watchOS 7 beta networking gives SSL error

Somehow this certificate is being identified as revoked, and that's where the breakdown is. Try testing this with one of the certificates that exist in the current watchOS 6 Trust Store as a baseline, and then move forward from that point with any custom root or leaf from there.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Hi Matt, first thank you very much for your kind answer.

I would like if possible some directions to help me understand what you're saying. The code I did is working just fine in watchOS 6.2.8 but failing with watchOS 7 latest beta 7 (with the error above, "An SSL error has occurred and a secure connection to the server cannot be made."). I just want to compare the fingerprint of the certificate I receive to the fingerprint (SHA256 hash) I have in my code. I'm using Alamofire, and this is the code I have in the sessionDidReceiveChallenge:

Code Block 
_sessionMgrDefault.delegate.sessionDidReceiveChallenge = { session, challenge in
    var disposition: URLSession.AuthChallengeDisposition = .performDefaultHandling
    var credential: URLCredential?
    if challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust {
        let host = challenge.protectionSpace.host
        if let serverTrust = challenge.protectionSpace.serverTrust {
            disposition = URLSession.AuthChallengeDisposition.useCredential
            credential = URLCredential(trust: challenge.protectionSpace.serverTrust!)
            let fingerPrints = ["<<<CERTIFICATE SHA256 HASH>>>"]
            for index in 0..<SecTrustGetCertificateCount(serverTrust) {
                let cer = SecTrustGetCertificateAtIndex(serverTrust, index)
                if let certificate = SecTrustGetCertificateAtIndex(serverTrust, index) {
                    let certData = certificate.data
                    let certHashByteArray = certData.sha256()
                    let certificateHexString = certHashByteArray.toHexString().lowercased()
                    if fingerPrints.contains(certificateHexString) {
                        return (disposition, credential)
                    }
                }
            }
        }
    }
    disposition = .cancelAuthenticationChallenge
    return (disposition, credential)
}

Running an analysis on the site SSLabs.com it says that (the certificate is a wildcard "*.<domain>.com.br"):

Code Block 
Issuer	Valid Certificadora Digital SSL OV CA 2018 
Signature algorithm SHA256withRSA
Revocation status	Good (not revoked)
DNS CAA	No
Trusted	No   NOT TRUSTED (Why?) 

NOTE: Someone made a comment on StackOverflow that to be compatible with the ATS requirements, "as soon as you are doing a https:// request, you must ensure, that you meet the ATS-requirements: a valid certificate installed on the server (without wildcard, exactly matching the server's domain name), server supports TLS 1.2 with forward secrecy."

Is this the problem on watchOS 7? The certificate has to be specific to the site and not have wildcard?

Thank you again very much for your kind answer. Best Regards.

In the first part of your question you mentioned:

The same certificate I use on the app on watchOS 6 and it was generated with the openssl command (openssl sclient -connect <SITEURL>:443 </dev/null | openssl x509 -outform DER -out cert.der).

It looks like you are downloading a copy of the server certificate to saving the bytes in your app and using it in your fingerPrints variable.

You then checked the remote certificate and received the following:

Issuer Valid Certificadora Digital SSL OV CA 2018
Signature algorithm SHA256withRSA
Revocation status Good

In the first part of your question you mentioned:

the error is "Code=-67820 "Certificate 2 “Trusted Root CA SHA256 G2” has errors: Certificate is revoked;".

So based on this info something does not add up here; In the first message you have the CA issuer as "Trusted Root CA SHA256 G2," but in your lastest message you have the CA issuer as "Issuer Valid Certificadora Digital SSL OV CA 2018."

My recommendation here would be to iron out the latest certificate chain and validate that everything is good in that chain. Next, if you need to validate the leaf certificate, make sure you have the correct leaf bytes saved locally, and your code is checking against the correct leaf during certificate evaluation in your app.

If you still run into issues with this when watchOS 7 is released, open a TSI and I can help you iron this out. Normally I would just have you open a TSI now, but DTS does not support software that is in Beta.



Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Hi Matt,

What I do not understand yet is that running on watchOS 6 the code runs OK and connects to the server. If I do it under whatchOS 7 beta it gives me the following error:

Code Block 
PDTask <C109A177-0F66-4F87-876E-F5C104CC47BD>.<1> finished with error [-1200] Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSErrorClientCertificateStateKey=0, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataPDTask <C109A177-0F66-4F87-876E-F5C104CC47BD>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey=("LocalDataPDTask <C109A177-0F66-4F87-876E-F5C104CC47BD>.<1>",
    "LocalDataTask <C109A177-0F66-4F87-876E-F5C104CC47BD>.<1>"), NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802}

What my code does is to save locally in the "fingerprints" array the "Fingerprint SHA256" of the server certificate and at runtime, obtain the server certificate, generate the SHA256 fingerprint and compare it to what I have saved on that variable. And it works OK.

What I would also like to know if there is a need to put some kind of key in a .plist or something... If you discover that something need to be put there I would appreciate. I will follow your advice and continue my tests and wait for the final release. If I discover something or your discover something, please lets use this thread. Thank you again so much for your kind support. 

Best Regards, Marcus.

Marcus,

What I do not understand yet is that running on watchOS 6 the code runs OK and connects
to the server. If I do it under whatchOS 7 beta it gives me the following error:
What I would also like to know if there is a need to put some kind of key in a .plist or something...

Right, this is what we need to get to the bottom of. I do see that you are the ErrorKey refers to "LocalDataTask." Are you hitting the local network here? If so, and you have not already you should add the NSLocalNetworkUsageDescription key and description to your Info.plist.

I will follow your advice and continue my tests and wait for the final release. If I discover something or your discover something, please lets use this thread. Thank you again so much for your kind support.

Yes, if you are still are having this issue when watchOS 7 is released, open a TSI and we will get to the bottom of this.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Hi Matt, how are you doing?

I asked the infrastructure team of the company and they told me that the certificate they are using on this particular site was incorrectly revoked by the CA, but they still uses it until all apps that connects to this server are updated to use the newer certificates... So, the message:

Code Block 
Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSErrorClientCertificateStateKey=0, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?,  NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made.

I guess it is correct, but the fact remains that why this message does not appear running on watchOS 6.2.8 but appear when running under the watchOS 7 (final version).

Also do you know how can I force it to connect programmatically bypassing this message on watchOS 7?

Thank you in advance for your kind support. Best Regards, Marcus.

Hi Matt!

If I put this on .plist file it works on watchOS 7. Is this the correct way or there is another way to do this programmatically ?

Code Block 
    <key>NSAppTransportSecurity</key>
    <dict>
      <key>NSExceptionDomains</key>
      <dict>
        <key><DOMAIN></key>
        <dict>
          <!--Include to allow subdomains-->
          <key>NSIncludesSubdomains</key>
          <true/>
          <!--Include to allow HTTP requests-->
          <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
          <true/>
          <!--Include to specify minimum TLS version-->
          <key>NSTemporaryExceptionMinimumTLSVersion</key>
          <string>TLSv1.1</string>
        </dict>
      </dict>
    </dict>

Thank you again in advance. Best Regards.

I asked the infrastructure team of the company and they told me that the certificate
they are using on this particular site was incorrectly revoked by the CA, but they still
uses it until all apps that connects to this server are updated to use the newer
certificates
I guess it is correct, but the fact remains that why this message does not appear
running on watchOS 6.2.8 but appear when running under the watchOS 7 (final version).

Right, this does sound correct from infrastructure standpoint then. As to why this works between watchOS 6.2.8 and watchOS 7 this may be due to changes that landed recently for processing administrator added certificates. (See iOS 13.6 Security section), but that would only make sense if this landed in watchOS 7 and you are dealing with an in-house certificate here. Otherwise this does not apply. Like I mentioned, you could open a TSI here for me to look deeper into this.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com