Certificate Transparency

Hello,


I am trying to enable Certificate Transparency for the app I am developing, but it keeps failing, and I wonder whether there is an internal limitation that prevents me from doing so (such as the year it was published, or anything else).


This is the certificate that I am using (it is from 2016, but the fact that it appears in CT logs makes it compliant, I think):

https://transparencyreport.google.com/https/certificates/%2BRI%2FTgSAjzukHqHgYcXqBu2RCfj5HDkXe35wBsKjAT4%3D


Sample code:

import Foundation

func makeRequest() {
    let url = URL(string: "https://prod-cvitalsapi.focuscura.com/api/disclaimer")!
    let session = URLSession.shared
    var request = URLRequest(url: url)
    request.httpMethod = "GET"

    // Create a data task on the shared session and print any error it reports.
    let task = session.dataTask(with: request) { data, response, error in
        print("\(String(describing: error))")
    }
    task.resume()
}


Info.plist:

<key>NSAppTransportSecurity</key>
  <dict>
       <key>NSAllowsArbitraryLoads</key>
       <true/>
       <key>NSExceptionDomains</key>
       <dict>
            <key>focuscura.com</key>
            <dict>
                 <key>NSRequiresCertificateTransparency</key>
                 <true/>
                 <key>NSIncludesSubdomains</key>
                 <true/>
            </dict>
       </dict>
  </dict>


The error I get from the network request failure:

Optional(Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x6000022050e0>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, NSErrorPeerCertificateChainKey=(
    "<cert(0x7fc18a02c600) s: *.focuscura.com i: COMODO RSA Domain Validation Secure Server CA>",
    "<cert(0x7fc18a02d000) s: COMODO RSA Domain Validation Secure Server CA i: COMODO RSA Certification Authority>",
    "<cert(0x7fc18a02da00) s: COMODO RSA Certification Authority i: AddTrust External CA Root>",
    "<cert(0x7fc18a02e200) s: AddTrust External CA Root i: AddTrust External CA Root>"
), NSUnderlyingError=0x600001e0da40 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x6000022050e0>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=(
    "<cert(0x7fc18a02c600) s: *.focuscura.com i: COMODO RSA Domain Validation Secure Server CA>",
    "<cert(0x7fc18a02d000) s: COMODO RSA Domain Validation Secure Server CA i: COMODO RSA Certification Authority>",
    "<cert(0x7fc18a02da00) s: COMODO RSA Certification Authority i: AddTrust External CA Root>",
    "<cert(0x7fc18a02e200) s: AddTrust External CA Root i: AddTrust External CA Root>"
)}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://prod-cvitalsapi.focuscura.com/api/disclaimer, NSErrorFailingURLStringKey=https://prod-cvitalsapi.focuscura.com/api/disclaimer, NSErrorClientCertificateStateKey=0})

Have you read the Certificate Transparency policy, published by Apple support?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
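
Added example, not written by either poster and not Apple code: one thing worth checking alongside the policy is whether the leaf certificate carries embedded SCTs, which RFC 6962 places in the X.509 extension with OID 1.3.6.1.4.1.11129.2.4.2. The standard-library Python below lists a DER certificate's extension OIDs and looks for that one; `der` and `sample` are hypothetical helpers that build a constructed skeleton, not a real certificate.

```python
SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"  # embedded SCT list extension (RFC 6962)

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, start, end):  # yield each element found in buf[start:end]
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        yield tag, vs, ve
        start = ve

def decode_oid(raw):  # DER OID content bytes -> dotted string
    arcs, value = [], 0
    for byte in raw:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)  # the first two arcs share one encoded value
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def extension_oids(cert_der):
    """List the extension OIDs of a DER-encoded X.509 certificate."""
    _, cs, ce = read_tlv(cert_der, 0)              # Certificate SEQUENCE
    _, ts, te = next(children(cert_der, cs, ce))   # tbsCertificate SEQUENCE
    for tag, vs, _ in children(cert_der, ts, te):
        if tag == 0xA3:                            # [3] EXPLICIT extensions
            _, es, ee = read_tlv(cert_der, vs)     # SEQUENCE OF Extension
            return [decode_oid(cert_der[o[1]:o[2]])
                    for _, xs, xe in children(cert_der, es, ee)
                    for o in [next(children(cert_der, xs, xe))]]
    return []  # v1 certificate, or no extensions present

def has_embedded_scts(cert_der):
    return SCT_LIST_OID in extension_oids(cert_der)

# Constructed skeleton input (not a real certificate): version, serial, extensions.
def der(tag, *parts):  # short-form lengths only, enough for the sample
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

def sample(*oids):
    exts = [der(0x30, der(0x06, o), der(0x04)) for o in oids]
    head = der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")  # version, serial
    return der(0x30, der(0x30, head, der(0xA3, der(0x30, *exts))))
```

For a live host, `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))` yields the DER bytes to pass in. A negative result covers only the embedded mechanism; RFC 6962 also allows SCTs to be delivered in a TLS extension or a stapled OCSP response.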