Swift, SSL Self Signed certificate IOS8+

Hi,


I want to implement SSL in a web service call, but I am getting the error below:

NSURLConnection/CFURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)

My code is below:

    func checkNetworkConnection(callback: ((isConnected: Bool) -> Void)!)
    {
        var checkNetworkURL: String = "TESTURL"
        var request = NSMutableURLRequest(URL: NSURL(string: checkNetworkURL)!)
        request.HTTPMethod = "POST"
        request.addValue("application/xml", forHTTPHeaderField: "Content-Type")
        request.addValue("application/xml", forHTTPHeaderField: "Accept")
        request.timeoutInterval = 20000.0

        var response: NSURLResponse?
        var error: NSError?
        // Synchronous call: no delegate can be attached to this request.
        var data = NSURLConnection.sendSynchronousRequest(request, returningResponse: &response, error: &error)

        if error == nil {
            if data != nil {
                self.parser.getLoginResultDataDictionary(data!) { (dataDictionary) -> Void in
                    if let dataDict = dataDictionary[self.constants.defaultsKeys.RESPONSE_RESULT] as? Dictionary<String,String>
                    {
                        if let status: AnyObject = dataDict[self.constants.defaultsKeys.RESPONSE_STATUS] {
                            if status as! String == self.constants.defaultsKeys.RESPONSE_SUCCESS {
                                callback(isConnected: true)
                            }
                            else {
                                callback(isConnected: false)
                            }
                        }
                        else {
                            callback(isConnected: false)
                        }
                    }
                    else {
                        callback(isConnected: false)
                    }
                }
            }
            else {
                callback(isConnected: false)
            }
        }
        else {
            callback(isConnected: false)
        }
    }

Method added

    public func connection(connection: NSURLConnection, willSendRequestForAuthenticationChallenge challenge: NSURLAuthenticationChallenge)
    {
        challenge.sender.useCredential(NSURLCredential(forTrust: challenge.protectionSpace.serverTrust), forAuthenticationChallenge: challenge)
        challenge.sender.continueWithoutCredentialForAuthenticationChallenge(challenge)
    }

Added Delegate as below

public class NetworkUtil : NSObject, NSURLConnectionDelegate { }

How can I configure SSL in the above code?

Thanks,

OK, lots of points to cover here:

  • I’ve moved your thread to Core OS > Networking as this question is more about networking than it is about Swift.

  • If you’re writing new code you should use NSURLSession rather than NSURLConnection; we’re in the process of deprecating the latter in favour of the former.

  • You should read up on App Transport Security because that’s likely to impact on your product in the very near future.

  • Error -9813 is errSSLNoRootCert, implying that you really do have an HTTPS server trust evaluation problem. Technote 2232 HTTPS Server Trust Evaluation covers that topic in detail.

  • You’re calling NSURLConnection synchronously (using the +sendSynchronousRequest:xxx method). This is a bad idea in general for all sorts of reasons. I strongly recommend that you move to an async API. In fact, if you switch to NSURLSession you’ll find that it has no sync API.

  • With regards your attempted solution, the problem you’re having is that -connection:willSendRequestForAuthenticationChallenge: is an NSURLConnection delegate method and that will only get called if your object is the NSURLConnection delegate. However, you’re using the NSURLConnection synchronous API which doesn’t let you specify a delegate. You can get around this in two ways:
    • switch to the NSURLConnection async API, where you can specify a delegate

    • switch to NSURLSession, where you can use its convenience APIs and have a delegate

With all of that out of the way, let’s take a look at the big picture. And the most important question here is, why are you using a self-signed certificate? It’s the presence of the self-signed certificate that’s causing you grief here, so if you get rid of that then this problem goes away.

If you’re using a self-signed certificate just for testing purposes, you should replace the server identity with one issued by your own testing CA. You can then install your testing CA’s root certificate on your device and thus avoid this whole issue. Technote 2326 Creating Certificates for TLS Testing explains how to do that.

This approach has two key advantages:

  • You don’t need to write extra code to handle your test environment.

  • There’s no possibility of that extra code being left in your production app. A surprising number of apps (including some really big name ones) use HTTPS but accidentally leave server trust evaluation disabled, which is a serious security bug.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
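
An added example, not part of the thread and not Apple's code: an NSURLSession delegate that evaluates server trust against a single testing-CA root and fails closed, instead of accepting whatever certificate the server presents. It is written in current Swift (URLSession, SecTrustEvaluateWithError, iOS 12 or later) rather than the Swift 1.x syntax used above; the names TestRootTrustDelegate, checkServer and testRootDER are hypothetical, and the DER-encoded root certificate is assumed to come from your own testing CA.

```swift
import Foundation
import Security

// Evaluates HTTPS server trust against one test root instead of accepting any certificate.
final class TestRootTrustDelegate: NSObject, URLSessionDelegate {
    private let testRoot: SecCertificate

    // `der` is the DER-encoded root certificate of your own testing CA (assumption).
    init?(der: Data) {
        guard let cert = SecCertificateCreateWithData(nil, der as CFData) else { return nil }
        testRoot = cert
        super.init()
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only server trust challenges are handled here; everything else takes the default path.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Use the test root as the only anchor. The trust object keeps its SSL policy,
        // so the host name check still applies.
        guard SecTrustSetAnchorCertificates(trust, [testRoot] as CFArray) == errSecSuccess,
              SecTrustSetAnchorCertificatesOnly(trust, true) == errSecSuccess else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        var evalError: CFError?
        if SecTrustEvaluateWithError(trust, &evalError) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Fail closed: never continue the load when evaluation fails.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Asynchronous request through a session that uses the delegate above.
func checkServer(url: URL, testRootDER: Data, completion: @escaping (Bool) -> Void) {
    guard let delegate = TestRootTrustDelegate(der: testRootDER) else {
        completion(false)
        return
    }
    let session = URLSession(configuration: .ephemeral, delegate: delegate, delegateQueue: nil)
    let task = session.dataTask(with: url) { _, response, error in
        completion(error == nil && (response as? HTTPURLResponse)?.statusCode == 200)
        session.finishTasksAndInvalidate()
    }
    task.resume()
}
```

Installing the testing CA's root on the device, as the reply above recommends, needs none of this code; the delegate is only relevant when trust evaluation has to be customised in the app itself.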

Thanks eskimo.

Does that mean if we have SSL certificate with public key. We don't have to change our code?

Does that mean if we have SSL certificate with public key.

I presume you mean “HTTPS server certificate that’s trusted by the system by default”. All certificates contain a public key, even self-signed ones.

We don't have to change our code?

If the HTTPS server certificate is trusted by the system then you don’t need to override HTTPS server trust evaluation. That would allow your code as written to work. You’ll also be able to remove all the willSendRequestForAuthenticationChallenge goo, because that’s both ineffective and would be unnecessary.

While NSURLConnection is being deprecated, and we advise against using synchronous APIs for networking, such techniques do still work and we expect them to continue to work for the foreseeable future.

The one gotcha is App Transport Security; as soon as you adopt the iOS 9 SDK you will have to worry about that.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks Eskimo.

I will have to check whether that certificate is trusted or not.

But self signed certificate was not trusted and we have mark it as trust
