How to debug CFNetwork SSLHandshake failed (-9824) in Mac Os X? - nsurlconnection

My Mac Os X app needs to access different servers in Brazil and one of the servers seems to have an sslv3 issue. It seems that access thru MS Windows solutions is normal. I tried using Internet Explorer and it works. This is an example of what Firefox shows me:
I have written a sample app at http://www.idanfe.com/trustAuthenticationTester.zip that demonstrates that method - (void)connection:(NSURLConnection *)aConnection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)aChallenge is not called at all when talking to the server https://nfe.sefaz.ce.gov.br/nfe2/services/NfeStatusServico2, but I works fine with server https://nfe.sefazvirtual.rs.gov.br/ws/NfeStatusServico/NfeStatusServico2. The purpose is to customize the server trust evaluation. But at this point it is not possible.
These are the error I get:
CFNetwork SSLHandshake failed (-9824)
CFNetwork SSLHandshake failed (-9802)
CFNetwork SSLHandshake failed (-9802)
NSURLConnection/CFURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
Thanks.

Latest version of OS X require TLSv1.2 SSL in the host server and hence the SSL fails. You can set exceptions in your info.plist file.
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>BrazilServer.com</key>
<dict>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSExceptionMinimumTLSVersion</key>
<string>TLSv1.1</string>
</dict>
</dict>
</dict>
Also NSURLConnection is deprecated and you should switch to NSURLSession instead, as there are bugs with handling the exceptions in the info.plist and NSURLConnection.
Should you want to get more info about the error you can set the CFNETWORK_DIAGNOSTICS environment variable under the schema setting to 1, and the log will produce more exact results of what is happening during the SSL handshake.

Related

Turnserver showing WebSocket open error: WebSocket error after trying to join a room

My app has 1:1 video calling feature and for that I set up my own turnserver. The turnserver was running perfectly till yesterday. When I try to call from app, turnserver rejects. I tried turnserver url from browser, it shows something like this,
Immediately, I logged collidermain, it shows
root#<machine_name>:~# <timestamp> Starting collider: tls = true, port = 8443, room-server=https://<mydomain>.com
<timestamp> http: TLS handshake error from 182.160.105.186:43243: remote error: tls: unknown certificate
And this kept showing up everytime, my app try to connect with turnserver.
Thought, ssl certificates got something to do with it, replaced ssl certificates, tried re-installing collidermain, restarting google-cloud-sdk, turnserver, collidermain. Still no luck.
Got two similar questions on stakoverflow.
WebSocket open error: WebSocket error, This is not chrome bug, because I got other two turnserver running perfectly fine at the time I am writing this and server health is pretty good
Websocket open error, websocket register error This is not working too. I re-installed collider. No luck
My question is, what is the root cause of this error and how to fix it?
System spces:
OS: Ubuntu 20.04
AppRTC code running with Google-cloud-sdk, version: 330.0.0
Turnserver version: 4.4.3
Signalling server: collidermain
Certificate issued with let's encrypt certbot
It's solved! Here's what happend.
I copied the certificates issued by certbot into another directory /cert/
and in turnserver.conf file, I pointed certificate path to /cert/ directory. So it worked fine for a while. Certbot certificates are valid for 3 months and it's renew automatically when validity expires. So, certbot renewed certificates and put it into /etc/letsencrypt/live/:domain_name/. turnserver.conf still pointing to outdated certificates resides in /cert/ directory. That's why when I try to join a room, turnserver using outdated certificates and shows TLS handshake error
So, I just changed certificate path from /cert/ to /etc/letsencrypt/live/:domain_name/ in turnserver.conf, it's back online! Yay!!

Allow HTTP download in Android Studio

I am getting the following error in Android Studio:
> Could not download builder-4.1.2.jar (com.android.tools.build:builder:4.1.2)
> Could not get resource 'http://10.252.250.53:8081/lm/content/groups/public/com/android/tools/build/builder/4.1.2/builder-4.1.2.jar'.
> Could not GET 'http://10.252.250.53:8081/lm/content/groups/public/com/android/tools/build/builder/4.1.2/builder-4.1.2.jar'.
> Connect to 10.252.250.53:8081 [/10.252.250.53] failed: Connection timed out: connect
I am able to download the file from that link in a browser. So I believe the issue is that Android Studio is not allowing HTTP download.
Please guide.
The file you download is quite outdated; this is version 7.0.2 meanwhile.
Either add a self-signed SSL certificate to 10.252.250.53:8081 + local machine and define a proxy:
systemProp.https.proxyHost=10.252.250.53
systemProp.https.proxyPort=8081
Or downgrade back to Gradle < 7.0 ...if you really want to use HTTP (which is merely dead already).

