universal links: Bad apple-app-site-association server trust: -6754

Hi everyone,

I cannot get universal links to run. During app installation I get the following in Console:


Feb 8 07:15:45 Sebastians-iPhone-6s-plus swcd(CFNetwork)[218] <Notice>: TIC TLS Event [91:0x104f24690]: 2, Pending(0)
Feb 8 07:15:45 Sebastians-iPhone-6s-plus swcd(CFNetwork)[218] <Notice>: TIC TLS Event [91:0x104f24690]: 20, Pending(0)
Feb 8 07:15:45 Sebastians-iPhone-6s-plus swcd(CFNetwork)[218] <Notice>: TIC TCP Conn Connected [91:0x104f24690]: Err(16)
Feb 8 07:15:45 Sebastians-iPhone-6s-plus swcd(CFNetwork)[218] <Notice>: TIC TCP Conn Event [91:0x104f24690]: 1
Feb 8 07:15:45 Sebastians-iPhone-6s-plus swcd(CFNetwork)[218] <Notice>: TIC TCP Conn Event [91:0x104f24690]: 8
Feb 8 07:15:45 Sebastians-iPhone-6s-plus swcd(CFNetwork)[218] <Notice>: TIC TLS Handshake Complete [91:0x104f24690]
Feb 8 07:15:45 Sebastians-iPhone-6s-plus swcd(CFNetwork)[218] <Notice>: Task <FD2DF1F7-455A-4BB6-BEC2-BF1747E7413B>.<3> now using Connection 91
Feb 8 07:15:45 Sebastians-iPhone-6s-plus swcd(CFNetwork)[218] <Notice>: Task <FD2DF1F7-455A-4BB6-BEC2-BF1747E7413B>.<3> sent request, body N
Feb 8 07:15:45 Sebastians-iPhone-6s-plus swcd(CoreUtils)[218] <Notice>: ### Bad apple-app-site-association server trust: -6754/0xFFFFE59E kAuthenticationErr, 1 (kSecTrustResultProceed), {
    "TrustResultDetails" :
    [
        {},
        {},
        {}
    ],
    "TrustResultValue" : 1,
    "TrustEvaluationDate" : 2018-02-08 06:15:45.322463,
    "TrustExpirationDate" : 2018-02-12 10:18:43.000000,
    "TrustRevocationChecked" : true,
}


The apple-app-site-association file is hosted on a Microsoft IIS and can be downloaded via https from Safari without any redirects.

I also see from the server logfile that the file gets loaded with return code 200, so all fine.


Can anyone give a hint as to what might be missing? Thanks in advance.

Replies

Hello,


I spent several hours trying to figure out the same kind of problem.

For my case, I think I have come to the point where I can conclude that the certificate for the server must be signed with a root CA that is provided with iOS. If you have a certificate signed with a user-installed (or mdm-installed) root CA, then the SecTrustResult is "proceed" instead of "unspecified", which is OK for Safari and other URLSession uses but not for the apple-app-site-association validation...


@eskimo, what do you think?

Created radar 42445966.

For complete transparency, here is the content of the ticket:

iOS refuses to consider an apple-app-site-association file if hosted on an https server whose certificate is signed by a corporate PKI.


The following steps illustrate the issue with a publicly accessible website that mimics such a corporate PKI scenario.


Steps to Reproduce:
1) add https://badssl.com/certs/ca-untrusted-root.crt as a trusted root certificate
2) check that https://untrusted-root.badssl.com is accessible without any warning in Safari
3) create an app with Associated Domains capability + an entitlement for this associated domain: "applinks:untrusted-root.badssl.com"
4) launch the app
5) check Console for swcd logs and search for this kind of error


default 23:22:35.443837 +0200 swcd Started request for domain 'untrusted-root.badssl.com', URL 'https://untrusted-root.badssl.com/.well-known/apple-app-site-association'
default 23:22:35.922063 +0200 swcd ### Bad apple-app-site-association server trust: -6754/0xFFFFE59E kAuthenticationErr, 1 (kSecTrustResultProceed), {
    "TrustResultDetails" :
    [
        {},
        {}
    ],
    "TrustResultValue" : 1,
    "TrustEvaluationDate" : 2018-07-20 21:22:35.918077,
}


Expected Results:
There shouldn't be any SecTrust problem, kSecTrustResultProceed means that it's OK to use this SecTrust


Actual Results:
The resource at https://untrusted-root.badssl.com/.well-known/apple-app-site-association is not even downloaded as the TLS connection is incorrectly considered as not trusted.


Version/Build: 11.4

I too was receiving

"TrustResultValue" : 1,


It turned out it was caused by using the Charles diagnostic proxy. Once I turned my proxy off the domain associated correctly.


Chris
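
For triage of the swcd errors discussed in the posts above, here is an added example (not part of the thread, not Apple's code) that pulls the "Bad apple-app-site-association server trust" lines out of a Console export and decodes the SecTrustResultType they report. The function names and the wording of the notes are this example's own, and pairing an error with the most recent "Started request" line is an assumption about log ordering.

```python
import re

# SecTrustResultType raw values as declared in Security.framework (SecTrust.h).
SEC_TRUST_RESULT = {
    0: "invalid", 1: "proceed", 2: "confirm", 3: "deny", 4: "unspecified",
    5: "recoverableTrustFailure", 6: "fatalTrustFailure", 7: "otherError",
}

REQUEST_RE = re.compile(r"\bswcd\b.*Started request for domain '([^']+)'")
TRUST_RE = re.compile(
    r"\bswcd\b.*Bad apple-app-site-association server trust: "
    r"(-?\d+)/0x[0-9A-Fa-f]+ (\w+), (\d+) \(kSecTrustResult\w+\)"
)

def explain(result):
    """Triage note for a SecTrustResultType value; the wording is this example's, not Apple's."""
    if result == 1:
        return ("chain is trusted through an explicit trust setting; in this thread that "
                "was a user- or MDM-installed root CA, or the Charles proxy")
    if result == 4:
        return "chain is implicitly trusted (no explicit trust setting involved)"
    return "trust evaluation did not succeed; inspect the served certificate chain"

def triage(log_text):
    """Return one finding per swcd trust error, tagged with the last requested domain."""
    findings, domain = [], None
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            domain = m.group(1)  # assumption: the error belongs to the latest request logged
            continue
        m = TRUST_RE.search(line)
        if m:
            result = int(m.group(3))
            findings.append({
                "domain": domain, "os_status": int(m.group(1)), "error": m.group(2),
                "trust_result": SEC_TRUST_RESULT.get(result, "unknown"),
                "note": explain(result),
            })
    return findings

# Sample input: lines copied from the two Console logs quoted in this thread.
SAMPLE_LOG = """\
Feb 8 07:15:45 Sebastians-iPhone-6s-plus swcd(CoreUtils)[218] <Notice>: ### Bad apple-app-site-association server trust: -6754/0xFFFFE59E kAuthenticationErr, 1 (kSecTrustResultProceed), {
default 23:22:35.443837 +0200 swcd Started request for domain 'untrusted-root.badssl.com', URL 'https://untrusted-root.badssl.com/.well-known/apple-app-site-association'
default 23:22:35.922063 +0200 swcd ### Bad apple-app-site-association server trust: -6754/0xFFFFE59E kAuthenticationErr, 1 (kSecTrustResultProceed), {
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['domain'] or '(domain not in log)'}: {f['error']} / {f['trust_result']} -> {f['note']}")
```

A finding with trust_result "proceed" on a test device is a prompt to check for an installed root CA profile or an active intercepting proxy before changing anything on the server.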

Hi,


Are there any updates on this bug from Apple? I am also trying the same way to test universal links.


Thanks.