Certificate invalid

I am connecting to a server through my iOS app. The server has a valid certificate from DigiCert and uses TLS version 1.2, but the requests return a “Certificate is invalid” error. What is the reason for this error and how could I get past it?

This is the server: https://webrtc01.defandmute1.tedata.net/

I can’t connect to your server at all. The following just never comes back:

% openssl s_client -connect webrtc01.defandmute1.tedata.net:443

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I added screenshots of the response from the server, as it is restricted to working only in Egypt.

the server … is restricted to be working only in Egypt

Well, that makes it hard.

I added screenshots for the response

Screenshots are problematic because I can’t reliably copy’n’paste from them. Please repeat this test and post the result as a code block. Or, if it’s too long, put it into a text file and attach that.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks for that. Unfortunately I need some extra info from you. Please repeat what you just did, but this time include the -showcerts argument.

Also, I’d like to rule out an ATS issue here. Try this:

  1. Create a tiny HTTPS client with Network framework. There’s some code you can use below.

  2. Run it against example.com to confirm that it’s working.

  3. Then run it against your server.

Is it able to connect?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"


IMPORTANT The following code is for hack-ish testing only. It’s not meant to be a real HTTPS client. HTTP/1.1 is way more complex than this test client suggests.

import Foundation
import Network

class TinyHTTPSClient {

    init(host: String) {
        self.host = host
        // `.tls` uses the system TLS defaults, including full certificate
        // evaluation but not ATS, which is what lets this isolate an ATS problem.
        self.connection = NWConnection(host: .init(host), port: 443, using: .tls)
    }
    let host: String
    let connection: NWConnection

    func run() {
        // Minimal HTTP/1.1 request; each header line ends in CRLF and the
        // empty line ends the header block.
        let request = """
            GET / HTTP/1.1\r
            Host: \(self.host)\r
            Connection: close\r
            \r\n
            """
        // Queued before `start`; it goes out once the connection is ready.
        self.connection.send(content: Data(request.utf8), completion: .contentProcessed({ error in
            if let error {
                print("did not send, error: \(error)")
            } else {
                print("did send")
            }
        }))
        self.startReceive()
        // No `stateUpdateHandler` is installed, so a failed TLS handshake
        // prints nothing at all; only send and receive completions print.
        self.connection.start(queue: .main)
    }

    func startReceive() {
        self.connection.receive(minimumIncompleteLength: 1, maximumLength: 2048) { content, _, isComplete, error in
            if let content {
                // Hex dump of the first 16 bytes, enough to see the status line.
                let prefix = (content.prefix(16) as NSData).debugDescription
                print("did receive, count: \(content.count), prefix: \(prefix)")
            }
            if isComplete {
                print("did not receive, EOF")
                return
            }
            if let error {
                print("did not receive, error: \(error)")
                return
            }
            // Keep reading until EOF or an error.
            self.startReceive()
        }
    }
}

// Usage, e.g. from a command-line tool with a running main queue:
// TinyHTTPSClient(host: "example.com").run()

Hi,

When I added the -showcerts option, this is the response:

openssl s_client -connect -showcerts webrtc01.defandmute1.tedata.net:443
unknown option webrtc01.defandmute1.tedata.net:443
no port defined
usage: s_client args

 -4      - Force IPv4
 -6      - Force IPv6
 -host host   - use -connect instead
 -port port   - use -connect instead
 -connect host:port - who to connect to (default is localhost:4433)
 -proxy host:port - connect to http proxy
 -verify arg  - turn on peer certificate verification
 -cert arg   - certificate file to use, PEM format assumed
 -certform arg - certificate format (PEM or DER) PEM default
 -key arg   - Private key file to use, in cert file if
         not specified but cert file is.
 -keyform arg - key format (PEM or DER) PEM default
 -pass arg   - private key file pass phrase source
 -CApath arg  - PEM format directory of CA's
 -CAfile arg  - PEM format file of CA's
 -reconnect  - Drop and re-make the connection with the same Session-ID
 -pause    - sleep(1) after each read(2) and write(2) system call
 -showcerts  - show all certificates in the chain
 -debug    - extra output
 -msg     - Show protocol messages
 -nbio_test  - more ssl protocol testing
 -state    - print the 'ssl' states
 -nbio     - Run with non-blocking IO
 -crlf     - convert LF from terminal into CRLF
 -quiet    - no s_client output
 -ign_eof   - ignore input eof (default when -quiet)
 -no_ign_eof  - don't ignore input eof
 -tls1_2    - just use TLSv1.2
 -tls1_1    - just use TLSv1.1
 -tls1     - just use TLSv1
 -dtls1    - just use DTLSv1
 -mtu     - set the link layer MTU
 -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol
 -bugs     - Switch on all SSL implementation bug workarounds
 -cipher    - preferred cipher to use, use the 'openssl ciphers'
         command to see what is available
 -starttls prot - use the STARTTLS command before starting TLS
         for those protocols that support it, where
         'prot' defines which one to assume. Currently,
         only "smtp", "lmtp", "pop3", "imap", "ftp" and "xmpp"
         are supported.
 -xmpphost host - connect to this virtual host on the xmpp server
 -sess_out arg - file to write SSL session to
 -sess_in arg - file to read SSL session from
 -servername host - Set TLS extension servername in ClientHello
 -tlsextdebug   - hex dump of all TLS extensions received
 -status      - request certificate status from server
 -no_ticket    - disable use of RFC4507bis session tickets
 -alpn arg     - enable ALPN extension, considering named protocols supported (comma-separated list)
 -groups arg    - specify EC curve groups (colon-separated list)
 -use_srtp profiles - Offer SRTP key management with a colon-separated profile list
 -keymatexport label  - Export keying material using label
 -keymatexportlen len - Export len bytes of keying material (default 20)

and when I run the code you shared for "example.com", these lines are printed:

did send
did receive, count: 1609, prefix: <48545450 2f312e31 20323030 204f4b0d>
did not receive, EOF

but when I use it for my server, nothing is printed at all.

Response after adding the -showcerts option; sorry for the inconvenience.

Yeah, it seems that our systems are really not happy with the certificate being presented by your server.

I put the certificates into a simple test project that evaluates trust on the leaf. See below for the code. (Note that this uses the helper routines from this post.) You can see that trust evaluation is failing for reason 4. Those reason codes come from RFC 5280, where 4 means superseded.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"


import Foundation
import Security

// The three certificates from the -showcerts output, decoded with
// SecCertificateCreateWithData; elided here as in the original post.
let leaf: SecCertificate = …
let intermediate: SecCertificate = …
let root: SecCertificate = …

// An SSL server policy ties the evaluation to the host name, as the TLS stack does.
let policy = SecPolicyCreateSSL(true, "webrtc01.defandmute1.tedata.net" as NSString)

// `secCall` is the helper from the linked post; it turns the out-parameter
// error of a Security framework call into a thrown Swift error.
let trust = try! secCall {
    SecTrustCreateWithCertificates(
        [leaf, intermediate, root] as NSArray,
        policy,
        $0
    )
}

try! secCall { SecTrustEvaluateWithError(trust, $0) }

// Overall outcome of the evaluation above.
var result = SecTrustResultType.invalid
try! secCall { SecTrustGetTrustResult(trust, &result) }
print(result.rawValue)
// prints:
//
// 6
//
// that is, `.fatalTrustFailure`

// Per-certificate details; the first dictionary is the leaf.
let r = try! secCall { SecTrustCopyResult(trust) }
print(r)
// prints:
//
// {
//     TrustEvaluationDate = "2023-03-08 09:02:07 +0000";
//     TrustResultDetails = (
//         {
//             Revocation = 4;
//         },
//         {
//         },
//         {
//         }
//     );
//     TrustResultValue = 6;
//     TrustRevocationReason = 4;
// }
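Added example, not code from any post in this thread: it reproduces the failure mode Quinn's trust evaluation reported, using only the openssl CLI, so the revocation reason can be seen without Apple's frameworks. It builds a throwaway CA, issues a leaf for the hostname from the thread, revokes it with CRL reason "superseded" (value 4 in the RFC 5280 CRLReason enumeration, the TrustRevocationReason printed above), and then verifies the leaf twice: a chain-and-hostname check accepts it, a revocation-aware check rejects it. It also shows the corrected argument order for the s_client probe attempted earlier in the thread. The function names, the throwaway CA and its config are this example's own; it assumes an OpenSSL command-line tool on PATH and writes only into a temporary directory.

```shell
# Added example for this thread, not code from the original posts: a throwaway
# CA built with the openssl CLI, a leaf for the hostname from the thread,
# revoked with CRL reason "superseded" (value 4 in the RFC 5280 CRLReason
# enumeration, the TrustRevocationReason the Security framework printed), and
# two verifications: chain-only accepts the leaf, revocation-aware rejects it.
set -eu

HOST=webrtc01.defandmute1.tedata.net   # hostname from the thread

# The s_client probe the poster attempted, with the argument order fixed:
# -connect consumes the next word as host:port, so -showcerts cannot sit
# between them; -servername sends SNI so a virtual host presents its own chain.
# Needs network access, so the offline demo below does not call it.
probe_chain() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null
}

# build_revoked_chain DIR: root CA, leaf, revocation entry and CRL under DIR.
build_revoked_chain() {
    dir=$1
    mkdir -p "$dir/issued"
    : > "$dir/index.txt"
    echo 1000 > "$dir/serial"
    echo 1000 > "$dir/crlnumber"
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = root_ext
[ dn ]
CN = Throwaway Root
[ root_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
[ ca ]
default_ca = throwaway
[ throwaway ]
dir = .
database = \$dir/index.txt
new_certs_dir = \$dir/issued
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
default_md = sha256
default_crl_days = 1
policy = any_cn
[ any_cn ]
commonName = supplied
EOF
    (
        cd "$dir"
        # Self-signed root able to sign certificates and CRLs.
        openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
            -days 1 -subj "/CN=Throwaway Root" -config openssl.cnf >/dev/null 2>&1
        # Leaf CSR for the server name, then sign it with TLS-server extensions.
        openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
            -subj "/CN=$HOST" -config openssl.cnf >/dev/null 2>&1
        openssl ca -batch -config openssl.cnf -extensions leaf_ext -days 1 -notext \
            -in leaf.csr -out leaf.pem >/dev/null 2>&1
        # Revoke as "superseded" and publish a CRL carrying that reason code.
        openssl ca -batch -config openssl.cnf -revoke leaf.pem \
            -crl_reason superseded >/dev/null 2>&1
        openssl ca -batch -config openssl.cnf -gencrl -out crl.pem >/dev/null 2>&1
    )
}

# verify_leaf DIR MODE: prints "accepted" or "rejected". MODE "plain" checks
# chain and hostname only, all that s_client's "Verify return code" covers;
# MODE "crl" also consults the CRL, the check that failed on Apple's side.
verify_leaf() {
    if [ "$2" = crl ]; then
        openssl verify -CAfile "$1/ca.pem" -verify_hostname "$HOST" \
            -crl_check -CRLfile "$1/crl.pem" "$1/leaf.pem"
    else
        openssl verify -CAfile "$1/ca.pem" -verify_hostname "$HOST" "$1/leaf.pem"
    fi >/dev/null 2>&1 && echo accepted || echo rejected
}

# crl_reason DIR: the reason name on the CRL entry ("Superseded").
crl_reason() {
    openssl crl -in "$1/crl.pem" -noout -text \
        | awk '/CRL Reason Code/ { getline; sub(/^ +/, ""); print; exit }'
}

work=$(mktemp -d)
build_revoked_chain "$work"
echo "chain only: $(verify_leaf "$work" plain)"
echo "with CRL:   $(verify_leaf "$work" crl), reason: $(crl_reason "$work")"
rm -rf "$work"
```

The point to take from the two results: a server whose chain looks clean to openssl's default `verify` (and to s_client's "Verify return code: 0 (ok)") can still be refused by a client that checks revocation, which is what the `Revocation = 4` entry in the Security framework output says happened here. The fix is on the server side: replace the superseded leaf with the current one the CA issued.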