Application Transport Security drives me mad


#1

Hi,

I am working on OSRAM Lightlify integration and want to speak to their Pro-Gateway. But whatever I try, I get security issues with the ATS, as you can see in the response below:

https://192.168.178.43:8443/session
2016-05-17 18:05:31.170 VCommander_debug[10781:1137316] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be "192.168.178.43" which could put your confidential information at risk." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=<SecTrust 0x105fc9e60 [0x7fff7320f440]>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9813, NSErrorPeerCertificateChainKey=(
"<SecCertificate 0x105fc9360 [0x7fff7320f440]>"
), NSUnderlyingError=0x60800004c000 {Error Domain=kCFErrorDomainCFNetwork Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be "192.168.178.43" which could put your confidential information at risk." UserInfo={NSErrorFailingURLStringKey=https://192.168.178.43:8443/session, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFNetworkCFStreamSSLErrorOriginalValue=-9813, kCFStreamPropertySSLPeerCertificates=(
"<SecCertificate 0x105fc9360 [0x7fff7320f440]>"
), _kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrust 0x105fc9e60 [0x7fff7320f440]>, NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be "192.168.178.43" which could put your confidential information at risk., _kCFStreamErrorDomainKey=3, NSErrorFailingURLKey=https://192.168.178.43:8443/session, _kCFStreamErrorCodeKey=-9813}}, NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be "192.168.178.43" which could put your confidential information at risk., NSErrorFailingURLKey=https://192.168.178.43:8443/session, NSErrorFailingURLStringKey=https://192.168.178.43:8443/session, NSErrorClientCertificateStateKey=0}

The strange thing is that if I use CocoaRestClient to send the REST statements, e.g. POST, GET, then it works fine. I checked the CocoaRestClient plist and added the same key to temporarily allow HTTPS requests without a certificate, but it has no effect. This is the key I put:

NSAppTransportSecurity

NSAllowsArbitraryLoads

Any idea what I could check or do to get around this? I know bypassing ATS is a bad idea in general but this is for dev purpose only and I am working in a local closed network.

Any hint is much appreciated!

Joerg


#2

Spoke to OSRAM meanwhile and they stated that they use self-signed certificates. The only way to get around the issue is to allow arbitrary loads. But this is what I did. Could it be that the entry in the app-info.plist doesn't get respected while compiling?


#3

Found a good description on the internet.

http://timekl.com/blog/2015/08/21/shipping-an-app-with-app-transport-security/

Especially this part of the article seems to be of interest:

"However, that’s not quite enough to get a connection going to a server with a self-signed certificate. We’ll also need to inform the networking code in the app that it’s OK to have an invalid certificate. Assuming we’re using NSURLSession, we can do this with a delegate method:"

```swift
// NSURLSessionDelegate method (Swift 2 syntax, as in the article): answers the
// server-trust challenge by accepting the presented certificate chain as-is,
// without validating it.
func URLSession(session: NSURLSession, didReceiveChallenge challenge: NSURLAuthenticationChallenge, completionHandler: (NSURLSessionAuthChallengeDisposition, NSURLCredential?) -> Void) {
    completionHandler(.UseCredential, NSURLCredential(trust: challenge.protectionSpace.serverTrust!))
}
```

The question is now whether there is an option to set this in the code, or whether someone could tell me how and where I could add this to the code, as it is way out of my knowledge :slight_smile:

Thanks!
Joerg
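As an added example, not from this thread or the linked article: a session delegate in current Swift that handles the server-trust challenge the article describes, but instead of accepting whatever certificate the server presents it accepts only the gateway's own self-signed certificate, bundled with the app. The bundled file name gateway.cer and the byte-for-byte comparison are assumptions; the host and port come from the log in the first post.

```swift
import Foundation
import Security

/// Trusts the Pro-Gateway's self-signed certificate only if it is identical to the
/// copy shipped in the app bundle. Any other certificate for that host is rejected,
/// so the delegate does not turn every connection into "accept anything".
final class PinnedGatewayDelegate: NSObject, URLSessionDelegate {
    private let pinnedCertData: Data        // DER bytes of the expected certificate
    private let gatewayHost = "192.168.178.43"

    init(pinnedCertData: Data) { self.pinnedCertData = pinnedCertData }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only the server-trust challenge for the gateway is handled here; every other
        // challenge (other hosts, client certs, HTTP auth) keeps the system behaviour.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              challenge.protectionSpace.host == gatewayHost,
              let trust = challenge.protectionSpace.serverTrust,
              let leaf = SecTrustGetCertificateAtIndex(trust, 0) else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // -9813 in the log is errSSLNoRootCert: the chain has no trusted root. That is a
        // TLS trust failure, not an ATS policy failure, so NSAllowsArbitraryLoads alone
        // does not make it go away; this comparison is what decides whether to proceed.
        let presented = SecCertificateCopyData(leaf) as Data
        if presented == pinnedCertData {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage: load the gateway certificate exported once from the device (assumed to be
// bundled as gateway.cer) and create the session with the delegate installed.
let certURL = Bundle.main.url(forResource: "gateway", withExtension: "cer")!
let pinned = try! Data(contentsOf: certURL)
let session = URLSession(configuration: .default,
                         delegate: PinnedGatewayDelegate(pinnedCertData: pinned),
                         delegateQueue: nil)
session.dataTask(with: URL(string: "https://192.168.178.43:8443/session")!) { data, response, error in
    print(response ?? error ?? "no response")
}.resume()
```

Exporting the certificate once (for example with a browser or the openssl s_client tool) and bundling it keeps the development build working against the self-signed gateway without trusting other hosts or a swapped certificate.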


#4

Nobody has an idea where to put this delegate function to temporarily bypass the ATS?