Making HTTPS request in iOS 9 with self-signed certificate

I want to make an HTTPS request to custom server with self-signed certificate. I’m using NSURLConnection class and processing authentication challenges, but always receive error message in a console:

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)

then method “connection:didFailWithError:” gets called with the following error:

  • How to retrieve the ssl server certificate in iOS?
  • Verify return code: 20 (unable to get local issuer certificate)
  • Charles proxy SSL connections won't show hostnames, only ips
  • making CSR certificates in Windows (7)
  • Getting client certificate to work for mutual authentication using Swift 3 and Alamofire 4
  • 'openssl/conf.h' file not found error on MacOS Sierra
  • Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x150094100>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, NSErrorPeerCertificateChainKey=<CFArray 0x1500ddd90 [0x19f6dab68]>{type = immutable, count = 1, values = (
        0 : <cert(0x14e6fb370) s: (server certificate name) i: (custom CA name)>
    )}, NSUnderlyingError=0x1504ae170 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSErrorFailingURLStringKey=https://217.92.80.156:9090/(method name and parameters), NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, kCFStreamPropertySSLPeerCertificates=<CFArray 0x1500ddd90 [0x19f6dab68]>{type = immutable, count = 1, values = (
        0 : <cert(0x14e6fb370) s: (server certificate name) i: (custom CA name)>
    )}, _kCFStreamPropertySSLClientCertificateState=2, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x150094100>, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., _kCFStreamPropertySSLClientCertificates=<CFArray 0x14e5ee8e0 [0x19f6dab68]>{type = mutable-small, count = 2, values = (
        0 : <SecIdentityRef: 0x15012cd40>
        1 : <cert(0x15014aa70) s: (client certificate name) i: (custom CA name)>
    )}, _kCFStreamErrorDomainKey=3, NSErrorFailingURLKey=https://217.92.80.156:9090/(method name and parameters), _kCFStreamErrorCodeKey=-9802}}, NSErrorClientCertificateChainKey=<CFArray 0x14e5ee8e0 [0x19f6dab68]>{type = mutable-small, count = 2, values = (
        0 : <SecIdentityRef: 0x15012cd40>
        1 : <cert(0x15014aa70) s: (client certificate name) i: (custom CA name)>
    )}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://217.92.80.156:9090/(method name and parameters), NSErrorFailingURLStringKey=https://217.92.80.156:9090/(method name and parameters), NSErrorClientCertificateStateKey=2}
    

    App receives two authentication challenges (NSURLAuthenticationMethodClientCertificate and NSURLAuthenticationMethodServerTrust) and processes them in a following manner:

    - (void) connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
    {
        if(challenge.proposedCredential && !challenge.error)
        {
            [challenge.sender useCredential:challenge.proposedCredential forAuthenticationChallenge:challenge];
    
            return;
        }
    
        NSString *strAuthenticationMethod = challenge.protectionSpace.authenticationMethod;
        NSLog(@"authentication method: %@", strAuthenticationMethod);
    
        NSURLCredential *credential = nil;
        if([strAuthenticationMethod isEqualToString:NSURLAuthenticationMethodClientCertificate])
        {
            // get identity and certificate from p.12
            NSData *PKCS12Data = [NSData dataWithContentsOfFile:[[NSBundle mainBundle] pathForResource:@"client" ofType:@"p12"]];
    
            NSDictionary *optionsDictionary = [NSDictionary dictionaryWithObject:@"password" forKey:(__bridge id)kSecImportExportPassphrase];
            CFArrayRef items = CFArrayCreate(NULL, 0, 0, NULL);
            OSStatus securityError = SecPKCS12Import((__bridge CFDataRef)PKCS12Data,(__bridge CFDictionaryRef)optionsDictionary, &items);
    
            SecIdentityRef identity = NULL;
            SecCertificateRef certificate = NULL;
            if(securityError == errSecSuccess)
            { 
                CFDictionaryRef myIdentityAndTrust = CFArrayGetValueAtIndex(items, 0);
                identity = (SecIdentityRef)CFDictionaryGetValue (myIdentityAndTrust, kSecImportItemIdentity);
    
