8 Replies
      Latest reply: Jan 11, 2017 6:16 AM by d80buckeye
      gjandrejko Level 1 (0 points)

        I'm having issues when loading some of our company's websites using the iOS 9 GM in UIWebViews. One of the specific websites is talentworks.becpsn.com.

        I've tried multiple combinations of ATS, including arbitrary loads and the forward secrecy exception mentioned in similar posts.

        <key>NSAppTransportSecurity</key>
        <dict>
            <key>NSExceptionDomains</key>
            <dict>
                <key>talentworks.becpsn.com</key>
                <dict>
                    <key>NSExceptionRequiresForwardSecrecy</key>
                    <false/>
                    <key>NSIncludesSubdomains</key>
                    <true/>
                    <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
                    <false/>
                </dict>
            </dict>
        </dict>


        class is not key value coding-compliant for the key barStyle.

        2015-09-15 19:43:25.978 Globe[36381:6181648] CFNetwork diagnostics log file created at: /Users/gjandrejko/Library/Developer/CoreSimulator/Devices/AE9FD741-AF4B-49F7-B861-733FECA0063B/data/Containers/Data/Application/A8EE5393-7AB5-4638-8DEC-320159E2FF4B/Library/Logs/CrashReporter/CFNetwork_com.bechtel.poma..Globe_36381.nwlrb.log

        2015-09-15 19:43:26.348 Globe[36381:6181669] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9807)

        2015-09-15 19:43:26.352 Globe[36381:6181603] ERROR:Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “talentworks.becpsn.com” which could put your confidential information at risk." UserInfo={NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “talentworks.becpsn.com” which could put your confidential information at risk., NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x787beb40 {Error Domain=kCFErrorDomainCFNetwork Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “talentworks.becpsn.com” which could put your confidential information at risk." UserInfo={NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “talentworks.becpsn.com” which could put your confidential information at risk., _kCFNetworkCFStreamSSLErrorOriginalValue=-9807, _kCFStreamPropertySSLClientCertificateState=0, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorCodeKey=-9807, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x79985740>, _kCFStreamErrorDomainKey=3, kCFStreamPropertySSLPeerCertificates=<CFArray 0x786ae5c0 [0x22eb098]>{type = immutable, count = 4, values = (

          0 : <cert(0x799835f0) s: MSAN.becpsn.com i: IEXTCA-SSL.ibechtel.com>

          1 : <cert(0x79983cc0) s: IEXTCA-SSL.ibechtel.com i: Bechtel External Policy CA 1>

          2 : <cert(0x79984150) s: Bechtel External Policy CA 1 i: Baltimore CyberTrust Root>

          3 : <cert(0x79985220) s: Baltimore CyberTrust Root i: Baltimore CyberTrust Root>

        )}, NSErrorFailingURLStringKey=https:/

          0 : <cert(0x799835f0) s: MSAN.becpsn.com i: IEXTCA-SSL.ibechtel.com>

          1 : <cert(0x79983cc0) s: IEXTCA-SSL.ibechtel.com i: Bechtel External Policy CA 1>

          2 : <cert(0x79984150) s: Bechtel External Policy CA 1 i: Baltimore CyberTrust Root>

          3 : <cert(0x79985220) s: Baltimore CyberTrust Root i: Baltimore CyberTrust Root>

        )}, NSErrorClientCertificateStateKey=0, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x79985740>, NSErrorFailingURLKey=https://talentworks.becpsn.com/}



        We've been stuck for several days on this issue. Any help would be greatly appreciated.

        • Re: kCFStreamErrorDomainSSL -9807 error
          eskimo Apple Staff (6,665 points)

          Error -9807 is errSSLXCertChainInvalid, meaning there’s a trust evaluation problem.  This isn’t an ATS issue because even when you disable all of ATS (via the property list additions shown below) things still fail.

          <key>NSAppTransportSecurity</key>
          <dict>
              <key>NSAllowsArbitraryLoads</key>
              <true/>
          </dict>

          I poked around this for a bit and iOS 9 really doesn’t like the MSAN.becpsn.com leaf certificate.  Trust evaluation works just fine on the intermediates leading to that, but always fails on the leaf.  SecTrustCopyProperties returns this:

          (
              {
                  type = error;
                  value = "Policy requirements not met.";
              }
          )

          The policy complaining is the basic X.509 policy not the TLS policy, because if I do a manual trust evaluation using SecPolicyCreateBasicX509 I get the same result.

          Looking through the leaf certificate I can’t see why it would fail the basic X.509 policy.  iOS 9 is pretty strict about following the rules in RFC 5280, but I can’t see any place where the leaf is breaking those rules.

          Finally, I should note that accessing talentworks.becpsn.com from Safari on iOS 9 also fails, so this isn’t just restricted to your app.

          You should definitely file a bug about this.  Even if the problem is caused by an obscure error in your server’s certificate chain, this still belongs in Radar as a compatibility concern.  Once you’ve filed a bug, please post your bug number, just for the record.

          Finally, there are a few more checks I can run for this but I don’t have time in the context of DevForums.  If you open a DTS tech support incident, I can dig deeper into this.

          Share and Enjoy

          Quinn "The Eskimo!"
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: kCFStreamErrorDomainSSL -9807 error
              gjandrejko Level 1 (0 points)

              I opened a DTS ticket: 628342917. Can you dig deeper and run your additional checks?

                • Re: kCFStreamErrorDomainSSL -9807 error
                  nanoant Level 1 (0 points)

                  FYI, iOS 9 has a confirmed problem (bug) with X509v3 Name Constraints (OID 2.5.29.30), and your Bechtel External Policy CA 1 uses these constraints. This has also hit us, as our CA uses constraints, so our apps now return a -9802 error; even on 10.11, nscurl --ats-diagnostics goes well.

                  So currently the only workaround is either to wait for an iOS hotfix for that or to use a CA/certs without such constraints.

                    • Re: kCFStreamErrorDomainSSL -9807 error
                      eskimo Apple Staff (6,665 points)

                      FYI iOS 9 has confirmed problem (bug) with X509v3 Name Constraints …

                      Do you have a bug number for that?

                      Share and Enjoy

                      Quinn "The Eskimo!"
                      Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                      let myEmail = "eskimo" + "1" + "@apple.com"

                        • Re: kCFStreamErrorDomainSSL -9807 error
                          eskimo Apple Staff (6,665 points)

                          Do you have a bug number for that?

                          OK, to answer my own question, this is (r. 22722531).

                          iOS 9 has started enforcing the Name Constraint extension as part of the Basic X.509 trust policy (SecPolicyCreateBasicX509).  This affects HTTPS server trust evaluation and pretty much every other trust evaluation on the system.

                          There’s at least one bug in how iOS 9 handles this but, beyond that, the complexity of the relevant standards means that the Name Constraint extension is set up in lots of different ways in the real world, some of which we would consider to be incorrect.  We plan to resolve this issue in a future version of iOS by a) fixing the things that are definitely bugs, and b) being a little less aggressive in how we enforce this trust policy.

                          Share and Enjoy

                          Quinn "The Eskimo!"
                          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                          let myEmail = "eskimo" + "1" + "@apple.com"
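To make the Name Constraints problem that nanoant and Quinn describe above concrete, here is an added checker (example code, not from the thread or from Apple) that parses the dNSName subtrees of a NameConstraints extension (OID 2.5.29.30) and applies the RFC 5280 matching rule to a leaf's DNS names. The DER sample at the bottom is constructed for the example; the domains and function names are assumptions and not the real CA's constraints.

```python
# Added example, not code from the thread or from Apple: a minimal checker for the dNSName
# subtrees of X.509 Name Constraints (OID 2.5.29.30) per RFC 5280 s4.2.1.10. Sample DER is constructed.
def _tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next (length & 0x7F) bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, inner value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner

def parse_name_constraints(der):
    """Collect dNSName entries of permittedSubtrees [0] and excludedSubtrees [1] from a
    NameConstraints SEQUENCE (the extnValue contents); other GeneralName types are skipped."""
    out = {"permitted": [], "excluded": []}
    top_tag, seq, _ = _tlv(der, 0)
    assert top_tag == 0x30, "NameConstraints must be a SEQUENCE"
    for tag, subtrees in _children(seq):
        key = "permitted" if tag == 0xA0 else "excluded"
        for _, subtree in _children(subtrees):      # each GeneralSubtree SEQUENCE
            base_tag, base, _ = _tlv(subtree, 0)    # base GeneralName comes first
            if base_tag == 0x82:                    # [2] dNSName (IA5String)
                out[key].append(base.decode("ascii"))
    return out

def dns_matches(name, constraint):
    """RFC 5280 rule: the name equals the constraint or adds labels to its left. A leading-dot
    constraint (seen in the wild, not defined by RFC 5280) matches nothing under this rule."""
    name, constraint = name.lower().rstrip("."), constraint.lower()
    return name == constraint or name.endswith("." + constraint)

def check_leaf(leaf_dns_names, constraints):
    """Return leaf dNSNames that violate the constraints (empty list means compliant):
    a name must match a permitted dNSName subtree when any exist, and no excluded one."""
    permitted, excluded = constraints["permitted"], constraints["excluded"]
    return [n for n in leaf_dns_names
            if (permitted and not any(dns_matches(n, c) for c in permitted))
            or any(dns_matches(n, c) for c in excluded)]
def _der(tag, content):                     # short-form lengths suffice for the sample
    return bytes([tag, len(content)]) + content

# Constructed sample: permitted dNSName example.com, excluded dNSName internal.example.com
SAMPLE_NC = _der(0x30, _der(0xA0, _der(0x30, _der(0x82, b"example.com")))
                     + _der(0xA1, _der(0x30, _der(0x82, b"internal.example.com"))))
```

Feed `parse_name_constraints` the decoded extnValue of a real intermediate's Name Constraints extension and `check_leaf` the leaf's subjectAltName DNS names; any name it returns is one a strict validator is entitled to reject.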

                            • Re: kCFStreamErrorDomainSSL -9807 error
                              dhafin Level 1 (0 points)

                              I'm also experiencing this problem in iOS 10. I got 'kCFStreamErrorDomainSSL, -9807' error. My code works fine in iOS 9.X but the problem appears in iOS 10.X. What should I do to solve this problem?


                              Any help would be appreciated.

                                • Re: kCFStreamErrorDomainSSL -9807 error
                                  eskimo Apple Staff (6,665 points)

                                  As I explained earlier, error -9807 is errSSLXCertChainInvalid, which indicates that there’s a problem with TLS server trust evaluation.  Trust evaluation can fail for a variety of reasons, and it’s unlikely that the underlying cause is the same as gjandrejko was seeing.

                                  Please do some debugging and, if that doesn’t reveal the problem, start a new thread with your results.  Specifically:

                                  1. Create a small test app that fetches a resource from your server and see if that reproduces the problem.

                                  2. If so, disable ATS on that app to see if that improves things.

                                  3. If you’re still having problems, grab a copy of the TLSTool sample code, run it against your server as shown below (substituting your server name and port for example.com:443), then post the results.


                                  $ TLSTool s_client -connect example.com:443 -noverify -showcerts

                                  Share and Enjoy

                                  Quinn “The Eskimo!”
                                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                  let myEmail = "eskimo" + "1" + "@apple.com"

                                  • Re: kCFStreamErrorDomainSSL -9807 error
                                    d80buckeye Level 1 (0 points)

                                    Was a new thread opened on this by chance? If so, I'd appreciate a link. Thanks.