10 Replies
      Latest reply: Aug 19, 2015 10:23 AM by smizoguchi RSS
      sebastien78 Level 1 Level 1 (0 points)

        Hi,

         

        I have an IOS App connecting to a server (implemented in a web container) using NSURLSession. All communications are using HTTPs, the server is using TLSV1.2 with an accepted ciphers (see below for details).

         

        I'm using IOS 9 beta3 (on iPad Air) and XCode 7 beta 3.

         

        When starting the communication with the server I have always the same error:

         

        2015-07-21 22:35:47.452 CellMonitoring[990:31106] Session download has failed : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo=0x7fa96d004cb0 {NSErrorFailingURLStringKey=https://localhost:8443/MyServer/App, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorFailingURLKey=https://localhost:8443/MyServer/App, _kCFStreamErrorCodeKey=-9802, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made.}

         

        Below is the result of the openSSL command to display information about my server.

         

        $ openssl s_client -host localhost -port 8443 -status

        ...

        -----END CERTIFICATE-----

        subject=XXXXX

        issuer=YYYY

        ---

        No client certificate CA names sent

        ---

        SSL handshake has read 1465 bytes and written 510 bytes

        ---

        New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256

        Server public key is 2048 bit

        Secure Renegotiation IS supported

        Compression: NONE

        Expansion: NONE

        SSL-Session:

            Protocol  : TLSv1.2

            Cipher    : ECDHE-RSA-AES128-GCM-SHA256

            Session-ID: 55AEB2F8B99041A2B5975777FE793EB837AFB20BD7D0E00AA05A3F7ACB40BD38

            Session-ID-ctx:

            Master-Key: 6D77D7F9FAD54CFBD202806C927E188E0043306CB36F405FAA6F15E75F494BAA50F0B5E5D3BA2060D14BB14EE0EA239E

            Key-Arg   : None

            PSK identity: None

            PSK identity hint: None

            SRP username: None

            Start Time: 1437512440

            Timeout   : 300 (sec)

            Verify return code: 18 (self signed certificate)

        ---

        closed

         

        Below is the code I'm using for didReceiveChallenge, is there anything wrong or missing? I'm lost, I don't know how to progress :-(

         

        #pragma mark - NSURLSessionDelegate Protocol
        - (void)URLSession:(NSURLSession *)session
        didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
        completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential *credential))completionHandler {
            [RequestURLUtilities dumpChallenge:challenge];
            if (challenge.protectionSpace != Nil) {
                NSURLProtectionSpace *protection = challenge.protectionSpace;
                SecTrustRef sslState = protection.serverTrust;
                if (sslState == Nil) {
                    NSLog(@"%s Warning: empty serverTrust",__PRETTY_FUNCTION__);
                }
                if ([protection.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
                    NSLog(@"%s => NSURLAuthenticationMethodServerTrust", __PRETTY_FUNCTION__);
                   
                    NSURLCredential* credential = [NSURLCredential credentialForTrust:sslState];
                   
                   
                   completionHandler(NSURLSessionAuthChallengeUseCredential, credential);
                } else {
                    NSLog(@"%s => Called for another challenge", __PRETTY_FUNCTION__);
                   completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, NULL);
                }
              /
            }
        }
        
        • Re: NSURLSession error with ATS
          eskimo Apple Staff Apple Staff (6,075 points)

          You seem to be using a self-signed certificate.  Is that your final plan?  Or is that just for initial bring up?

          Share and Enjoy

          Quinn "The Eskimo!"
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: NSURLSession error with ATS
              borgiscool Level 1 Level 1 (0 points)

              I also started to experience SSL problem after installing XCode 7 Beta 4. The server is AWS S3, which has been supporting https (TLS 1.2) ... here is some info from openssl:

               

              $ openssl s_client -host s3.amazonaws.com -port 443
              
              
              
              
              
              ....
              subject=/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=s3.amazonaws.com
              issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https : //www.verisign.com/rpa  (c)10/CN=VeriSign Class 3 Secure Server CA - G3
              ---
              No client certificate CA names sent
              ---
              SSL handshake has read 4588 bytes and written 457 bytes
              ---
              New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
              Server public key is 2048 bit
              Secure Renegotiation IS supported
              Compression: NONE
              Expansion: NONE
              SSL-Session:
                  Protocol  : TLSv1.2
                  Cipher    : ECDHE-RSA-AES128-SHA
                  Session-ID: 9E644402F21A56BD299E13DCC7290D5D350E5F934D6F91EC0E9062BB08C85E2B
                  Session-ID-ctx:
                  Master-Key: B402C7AB986247BFCC4313585494658683345CEA05B6A2187FFB434BE96C761C8E1A3EEBB20BE9368C08C96310AA0053
                  Key-Arg  : None
                  PSK identity: None
                  PSK identity hint: None
                  SRP username: None
                  Start Time: 1437570827
                  Timeout  : 300 (sec)
                  Verify return code: 20 (unable to get local issuer certificate)
              ---
              closed
              
              
              
              
              
              

               

              the error I am getting (actual URL masked):

               

              [Optional(Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made."
              UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x5b0c20f80>,
              NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?,
              _kCFStreamErrorCodeKey=-9802,
              NSUnderlyingError=0x5b15a5fd0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0,
              _kCFNetworkCFStreamSSLErrorOriginalValue=-9802,
              kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x5b0c20f80>,
              _kCFStreamErrorDomainKey=3,
              _kCFStreamErrorCodeKey=-9802}},
              NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made.,
              NSErrorFailingURLKey=https : //s3.amazonaws.com/...,
              NSErrorFailingURLStringKey=https : //s3.amazonaws.com/...,
              _kCFStreamErrorDomainKey=3})]
              
              
              
              
              

               

              this used to work with xcode7 beta3. The error goes away if I disable ATS.