                CFArrayRef array = (CFArrayRef)CFDictionaryGetValue(myIdentityAndTrust, kSecImportItemCertChain);
                certificate = (SecCertificateRef)CFArrayGetValueAtIndex(array, 0);
            }
    
            credential = [NSURLCredential credentialWithIdentity:identity certificates:[NSArray arrayWithObject:(__bridge id)(certificate)] persistence:NSURLCredentialPersistenceNone];
    
            CFRelease(items);
        }
        else if([strAuthenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust])
        {       
            int trustCertificateCount = (int)SecTrustGetCertificateCount(challenge.protectionSpace.serverTrust);
            NSMutableArray *trustCertificates = [[NSMutableArray alloc] initWithCapacity:trustCertificateCount];
            for(int i = 0; i < trustCertificateCount; i ++)
            {
                SecCertificateRef trustCertificate =  SecTrustGetCertificateAtIndex(challenge.protectionSpace.serverTrust, i);
                [trustCertificates addObject:(__bridge id) trustCertificate];
            }            
    
            SecPolicyRef policyRef = NULL;
            policyRef = SecPolicyCreateSSL(YES, (__bridge CFStringRef) challenge.protectionSpace.host);
    
            SecTrustRef trustRef = NULL;
            if(policyRef)
            {
                SecTrustCreateWithCertificates((__bridge CFArrayRef) trustCertificates, policyRef, &trustRef);
                CFRelease(policyRef);
            }
    
            if(trustRef)
            {
    //          SecTrustSetAnchorCertificates(trustRef, (__bridge CFArrayRef) [NSArray array]);
    //          SecTrustSetAnchorCertificatesOnly(trustRef, NO);
    
                SecTrustResultType result;
                OSStatus trustEvalStatus = SecTrustEvaluate(trustRef, &result);
                if(trustEvalStatus == errSecSuccess)
                {
                    // just temporary attempt to make it working.
                    // i hope, there is no such problem, when we have final working version of certificates.
                    if(result == kSecTrustResultRecoverableTrustFailure)
                    {
                        CFDataRef errDataRef = SecTrustCopyExceptions(trustRef);
                        SecTrustSetExceptions(trustRef, errDataRef);
    
                        SecTrustEvaluate(trustRef, &result);
                    }
    
                    if(result == kSecTrustResultProceed || result == kSecTrustResultUnspecified)
                        credential = [NSURLCredential credentialForTrust:trustRef];
                }
    
                CFRelease(trustRef);
            }
        }
        else
        {
            DDLogWarn(@"Unexpected authentication method. Cancelling authentication ...");
            [challenge.sender cancelAuthenticationChallenge:challenge];
        }
    
        if(credential)
            [challenge.sender useCredential:credential forAuthenticationChallenge:challenge];
        else
            [challenge.sender cancelAuthenticationChallenge:challenge];
    }
    

    In CFNetwork diagnostic log i can see that Handshake procedure is about to be started. At least app sends “ClientHello” message, then server sends its “ServerHello” message and requires for authentication. And here app tries to send authentication response, but immediately receives error. (At the same time, in server logs i don’t see any messages about handshake at all). Here is part of diagnostic log:

    Sep 15 10:51:49  AppName[331] <Notice>: CFNetwork Diagnostics [3:49] 10:51:49.185 {
        Authentication Challenge
           Loader: <CFURLRequest 0x1501931c0 [0x19f6dab68]> {url = https://217.92.80.156:9090/(method name and parameters), cs = 0x0}
        Challenge: challenge space https://217.92.80.156:9090/, ServerTrustEvaluationRequested (Hash f9810ad8165b3620)
        } [3:49]
    Sep 15 10:51:49  AppName[331] <Notice>: CFNetwork Diagnostics [3:50] 10:51:49.189 {
        Use Credential
            Loader: <CFURLRequest 0x1501931c0 [0x19f6dab68]> {url = https://217.92.80.156:9090/(method name and parameters), cs = 0x0}
        Credential: Name: server, Persistence: session
        } [3:50]
    Sep 15 10:51:49  AppName[331] <Notice>: CFNetwork Diagnostics [3:51] 10:51:49.190 {
         touchConnection
                  Loader: <CFURLRequest 0x1501931c0 [0x19f6dab68]> {url = https://217.92.80.156:9090/(method name and parameters), cs = 0x0}
        Timeout Interval: 60.000 seconds
        } [3:51]
    Sep 15 10:51:49  AppName[331] <Notice>: CFNetwork Diagnostics [3:52] 10:51:49.192 {
        Response Error
        Request: <CFURLRequest 0x14e5d02a0 [0x19f6dab68]> {url = https://217.92.80.156:9090/(method name and parameters), cs = 0x0}
          Error: Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFNetworkCFStreamSSLErrorOriginalValue=-9802, kCFStreamPropertySSLPeerCertificates=<CFArray 0x1500ddd90 [0x19f6dab68]>{type = immutable, count = 1, values = (
                    0 : <cert(0x14e6fb370) s: (server certificate name) i: (custom CA name)>
                 )}, _kCFStreamPropertySSLClientCertificateState=2, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x150094100>, _kCFStreamPropertySSLClientCertificates=<CFArray 0x14e5ee8e0 [0x19f6dab68]>{type = mutable-small, count = 2, values = (
                    0 : <SecIdentityRef: 0x15012cd40>
                    1 : <cert(0x15014aa70) s: (client certificate name) i: (custom CA name)>
                 )}, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802}
        } [3:52]
    

