How to send HTTPS requests to host with untrusted server certificate in iPhone Simulator? - iphone

I develop an iPhone framework which sends HTTPS requests in order to communicate with a publicly available backend server. Currently I have a big problem regarding untrusted server certificates.
The certificate of the backend server is not signed by a trusted CA, so my first approach was to use NSURLRequest's private allowsAnyHTTPSCertificateForHost. While this worked as expected and was fine as a temporary workaround, our customer demands a clean solution as the final result. Therefore I wrote a method which allows me to install a provided certificate from the file system in the keychain, but this method does not work as expected in the iPhone Simulator. The certificate is installed in the host machine's Mac OS X keychain instead. Unfortunately, if I call NSURLConnection's sendSynchronousRequest method, I retrieve an "untrusted server certificate" error. It seems as if NSURLConnection is not able to access the host's Mac OS X keychain to retrieve the certificate.
Is my guess correct or did I miss something?
Would my approach work if I ran my app on a real iPhone device instead (I do not have one available yet)?
Does there exist a keychain in the iPhone Simulator at all?
Is it at all possible to send HTTPS requests to a server with an untrusted certificate on the iPhone Simulator or do I have to use precompiler directives to implement different routines depending on the underlying platform (simulator or device, respectively)?
Any help is highly appreciated.
Thanks,
Matthias

You can get free trusted SSL certificates at http://startssl.com

Perhaps the ASIHTTPRequest library can help with that?

Yes, I agree with Beat Bolli, but I have done this with an NSURL request. Maybe you are skipping something.

Related

Error on Charles Proxy when trying to intercept iOS requests, although the Charles Proxy certificate is already configured and trusted

I tried to intercept the requests on my Android and iOS apps using Charles Proxy.
On Android I'm able to see the requests and responses without issues; however, on iOS it's not working.
I receive:
SSL handshake with client failed - Remote host terminated the handshake
You may need to configure your browser or application to trust the Charles Root Certificate. See SSL Proxying in the Help menu.
The manual proxy is correctly configured on the device, and I already trusted the Charles certificate on my iPhone. I'm quite sure that all configs are correctly set up.
I'm wondering if it's a limitation of my iOS app. Any idea?
Thanks in advance
You might need to tell your device to trust the certificate.
From this page on the Charles Proxy website:
If you are on iOS 10.3 or later, open the Settings.app and navigate to General > About > Certificate Trust Settings, and find the Charles Proxy certificate, and switch it on to enable full trust for it (More information about this change in iOS 10).

iPhone flagging URL as insecure

I'm debugging a site using an iPhone with iOS 6. Using the inspector from the iPhone on the Mac while visiting a site, I get:
Failed to load resource: The certificate for this server is invalid. You might be connecting to a server that is pretending to be “www.photorank.me” which could put your confidential information at risk.
When I go to the same site on a Mac using Firefox/Chrome/Safari, that issue does not exist.
The URL with the issue is https://www.photorank.me/static/js/olapic/widgets/ecommerce.js
It seems that the certificate is invalid for some reason, but the only devices saying so are the iPhone and iPad.
Any idea what is wrong?
It's not trusted, see this or this. OS X might have a wider root certificate base than iOS devices or the simulator.

Push notifications don't work after approval in the App Store

After losing more than a day searching for a solution, I decided to ask here for advice.
So, I have an iPhone app that uses PN, and I have a server with the Easy APNS module installed. Easy APNS is a bit modified for my needs, but still.
I expected that there could be problems with PN after distributing my app, and I tried to avoid them. I studied a lot of papers. But now I have problems.
As in most similar questions, everything worked fine in development mode, but in production mode the app doesn't receive notifications.
After I had tested my app, fixed bugs, and checked my server in development mode using the sandbox Apple server, I went on to submit my app for review. According to the manuals, I have:
- enabled production pushes for my AppId
- generated a distribution provision for the App Store
- uploaded and installed both the certificate and the provision
- exported the APS certificate and key in the keychain to a .pem SSL certificate as described here: http://blog.boxedice.com/2009/07/10/how-to-build-an-apple-push-notification-provider-server-tutorial/
- uploaded the certificate to my server
- built my source using the Archive scheme with the release configuration. Of course, I used the distribution provision
Then I submitted the binary for review, and when it was approved, I installed it on an iPhone from the App Store. And now I can't receive pushes, neither on my test device nor on any other.
So far I have:
- regenerated the pem certificate.
- tried to connect to ssl://gateway.push.apple.com/ using this cert - connection OK (connection to ssl://gateway.sandbox.push.apple.com/ with the same cert was rejected).
- checked the provision file - the key aps-environment is set to production
- checked the manuals to see whether I had to change something in the source before submitting - nothing.
Actually, devices register on the server after being launched. They receive a device token and send it to the server with all additional information - all seems to be correct.
The server seems to be sending messages correctly too: using the correct cert file, connecting to port 2195 of gateway.push.apple.com, having no problems creating the connection and sending the message, and receiving no feedback.
So, both the device and the server can connect to APNS, but the server can't send a message through it.
I saw a lot of similar problems and a lot of possible solutions. But none of them was helpful.
But I will be thankful for any help, ideas or advice.
Heh... It seems the problem was that my web developer switched the production and development certificates... Rather silly...
But now I know a lot about push notifications :)
Thanks a lot, StackOverflow!

Using installed identity certificate from within an app on iPhone

My question is: is there a way to use the identity certificates installed on the phone from within my app? For example, a similar case to Safari: if a certain site requires a client certificate, the user has to install it on the phone, and then Safari uses the installed certificate to authenticate. I need to do the same:
User installs certificate on the phone.
The user starts the application and authenticates using the installed certificate.
Thanks
I assume you mean authenticating an NSURLConnection to a specific server? I think you can do this if you get into some of the lower-level CF calls. Not sure, but this might help: Does SecTrustEvaluate() look for root certificates in the application keychain?

iPhone Simulator custom CA certificate

I'd like to test an application on the iPhone Simulator which connects to a service using a certificate which is signed by our own CA. I can do this on the actual device by adding a provisioning profile which has the CA certificate. I had thought that having the CA certificate in the standard OS X keychain would work, but it doesn't.
So I can access the service via Safari without warning, but I get an error when trying to run things in the simulator.
The crypto APIs are unavailable to the simulator. I think someone at Apple was smoking crack when they made this decision, because I fail to see how having an iPhone changes the outcome of a cryptographic algorithm. Nevertheless, in order to develop with these systems you'll need an iPhone or iPod touch.
This link worked for me
canAuthenticateAgainstProtectionSpace method set to return yes.
NOTE: this will accept any certificate so should be removed for production releases: ie: ONLY for testing
It seems to work okay when I point the emulator at one of our live servers which use a 'real' certificate. But I've just been getting 1200 errors trying to get the emulator to talk to a local test server I set up this morning.
So there must be crypto libraries there (or our app wouldn't talk to the live servers with real certificates), but there certainly seems to be a problem with self-signed certs.
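
As an added example (not code from any of the posts above): rather than returning YES for every protection space and accepting any certificate, an NSURLConnection delegate can evaluate the server's chain against your own CA only, using SecTrustEvaluate(). The class name PinnedCADelegate and the bundled file MyCA.der are assumptions, and the code assumes ARC.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical delegate class. "MyCA.der" is an assumed bundle resource that
// holds the DER-encoded certificate of your own CA.
@interface PinnedCADelegate : NSObject <NSURLConnectionDelegate>
@end

@implementation PinnedCADelegate

// Take over server-trust challenges only; other methods get default handling.
- (BOOL)connection:(NSURLConnection *)connection
canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)space {
    return [space.authenticationMethod
            isEqualToString:NSURLAuthenticationMethodServerTrust];
}

- (void)connection:(NSURLConnection *)connection
didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    NSString *path = [[NSBundle mainBundle] pathForResource:@"MyCA" ofType:@"der"];
    NSData *der = path ? [NSData dataWithContentsOfFile:path] : nil;
    SecCertificateRef ca = der
        ? SecCertificateCreateWithData(NULL, (__bridge CFDataRef)der) : NULL;
    SecTrustRef trust = challenge.protectionSpace.serverTrust;
    BOOL trusted = NO;

    if (ca != NULL && trust != NULL) {
        NSArray *anchors = @[(__bridge id)ca];
        SecTrustResultType result = kSecTrustResultInvalid;
        // Evaluate the chain against our CA only, not the system root store.
        if (SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors) == errSecSuccess &&
            SecTrustSetAnchorCertificatesOnly(trust, true) == errSecSuccess &&
            SecTrustEvaluate(trust, &result) == errSecSuccess) {
            trusted = (result == kSecTrustResultUnspecified ||
                       result == kSecTrustResultProceed);
        }
    }
    if (ca != NULL) CFRelease(ca);

    if (trusted) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust]
             forAuthenticationChallenge:challenge];
    } else {
        // Fail closed: a chain that does not verify cancels the request.
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}
@end
```

The trust object supplied with the challenge carries the SSL policy for the requested host, so the evaluation still checks the hostname and validity dates; only the set of accepted roots changes.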