               

              Insight?

              • Re: NSURLSession error with ATS
                sebastien78 Level 1 Level 1 (0 points)

                Yes your're right, I'm using a self signed certificate. Is there an issue due with this?

                 

                It's not in my immediate plan to use a "signed certificate" but if it's the root cause of the issue then I could try to build my own CA and create a signed certificate.

                 

                How can I use my own CA and signed certificate with IOS? Is there some documentation/tutorial? 

                  • Re: NSURLSession error with ATS
                    eskimo Apple Staff Apple Staff (6,075 points)

                    Yes your're right, I'm using a self signed certificate. Is there an issue due with this?

                    Yes.  ATS is pretty much fundamentally incompatible with self-signed certificates.

                    In itself, that's no big loss IMO.  Self-signed certificates are a bad idea and you're much better off avoiding them and instead using a custom CA instead (Technotes 2232 and 2326 have the details of this).  However, that approach is also incompatible with ATS as things currently stand.

                    In short, to work with ATS you will have to get a certificate issued by a trusted CA.  The alternative is to disable ATS (only for the domain you care about, of course) and then, if necessary, do your own custom trust evaluation.

                    ps borgiscool and Lucky7, please start a new thread for the b4 regression; I'd like to use this thread to help sebastien78 with the more fundamental problem.

                    Share and Enjoy

                    Quinn "The Eskimo!"
                    Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                    let myEmail = "eskimo" + "1" + "@apple.com"

                      • Re: NSURLSession error with ATS
                        sebastien78 Level 1 Level 1 (0 points)

                        The App I'm developping is only for internal use in our Company and the server is also running in our private network. As a consequence we don't plan to get a certificate issued by a trusted CA.

                         

                        Do you plan to support custom CA?

                         

                        My understanding is the only solution I have is to set the NSAllowsArbitraryLoads to YES. When I set this property at the top level under NSAppTransportSecurity it's working but if I use an NSExceptionDomains the following it doesn't work, what is wrong?

                         

                              <key>NSAppTransportSecurity</key>

                                <dict>

                                        <key>NSExceptionDomains</key>

                                        <dict>

                                                <key>192.168.XXX.YYY</key>

                                                <dict>

                                                        <key>NSAllowsArbitraryLoads</key>

                                                        <true/>

                                                </dict>

                                        </dict>

                                </dict>

                         

                        Thanks for your help and support.

                         

                        Sébastien.

                          • Re: NSURLSession error with ATS
                            eskimo Apple Staff Apple Staff (6,075 points)

                            The App I'm developping is only for internal use in our Company and the server is also running in our private network. As a consequence we don't plan to get a certificate issued by a trusted CA.

                            Ah, that's a different story.  In situations like this you should create a CA for your company, if you don't already have one, and have the server's certificate issued by a CA.  You can then install the company CA's root certificate on the device as a system-trusted root (typically via MDM).  Once you do that, ATS will trust your company CA's issued certificates, just like it trusts certificate's issued by any other CA whose root is installed on, or built in to, the system.

                            I tested this approach on a device here in my office, using a CA I maintain for my own personal server, and it worked just fine.

                            if I use an NSExceptionDomains the following it doesn't work, what is wrong?

                            192.168.XXX.YYY

                            I presume that the Info.plist doesn't contain "XXX" and "YYY" literally, but rather it has the actual numbers of your IP address.

                            Regardless, last I checked NSExceptionDomains is supposed to support IP addresses but does not due to a bug.  I typically work around this by using the .local name.

                            Share and Enjoy

                            Quinn "The Eskimo!"
                            Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                            let myEmail = "eskimo" + "1" + "@apple.com"

                              • Re: NSURLSession error with ATS
                                sebastien78 Level 1 Level 1 (0 points)

                                When I'm configuring the NSExceptionDomains with a domain it's working.

                                 

                                I'm using the following exception.

                                 

                                <key>NSAppTransportSecurity</key>

                                        <dict>

                                                <key>NSExceptionDomains</key>

                                                <dict>

                                                        <key>MyServer.MyDomain.com</key>

                                                        <dict>

                                                                <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>

                                                                <true/>

                                                        </dict>

                                                </dict>

                                        </dict>

                        • Re: NSURLSession error with ATS
                          Lucky7 Level 1 Level 1 (0 points)

                          Yup. Since iOS 9 B4 (OS X 10.11 B4 as well), I get the same -1200 error, even though my server has a CA issued certificate and supports TLSv1.2. This used to work just fine on B3 (both OSes).

                          • Re: NSURLSession error with ATS
                            Lucky7 Level 1 Level 1 (0 points)

                            Please see rdar://21946711, which includes a sample project that recreates the issue.