Client Authentication request auto cancelled in Apple watch - tls1.2

I am trying to make TLS request for client authentication from a watch.
I found that the connection was cancelled immediately after the client (iwatch) provide the client certificate, by calling completionHandler(NSURLSessionAuthChallengeUseCredential, credential).
The error which I got is
"Error Domain=NSURLErrorDomain Code=-999 "cancelled" UserInfo={NSErrorFailingURLStringKey=serverurl, NSErrorFailingURLKey=serverurl, _NSURLErrorRelatedURLSessionTaskErrorKey=(
"LocalDataTask <BB419DCD-C248-4F3E-8EEB-9AF3AA1A9256>.<1>",
"LocalDataPDTask <BB419DCD-C248-4F3E-8EEB-9AF3AA1A9256>.<1>",
"LocalDataTask <BB419DCD-C248-4F3E-8EEB-9AF3AA1A9256>.<1>"
), _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <BB419DCD-C248-4F3E-8EEB-9AF3AA1A9256>.<1>, NSLocalizedDescription=cancelled}"
.
The request is cancelled by client itself....Its not reaching to server.
When I tried to run the same code on a iphone, it succeed.
I tried to run this api from both types of watch app independent and dependant.
Apart from this TLS request, all other requests work fine on the watch.
Is there anything specifically need to be configured for the watch for client authentication?
Is client authentication not supported in Apple watch? If that is the case It should even not support the api like SecPKS12Import then.

Related

Why I cannot access Firebase Storage

I'm using Firebase Storage to keep some files of my App. Suddenly I started to get an SSL errors on both iOS and Android platform and no idea what's the issue.
iOS :
NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://firebasestorage.googleapis.com:443/v0/b/XXXXX.appspot.com/o?delimiter=/, NSUnderlyingError=0x600002e81440 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9816, _kCFStreamErrorDomainKey=3, _kCFStr
FLTFirebaseStorage: An unknown error occurred while calling method Reference#listAll
Android :
V/NativeCrypto(16839): SSL handshake aborted: ssl=0xbd081f68: Failure in SSL library, usually a protocol error
V/NativeCrypto(16839): error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER (third_party/openssl/boringssl/src/ssl/tls_record.cc:242 0x9b4e9d4c:0x00000000)
W/NetworkRequest(16839): error sending network request GET https://firebasestorage.googleapis.com/v0/b/XXXXXX.appspot.com/o
According to our investigations, USOM (National Cyber Incident Response Center) seems to block firebase cloud storage services. The issue is interestingly seemed to be related more with Turkish Government rather than Firebase. This explains why VPNs still work for accessing your files. ISP is blocked by the government in order not to reach storage services of google. I think someone (may be a responsible team in Google) need to reach them and illuminate that their action is weird and they should not block whole storage service for preventing an access to a file which they think is illegal..
Here you can check the block list:
https://www.usom.gov.tr/url-list.txt
you can search firebasestorage.googleapis.com, it is there.

Email sending stopped working on Siteground Cloud server

The Offload SES Lite plugin is super cool and it was working perfectly when my website is hosted with WP-Engine server. Now I moved my website to Siteground Cloud server and it stopped working. However, when I deactivated the plugin then again the email starts working but then it is delivering in spam/junk folder.
My DKIM and all TXT records are showing as verified on my Amazon AWS Console
Verification Status: verified
DKIM Status: verified
Enabled for Sending: Yes
This is the error message keep getting when I send test email from plugin's page:
Error executing "SendRawEmail" on "https://email.us-east-1.amazonaws.com"; AWS HTTP error: Client error: `POST https://email.us-east-1.amazonaws.com` resulted in a `400 Bad Request` response: <ErrorResponse xmlns="http://ses.amazonaws.com/doc/2010-12-01/">
<Error> <Type>Sender</Type>
<Code>MessageReje (truncated...) MessageRejected (client): Sending paused for this account. For more information, please check the inbox of the email address associated with your AWS account. - <ErrorResponse xmlns="http://ses.amazonaws.com/doc/2010-12-01/">
<Error> <Type>Sender</Type>
<Code>MessageRejected</Code>
<Message>Sending paused for this account. For more information, please check the inbox of the email address associated with your AWS account.</Message>
</Error>
<RequestId>207abefe-4ed7-4013-9c11-4aa1f47c0f04</RequestId>
</ErrorResponse>
Please suggest what causing issue as this was working on previous server but stopped when we moved to new cloud server on siteground.
I also contacted the Siteground team and they are saying that the issue is from applications end but its not.
Thanks.
SiteGround VPS's by default often set the 'envelope-from' email header when left to their own devices, and they will set it to something that is not the same as the declaired 'From' email header you've defined. It will likely be fdo0gbo8mjhs#c54292.sgvps.net or something similar.
This will instantly make DKIM fail.
For any such DKIM rejection errors, you need to actively set the envelope-from value in your code.

