Reason of an SSL error in Swift 2 and iOS9 - swift

I got the following error while establishing an HTTPs (Secure HTTP) connection in Swift 2 and iOS9:
[NSLocalizedDescription: An SSL error has occurred and a secure connection to the server cannot be made., NSLocalizedRecoverySuggestion: Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey: 3, NSUnderlyingError: Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorCodeKey=-9802, _kCFStreamErrorDomainKey=3, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x175bc540>, kCFStreamPropertySSLPeerCertificates=<CFArray 0x175bd200 [0x3c11cca8]>{type = immutable, count = 1, values = (
0 : <cert(0x175bbf90) s: example.com i: example.com>
)}}, _kCFStreamErrorCodeKey: -9802, NSErrorFailingURLStringKey: https://example.com.com:pppp/, NSErrorPeerCertificateChainKey: (
"<cert(0x175bbf90) s: example.com i: example.com.com>"
), NSErrorClientCertificateStateKey: 0, NSURLErrorFailingURLPeerTrustErrorKey: <SecTrustRef: 0x175bc540>, NSErrorFailingURLKey: https://example.com:pppp/]
I want to know the exact exact reason of this issue and how can I find exact reason of an SSL issue?
I got the following output from curl command:
I also did the following changes in info.plist:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>example.com</key>
<dict>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<false/>
<key>NSExceptionMinimumTLSVersion</key>
<string>TLSv1.1</string>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>
</dict>
</dict>
</dict>
Still I am getting error in app and not able to connect to server.
Please anyone can give me an example or link for implementing SSL pinning with self signed certificate in iOS 9 and Xcode 7.

Related

default TLS Trust evaluation failed for iOS development with webapis on local machine listening to the IP

I am new to iOS/SwiftUI development but am trying to develop an app and webapis on my MacBook Pro. I am using VSCode and C# on the backend and calling the webapis from the iPhone simulator.
I have a localhost certificate in my Keychain with a Subject Alternative Name of the ip for my local machine (10.0.0.5). I have this working with Android using 10.0.2.2 (emulator localhost for computer hosting the emulator), so I know it does work.
I can also run the API from the browser using 10.0.0.5 and get the results.
When I run from the simulator I get these error:
2022-01-15 18:05:03.352411-0500 TestApp[24757:274897] [Unknown process
name] copy_read_only: vm_copy failed: status 1. calling loadData...
loading data... 2022-01-15 18:05:06.008842-0500 TestApp[24757:274902]
Connection 1: default TLS Trust evaluation failed(-9807) 2022-01-15
18:05:06.009049-0500 TestApp[24757:274902] Connection 1: TLS Trust
encountered error 3:-9807 2022-01-15 18:05:06.009148-0500
TestApp[24757:274902] Connection 1: encountered error(3:-9807)
2022-01-15 18:05:06.010008-0500 TestApp[24757:274902] Task
<17311174-24FF-403A-AA1B-4894D097FB41>.<1> HTTP load failed, 0/0 bytes
(error code: -1202 [3:-9807]) 2022-01-15 18:05:06.013874-0500
TestApp[24757:274896] Task <17311174-24FF-403A-AA1B-4894D097FB41>.<1>
finished with error [-1202] Error Domain=NSURLErrorDomain Code=-1202
"The certificate for this server is invalid. You might be connecting
to a server that is pretending to be “10.0.0.5” which could put your
confidential information at risk."
UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to
the server anyway?, _kCFStreamErrorDomainKey=3,
NSErrorPeerCertificateChainKey=(
"<cert(0x7fbef400f200) s: localhost i: localhost>" ), NSErrorClientCertificateStateKey=0,
NSErrorFailingURLKey=https://10.0.0.5:5001/WeatherForecast,
NSErrorFailingURLStringKey=https://10.0.0.5:5001/WeatherForecast,
NSUnderlyingError=0x6000023c6490 {Error Domain=kCFErrorDomainCFNetwork
Code=-1202 "(null)"
UserInfo={_kCFStreamPropertySSLClientCertificateState=0,
kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x600001c58500>,
_kCFNetworkCFStreamSSLErrorOriginalValue=-9807, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9807, kCFStreamPropertySSLPeerCertificates=(
"<cert(0x7fbef400f200) s: localhost i: localhost>" )}}, _NSURLErrorRelatedURLSessionTaskErrorKey=(
"LocalDataTask <17311174-24FF-403A-AA1B-4894D097FB41>.<1>" ), _kCFStreamErrorCodeKey=-9807, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <17311174-24FF-403A-AA1B-4894D097FB41>.<1>,
NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x600001c58500>,
NSLocalizedDescription=The certificate for this server is invalid. You
might be connecting to a server that is pretending to be “10.0.0.5”
which could put your confidential information at risk.} Invalid data
I followed the instructions from this post to put the NSExceptionDomain I am using. I am having trouble digesting the Overriding TLS Chain Validation Correctly. I followed this thread on Swift 5.1 UIWebView Does not View URL because of untrusted Certificate as well. Also, iOS app ignoring NSAppTransportSecurity.
My Info.plist has this in it:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
<key>NSExceptionDomains</key>
<dict>
<key>https://10.0.0.5:5001/WeatherForecast</key>
<dict>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSIncludesSubdomains</key>
<true/>
</dict>
</dict>
</dict>
I tried a variety of combinations for the key from 10.0.0.5 to https://10.0.0.5:5001/WeatherForecast.
UPDATE
I tried this Domain=NSURLErrorDomain Code 1202 as well, exporting the .cer from keychain and installing it on the emulator, but I still get the same error:

ATS Error: "ATS policy requires the use of a secure connection", despite plist

I'm trying to make a request for an http domain, and despite having
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
<key>NSAllowsArbitraryLoadsInWebContent</key>
<true/>
<key>NSExceptionDomains</key>
<dict>
<key>my-private-domain.kubernetes.intranet%2f:9090</key>
<dict>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
<false/>
<key>NSExceptionMinimumTLSVersion</key>
<string>TLSv1.1</string>
</dict>
</dict>
</dict>
at my info.plist for the app target, XCode 12.5.1 keeps me showing the error
Task <C5F9EA01-9790-43ED-89B0-EE07341B4D84>.<4> finished with error [-1022] Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.
I needed to perform this request after updating to 12.5.1 and also tried Clean Build Folder and removing-reinstalling the app. Does someone knows if it's a policy change? (maybe only HTTPS are now allowed even in non-production targets?). The answers I found here only cites NSAllowsArbitraryLoads, NSExceptionDomains, NSExceptionMinimumTLSVersion/NSTemporaryExceptionMinimumTLSVersion and NSThirdPartyExceptionRequiresForwardSecrecy. There's something more?
Because your info.plist includes the NSAllowsArbitraryLoadsInWebContent key, the NSAllowsArbitraryLoads is ignored and treated as false. So removing the NSAllowsArbitraryLoadsInWebContent should allow all arbitrary loads.
Relevant section from Apple docs:
In iOS 10 and later and macOS 10.12 and later, the value of the
NSAllowsArbitraryLoads key is ignored—and the default value of NO used
instead—if any of the following keys are present in your app’s
Information Property List file:
NSAllowsArbitraryLoadsForMedia
NSAllowsArbitraryLoadsInWebContent
NSAllowsLocalNetworking

ios 11 - swift 3 - insecure ssl

i keep sending get requests via alaomfire with those settings:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>domain.com</key>
<dict>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSExceptionAllowInsecureHTTPSLoads</key>
<true/>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>
<key>NSThirdPartyExceptionAllowInsecureHTTPSLoads</key>
<true/>
</dict>
</dict>
</dict>
But i still get:
An SSL error has occurred and a secure connection to the server cannot be made
Could anybody explain this issue to me?
Thanks and Greetings!

Swift curl to 3rd party website not working unless I allow arbitrary domains

My request looks as such
let headers = ["Host:" : "www.fortune500companysite.com", "User-Agent" : "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language" : "en-US,en;q=0.5", "Connection" : "keep-alive", "Upgrade-Insecure-Requests" : "1"]
let request = formatRequest(url: "https://www.fortune500companysite.com/", method: "GET", headers: headers, dataString: nil)
I need help formatting my info.plist so that the request (and subdomain requests) works and the app is approvable by apple.
Sending the request off only works with:
<dict>
<!--Include to allow all connections (DANGER)-->
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
Which as we know, is a one way ticket to getting your app rejected by apple. Without it, I get the following error:
nw_coretls_read_one_record tls_handshake_process: [-9824]
error: Optional(Error Domain=NSURLErrorDomain Code=-1005 "The network connection was lost." UserInfo={NSUnderlyingError=0x60800004ea60 {Error Domain=kCFErrorDomainCFNetwork Code=-1005 "(null)" UserInfo={_kCFStreamErrorCodeKey=54, _kCFStreamErrorDomainKey=1}}, NSErrorFailingURLStringKey=https://www.fortune500companysite.com/, NSErrorFailingURLKey=https://www.fortune500companysite.com/, _kCFStreamErrorDomainKey=1, _kCFStreamErrorCodeKey=54, NSLocalizedDescription=The network connection was lost.})
This code I found in someone else's question doesn't help either
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>fortune500companysite.com</key>
<dict>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSExceptionRequiresForwardSecrecy</key>
<true/>
<key>NSExceptionMinimumTLSVersion</key>
<string>TLSv1.2</string>
<key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
<true/>
<key>NSThirdPartyExceptionMinimumTLSVersion</key>
<string>TLSv1.2</string>
<key>NSRequiresCertificateTransparency</key>
<false/>
</dict>
</dict>
</dict>

HTTP Error in Swift 2 [duplicate]

This question already has answers here:
Transport security has blocked a cleartext HTTP
(29 answers)
Closed 7 years ago.
Whenever I try to load a url or gain the data from a specific URL that follows the http:// format. Xcode returns me with this error
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
How can I fix/work my way around this
I am not sure but you have to update your info.plist file by adding this key:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key><true/>
</dict>
Or you can add it another way and it will look like:
Or you can add a specific domain like:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>yourserver.com</key>
<dict>
<!--Include to allow subdomains-->
<key>NSIncludesSubdomains</key>
<true/>
<!--Include to allow HTTP requests-->
<key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
<true/>
<!--Include to specify minimum TLS version-->
<key>NSTemporaryExceptionMinimumTLSVersion</key>
<string>TLSv1.1</string>
</dict>
</dict>
</dict>
Original Post here for that.