    Our back-end instance can be installed on customer side, so i can’t set any domain exception in Info.plist file. Also app may request server by IP address in IPv4 form, but not by domain name (as it is in my example).

    What have i tried:

    • used NSURLSession instead of NSURLConnection, but without any success;
    • checked Apple’s ATS requirements for server implementation here (back-end developer is sure that his implementation meets all of them);
    • played with setting anchor certificates for trust validation in accordance with various solved issues from stackoverflow and Apple’s developer forums;
    • paid attention particularly to similar post and its related solution at developer forums;

    I’m testing https request on iPad Air 2 with iOS 9 GM Seed (Build 13A340) and xCode 7 GM Seed (Build 7A218). Important note: this functionality works fine with iOS 8. Taking that into account i may assume, that problem is in our server, but our back-end developer assured me that there everything is fine.

    Now i’m out of ideas. I would appreciate if anyone can give me a hint, or at least suggest some other diagnostic, which would reveal particular error, more specific than “fatal alert”.

    Thanks.

    EDIT 1: SecTrustEvaluate always returns kSecTrustResultRecoverableTrustFailure, that is why i had to find some kind of workaround.

    4 Solutions Collect From Internet About “Making HTTPS request in iOS 9 with self-signed certificate”

    Have you used nscurl to diagnose the connection issue? If you have a Mac running OS X v10.11 you can run something like this:

    /usr/bin/nscurl --ats-diagnostics https://www.yourdomain.com
    

    Alternatively, if you don’t have 10.11, you can download the sample code here: https://developer.apple.com/library/mac/samplecode/SC1236/ and build it with XCode and run it like this (changing the path as appropriate for your machine):

    /Users/somebody/Library/Developer/Xcode/DerivedData/TLSTool-hjuytnjaqebcfradighsrffxxyzq/Build/Products/Debug/TLSTool s_client -connect www.yourdomain.com:443
    

    (To find the full path for the above, after you’ve built, open the Products group in your Project Navigator, right click on TLSTool, and “Show in Finder”.)

    You already linked to Apple’s technote on this subject, https://developer.apple.com/library/prerelease/ios/technotes/App-Transport-Security-Technote/ but you didn’t say if you ran nscurl or not.

    According to this: https://forums.developer.apple.com/message/36842#36842

    The best approach to fix HTTP load failed (kCFStreamErrorDomainSSL, -9802) is to set an exception in the info.plist file as follows:

    <key>NSAppTransportSecurity</key>
    <dict>
      <key>NSExceptionDomains</key>
      <dict>
        <key>test.testdomain.com</key>
        <dict>
          <key>NSIncludesSubdomains</key>
          <true/>
          <key>NSExceptionAllowsInsecureHTTPLoads</key>
          <true/>
        </dict>
      </dict>
    </dict>
    

    The important point is that this is not less secure than iOS8, just not as secure as full ATS supported by iOS9.

    I just met the same problem with ur’s.Now i fixes it.It is because the tls version and the certificate sign.As the apple’s document say below
    apple’s document

    So i do this thing
    info.plist setting

    and it works

    This issue was solved some time ago. It turned out to be invalid self-signed certificate. It didn’t meet all requirements from Apple. Unfortunately i don’t know, what exactly it was.