FCM notification reply to server

There is a push notification service that sends a message from a web server to an app device. The app has onMessageReceived() method implemented. However, not all the messages are being delivered and I have read somewhere that the delivery_receipt_request field, when set to true then (FCM), replies to the server mentioning the message being either delivered or not. I want to know that how can I catch that reply from the app if the message is delivered to my sender's side code.
Option 1: Via XMPP
You need to run an XMPP client on your backend. This client should connect to FCM with your project parameters. You will then be able to process message delivery stanzas sent to you by FCM. Here are the baby steps:
Follow the steps in https://www.npmjs.com/package/node-xcs to setup the XMPP client, exporting environmental variables with your FCM project parameters.
You can send messages through there.
Listen for message delivery stanzas:
client.on('stanza', function(stanza) {
//HERE IS WHERE YOU PROCESS THE STANZA
console.log('Please process me. I AM, the stanza: ', stanza.toString())
})
The stanza you will get for message delivery will look like this:
<message id="">
<gcm xmlns="google:mobile:data">
{
"category":"com.example.yourapp", // to know which app sent it
"data":
{
“message_status":"MESSAGE_SENT_TO_DEVICE",
“original_message_id”:”m-1366082849205”
“device_registration_id”: “REGISTRATION_ID”
},
"message_id":"dr2:m-1366082849205",
"message_type":"receipt",
"from":"gcm.googleapis.com"
}
</gcm>
</message>
Currently only CCS (XMPP) supports upstream messaging. Knock yourself out.
Option 2: Via HTTP
Now, if you decide to use the FCM HTTP protocol instead to send the messages, then you will have to interpret the response that you get back when you make the HTTP call. You can tell whether the message was delivered or not by looking at the HTTP response header and the error in the body of the response. The structure of the response is described here: https://firebase.google.com/docs/cloud-messaging/http-server-ref#interpret-downstream
Again, knock yourself out.

BizTalk 2016: How to use HTTP Send adapter with API token

I need to make calls to a rest API service via BizTalk Send adapter. The API simply uses a token in the header for authentication/authorization. I have tested this in a C# console app using httpclient and it works fine:
string apiUrl = "https://api.site.com/endpoint/<method>?";
string dateFormat = "dateFormat = 2017-05-01T00:00:00";
using (var client = new HttpClient())
{
client.DefaultRequestHeaders.Add("token", "<token>");
client.DefaultRequestHeaders.Add("Accept", "application/json");
string finalurl = apiUrl + dateFormat;
HttpResponseMessage resp = await client.GetAsync(finalurl);
if (resp.IsSuccessStatusCode)
{
string result = await resp.Content.ReadAsStringAsync();
var rootresult = JsonConvert.DeserializeObject<jobList>(result);
return rootresult;
}
else
{
return null;
}
}
however I want to use BizTalk to make the call and handle the response.
I have tried using the wcf-http adapter, selecting 'Transport' for security (it is an https site so security is required(?)) with no credential type specified and placed the header with the token in the 'messages' tab of the adapter configuration. This fails though with the exception: System.IO.IOException: Authentication failed because the remote party has closed the transport stream.
I have tried googling for this specific scenario and cannot find a solution. I did find this article with suggestions for OAUth handling but I'm surprised that even with BizTalk 2016 I still have to create a custom assembly for something so simple.
Does anyone know how this might be done in the wcf-http send adapter?
Yes, you have to write a custom Endpoint Behaviour and add it to the send port. In fact with the WCF-WebHttp adapter even Basic Auth doesn't work so I'm currently writing an Endpoint Behaviour to address this.
One of the issues with OAuth, is that there isn't one standard that everyone follows, so far I've had to write 2 different OAuth behaviours as they have implemented things differently. One using a secret and time stamp hashed to has to get a token, and the other using Basic Auth to get a token. Also one of them you could get multiple tokens using the same creds, whereas the other would expire the old token straight away.
Another thing I've had to write a custom behaviour for is which version of TLS the end points expects as by default BizTalk 2013 R2 tries TLS 1.0, and then will fail if the web site does not allow it.
You can feedback to Microsoft that you wish to have this feature by voting on Add support for OAuth 2.0 / OpenID Connect authentication
Maybe someone will open source their solution. See Announcement: BizTalk Server embrace open source!
Figured it out. I should have used the 'Certificate' for client credential type.
I just had to:
Add token in the Outbound HTTP Headers box in the Messages tab and select 'Transport' security and 'Certificate' for Transport client credential type.
Downloaded the certificate from the API's website via the browser (manually) and installed it on the local servers certificate store.
I then selected that certificate and thumbprint in the corresponding fields in the adapter via the 'browse' buttons (had to scroll through the available certificates and select the API/website certificate I was trying to connect to).
I discovered this on accident when I had Fiddler running and set the adapter proxy setting to the local Fiddler address (http://localhost:8888). I realized that since Fiddler negotiates the TLS connection/certificate (I enabled tls1.2 in fiddler) to the remote server, messages were able to get through but not directly between the adapter and the remote API server (when Fiddler WASN'T running).

unknown_ca when testing an API

I installed WSO2 APIM 1.9.0 on Windows Server 2012 with JDK 1.7.0_79. When I try to test an API with "Try Me," I get "no response from server." In the console I see an exception "Received fatal alert: unknown_ca".
If you are not using CA signed certs, the browse would not trust the default certs available in https://:8243 So what you need to do is, access https://:8243 from your browser separately and invoke. Then it should work.
Seems to be a SSL/HTTPS issue .
When testing on the /store , ensure you are on the HTTP port and not HTTPS.(the correct url will be on the log)
So if your offset = 0 , the admin console will be :
https://[ip]:9443/carbon
and the store :
http://[ip]:9763/store
If that does not work , paste the Api's HTTPS Request URL in your browser , accept the certificate and try again.

Resources