please?
You should create a root CA and use it to create your SSL certificates, and add that root CA to your iPhone.
Related
I'm trying to connect my IOS app with my python backend. The data I'm trying to fetch is on a server with a self signed SSL certificate. But every time I try to fetch the data, I get this error: NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “serverName.com” which could put your confidential information at risk.}) DataTask error: The certificate for this server is invalid. You might be connecting to a server that is pretending to be “serverName.com” which could put your confidential information at risk.
Does anyone know what might be causing this error? Or how to resolve it?
My app fetches resources from AWS bucket (accessed thru a cloudfront).
Some of the users fails to fetch the data due to
NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made."
As we use AWS service I assume that the SSL certificate is fine, the fact that it happens to a small (but not small enough) portion of the users should say that the SSL certificate is OK.
Any other post I saw about this issue suggested to add a flag to App Transport Security Settings in info.plist file that will allow unsecured connection. This is not something I can (or want) to do.
Thanks for the help :)
This might happen if you're using a VPN.
But will also happen if you're using a proxy tool like Charles Proxy but haven't installed/trusted the Charles Proxy certificate.
It also happened to me when I was on a public wifi network. It seemed that some how the public wifi was doing some sort of a MITM to maybe add some ads. I didn't face the same problem when I was using LTE or a non-public wifi
I found this solution from the Apple Developer Forums which does not involve modifying the App Transport Security Settings:
And you shouldn’t need an ATS exception in your scenario. The
approach I recommend is as follows:
Set up a custom certificate authority (CA) within your organisation (many organisations already have this).
Have it issue a certificate for your private server.
Use MDM to install your organisation CA’s root certificate on your devices.
getting an intermittent SSL error on iOS.
I've turned off ATS, and we know this happens on OS versions < iOS9 as well
Error Domain=NSURLErrorDomain Code=1011 "An SSL error has occurred and
a secure connection to the server cannot be made."
UserInfo={NSLocalizedDescription=An SSL error has occurred and a
secure connection to the server cannot be made.,
NSLocalizedRecoverySuggestion=Would you like to connect to the server
anyway?, _kCFStreamErrorCodeKey=-9806 NSErrorFailingURLStringKey=, _kCFStreamErrorDomainKey=3, NSUnderlyingError=0x1471b600
from our crittercism logs, seems like some users are able to replicate this. but we have not been able to
Would you like to connect to the server anyway?<-- this makes me suspect that there was an authentication challenge. how can i verify that?
kCFStreamErrorCodeKey=-9806 <-- does anyone know what this error means?
Edit:
-9806 means errSSLClosedAbort
http://www.opensource.apple.com/source/Security/Security-55179.13/libsecurity_ssl/Security/SecureTransport.h
what can cause this? i don't think this is due to a spotty network because from our tracking tools, SSL connections to other hosts seem ok. and when a user hits this issue, it is re-produceable. seems to me like we need to inspect the failure with wireshark to get further information. but we have not been able to re-produce this. does anyone have ideas logging more information from apps in the wild to debug this?
The server SSL certificate is failing the built-in certificate validation. It is up to you to decide how to handle this and present a correct remediation to the user. This can happen for many reasons.
SSL trust evaluation is described in detail in Technical Note 2232: SSL Trust Evaluation.
I've had similar errors in a few scenarios:
The server was getting accessed via https://www.domainname.com instead of https://domainname.com (note the "www.") in which case because of how I signed the cert was making it invalid. (I later found how to make the cert valid for both addresses and used the virtualHost and htaccess to always push to www.jeremiedaigle.com)
I had a load bearing server which was improperly setup. One of the servers had the cert, the other didn't.
Last, I have also encountered this issue when debugging and trying to use a self signed cert because I was using a proxy (CharlesProxy) middleman to debug my requests. the Middleman cert, in this case had to be trusted by the device. You can do this by sending the cert via email and opening it on the device.
How do I install a certified TLS certificate on an iOS app?
I assume there also needs to be the ability to send a new certificate over the network to the app in the future, if need be, and how exactly would that work?
I assume once it's installed that Apple will handle the entire handshake process of the device side?
Had some trouble finding explicit answers to these questions online.
Assuming that what you are describing is a signed SSL certificate for your domain name, the only thing you will need to do is install it on your web server. When your application makes a request to your web server, the server will send the certificate to the client during the initial HTTPS handshake, and the client will verify it automatically.
I have this setup:
A tomcat server configured to use ssl client certificate authentication (clientAuth=true)
An ipad with a valid client certificate installed on it (emailed as a .p12 file and visible under profiles)
When browsing via ios safari, the ipad uses the client cert and authenticates against the server fine.
However in code, using a NSURLConnection, it won't connect. Debugging on the server shows the client isnt sending and cert at all.
On the client I get an error like this:
Request(https://192.168.1.5:8443/device/security/policy>, 0, 0)) didFailWithError:Error Domain=NSURLErrorDomain Code=-1205 "The server “192.168.1.5” did not accept the certificate." UserInfo=0xe2eae30
{NSErrorFailingURLStringKey=https://192.168.1.5:8443/device/security/policy>, NSErrorFailingURLKey=https://192.168.1.5:8443/device/security/policy>, NSLocalizedDescription=The server “192.168.1.5” did not accept the certificate.,
NSUnderlyingError=0xe2eb250 "The server “192.168.1.5” did not accept the certificate.", NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0xe6ab010>}
I understand I can implement the delegate method for the challenge for the NSURLAuthenticationMethodClientCertificate protection space, but if I do that I dont have the certificate to send, its installed on the device and that isnt accessible via code (is it??)
I tried calling [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge] but that appeared to have no effect.
I was expecting that NSURLConnection would behave as per safari and access the installed certificate, but it appears not. I dont want to have to install the certificate into my app somehow - thats what the built in certificate management is for!
Or am I missing something? Any help appreciated.
Fundamentally you can't get at globally installed certificates from within an app in iOS (as of iOS 8), and the operating system won't help you out by sending them with an NSURLConnection. Safari has special rights to access the certificates. So the only way to use them from within an app is to install them into the app somehow, which makes the whole thing difficult.