Exporting a Developer-ID-signed app bundle with Xcode 9

I'm trying to export a Developer-ID-signed app bundle from a post-build trigger in a bot on Xcode 9.1, but I can't get it to pass through Gatekeeper without having to use the right-click-in-Finder workaround.
As suggested by this answer, I tried running codesign -dvv /path/to/my.app and I get this output (server and team IDs have been *'d out):
Executable=/path/to/my.app/Contents/MacOS/myapp
Identifier=com.abbey-code.myapp
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=29403 flags=0x0(none) hashes=911+5 location=embedded
Signature size=4630
Authority=Mac Developer: OS X Server (**********)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Nov 20, 2017, 5:48:21 PM
Info.plist entries=35
TeamIdentifier=**********
Sealed Resources version=2 rules=13 files=141
Internal requirements count=1 size=184
The answer above suggests I should see Developer ID Certification Authority, but I only see "Mac Developer" as teh root authority. I'm invoking xcodebuild with these arguments:
xcodebuild -verbose -exportArchive -exportOptionsPlist exportOptions.plist -archivePath, /path/to/xcarchive, -exportPath, /path/to/place/exported/appbundle
My exportOptions.plist looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>method</key>
<string>mac-application</string>
<key>signingCertificate</key>
<string>Developer ID Application</string>
<key>signingStyle</key>
<string>automatic</string>
</dict>
</plist>
My bot is signed into my developer account, and is set to manage certificates automatically. I have also tried launching Xcode on the server, signing into my account, downloading a Developer ID certificate, and clicking the "Add to Server" button from the Edit Bot sheet.
What am I doing wrong?
My export options plist was incorrect. I was able to use the following successfully:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>method</key>
<string>developer-id</string>
<key>signingStyle</key>
<string>automatic</string>
</dict>
</plist>
I can confirm that manually adding the Developer ID certificate to the server in the Bot configuration is required for this to work. For some reason, it doesn't automatically acquire that one.

SSL handshake issues with APNS on IBM worklight 6.1 running on CentOS 6

We are running into SSL handshake issues with APNS on IBM worklight 6.1 running on CentOS 6.
We do not face any SSL related issues on Mac probably due to the fact that the required p12 cert is already present in the keychain on the OS.
The error encountered is:
com.notnoop.apns.internal.ApnsFeedbackConnection Failed to retreive invalid devices
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: End user tried to act as a CA
We have place the generated p12 file in the "apps" directory of worklight.
Not sure if this is the right way and worklight will pick this up.
We have verified that the p12 and the corresponding generated .pem file is fine by executing the following command and getting a "CONNECTED" response from apple servers:
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert apns-dev-cert.pem -debug -showcerts -CAfile server-ca-cert.pem
Which makes me think that worklight may not be finding the correct p12 cert.
Also as we've read, worklight uses the "notnoop" library for APNS communication; and notnoop requires the location of the p12 to be defined.
Where do we specify this path? Is it in some configuration file of worklight?
Thanks!
If you are using IBM JDK 7, then it is a known bug which is fixed in IBM JDK 7.0.0 SR6. Either you can try with IBM JDK 7 SR6 onwards OR try replacing jre\lib\security\cacerts file in JDK 7 with jre\lib\security\cacerts file in JDK 6
Reference: http://www-01.ibm.com/support/docview.wss?uid=swg1IV43936

Xcode - can't build app for production with aps-environment set to production

I am getting this message when setting "aps-environment" to "production" in my entitlements.plist file:
The executable was signed with invalid entitlements.
The entitlements specified in your application’s Code Signing Entitlements file do not match those specified in your provisioning profile.
(0xE8008016).
My entitlements:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>keychain-access-groups</key>
<array>
<string>123.*</string>
</array>
<key>application-identifier</key>
<string>123.com.app.mine</string>
<key>aps-environment</key>
<string>production</string>
</dict>
</plist>
you need to use a valid distribution certificate for the app ID -- and it can't be a wildcard one
First go to developer.apple.com login in member centre select manage profile, certificate section.
1) create Certificate of type distribution (if you want it to upload to App Store)
2) create app id you should enter same package name as specified in your application
3) create provisional profile with the same certificate and app identifier which you had
already created.
4) download certificate and profile
5) go to build setting of your application target and select the particular profile and certificate which you had downloaded.
Hope it will resolve your issue

Resources