Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made."

Hi,


I have a private https URL hosted on our organisation's Apache server from which I am trying to fetch data for my app, but I am getting the following error:


Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x600002421290>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, NSErrorPeerCertificateChainKey=(

"<cert(0x7f8952890c00) s: ~~~~~~~~~~~ i: DEN1-SSLCA-001-CA>",

"<cert(0x7f895282e200) s: ~~~~~~~~~~~ i: DEN1-SSLCA-001-CA>"

), NSUnderlyingError=0x60000186f5d0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x600002421290>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=(

"<cert(0x7f8952890c00) s: ~~~~~~~~~~~ i: DEN1-SSLCA-001-CA>",

"<cert(0x7f895282e200) s: ~~~~~~~~~~~ i: DEN1-SSLCA-001-CA>"

)}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://~~~~~~~~~~~/***************, NSErrorFailingURLStringKey=https://~~~~~~~~~~~~~/**************, NSErrorClientCertificateStateKey=0}



~~~~~~~ is my server host

************ is my url or api


I get the expected response, when I give

App Transport Security Settings -> Exception Domains -> ~~~~~~~~~~~~~ -> NSExceptionAllowsInsecureHTTPLoads is set to YES.


Is this the only way I can achieve the result?

Because I see many posts stating the use of App Transport Security Settings isn't good.


Please help and guide me.


Replies

Because I see many posts stating the use of App Transport Security [exceptions] isn't good.

That’s certainly true. And you shouldn’t need an ATS exception in your scenario. The approach I recommend is as follows:

  1. Set up a custom certificate authority (CA) within your organisation (many organisations already have this).

  2. Have it issue a certificate for your private server.

  3. Use MDM to install your organisation CA’s root certificate on your devices.

At this point your app (and Safari, and any other app) should be able to connect to your server by default; the system trusts your CA root certificate like it would any of the built in CA root certificates.

If you have this set up already and it’s not working, it’s possible that you’re falling foul of ATS’s other security requirements. You should run through the checklist in the Requirements for Connecting Using ATS section of the Information Property List Key Reference.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
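The three steps above, worked through as an added shell example; this is not code from the thread or from Apple, and the CA name, the host name api.example.internal, the key sizes and the file names are assumptions chosen for illustration. Step 3, pushing ca.pem to devices as a trusted root via MDM, is an administrative action the script can only point at. After building the chain it runs the checks a device will apply once that root is trusted: the chain verifies to the CA, the host name matches a subjectAltName entry (iOS matches the SAN, not the CN), the certificate is inside its validity window, and the leaf meets the ATS certificate requirements of a SHA-256 signature and an RSA key of at least 2048 bits.

```shell
#!/bin/sh
# Added example: private CA -> server certificate -> the checks iOS trust
# evaluation and ATS apply. Names and paths are assumptions, not from the thread.
set -eu

# Step 1: the organisation's root CA (self-signed, CA:TRUE, key-signing only).
make_ca() {
    dir="$1"
    cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Example Org Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:3072 -nodes -sha256 \
        -days 3650 -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
}

# Step 2: a leaf certificate for the private server, signed by that CA.
# The subjectAltName entry is mandatory: iOS ignores the CN for host matching.
issue_server_cert() {
    dir="$1"; host="$2"
    openssl req -new -config "$dir/ca.cnf" -subj "/CN=$host" -newkey rsa:2048 \
        -nodes -sha256 -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    cat > "$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 397 -extfile "$dir/server.ext" \
        -out "$dir/server.pem" >/dev/null 2>&1
}

# Step 3 happens outside this script: distribute ca.pem to devices as a
# trusted root via MDM. The functions below are the checks the device then
# performs against the chain the server presents.

# Chain builds to the CA and the host name matches the SAN. Exit 0 on success.
verify_server_cert() {
    dir="$1"; host="$2"
    openssl verify -CAfile "$dir/ca.pem" -verify_hostname "$host" \
        "$dir/server.pem" >/dev/null 2>&1
}

# Same chain check evaluated at an arbitrary time (Unix epoch seconds): a
# device whose clock is outside the validity window fails this way.
verify_server_cert_at() {
    dir="$1"; epoch="$2"
    openssl verify -CAfile "$dir/ca.pem" -attime "$epoch" \
        "$dir/server.pem" >/dev/null 2>&1
}

# ATS certificate requirements: SHA-256 signature and an RSA key >= 2048 bits.
meets_ats_cert_requirements() {
    dir="$1"
    text=$(openssl x509 -in "$dir/server.pem" -noout -text)
    printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || return 1
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge 2048 ]
}

# Stand-alone run: build the chain in a scratch directory and report.
workdir=$(mktemp -d)
make_ca "$workdir"
issue_server_cert "$workdir" api.example.internal
if verify_server_cert "$workdir" api.example.internal && meets_ats_cert_requirements "$workdir"; then
    echo "chain OK for api.example.internal; install $workdir/ca.pem on devices via MDM"
else
    echo "chain FAILED one of the device-side checks" >&2
    exit 1
fi
```

The stream error code in the original dump, -9802, is errSSLFatalAlert in the Security framework: the handshake was aborted, which is what an untrusted chain produces before the root is installed. Two of ATS's requirements are properties of the server rather than of the certificate, TLS 1.2 or later and a forward-secrecy cipher suite, so after the chain checks pass, confirm the Apache configuration with `openssl s_client -connect host:443 -tls1_2` and inspect the negotiated cipher.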

My app will be used only within our organisation's network, that is, the network inside which the private server is hosted. Do I still have to ask the user to install the root certificate using MDM? Or am I missing something with regard to my code?


This happens with both device and Simulator mode.

My app will be used only within our organisation's network, that is, the network inside which the private server is hosted. Do I still have to ask the user to install the root certificate using MDM?

“Have to”? No. However, that’s the approach I strongly recommend, because it avoids you having to write any code to override HTTPS server trust evaluation. Any bugs in your HTTPS server trust evaluation code could potentially open your app up to security vulnerabilities, which would be Bad™. The best way to avoid such vulnerabilities is to not write that code in the first place.

To quote an old friend of mine: “Bugs can’t exist in a vacuum!”

Besides, if you’re operating BYOD devices in an enterprise environment you should be using MDM anyway.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

This issue seems stale, but chiming in just for anyone else encountering something similar.

I was having a very similar issue with TLS on device, while the simulator was working fine. I realized (after much frustration) that my device time was still set to an arbitrary time, and I'm not sure how long it had been that way. In fact, I believe it had been set to that arbitrary time before a timezone change (daylight savings, EST/EDT), and the phone had been dead for quite a while.

Long story short, I changed the "Date & Time" setting to be automatic, and TLS magically worked again, even after I set the time to an arbitrary one again, just for good measure.