When building iOS Anywhere applications if I set the worklight.server.url to an https address (doesn't matter which, just that it's https address) the application will then not be able to connect to the server when installed on the device, or any server even if changed in the settings. When trying to log in it brings up the loading message and then just fails with no error.
If I build the application pointed at an http address and then change it in the settings to the https it works fine. So it seems to be something specific to the built app.
Android and simulator both work fine.
Check your ssl certificate configuration on the Worklight server. https://www.ibm.com/support/knowledgecenter/en/SSZH4A_6.0.0/com.ibm.worklight.help.doc/admin/c_ssl_config.html
The issue was caused by ATS settings. The server was failing when Forward Secrecy was in use. I tested this using nscurl: receiving the following results:
TLSv1.2
ATS Dictionary:
{
NSExceptionDomains = {
"*customer-details*.com" = {
NSExceptionMinimumTLSVersion = "TLSv1.2";
};
};
}
2018-03-12 12:40:12.277 nscurl[21636:8171556] CFNetwork SSLHandshake failed (-9824)
2018-03-12 12:40:12.278 nscurl[21636:8171556] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9824, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fe06b62a410 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9824, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9824}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://*customer-details*.com/, NSErrorFailingURLStringKey=https://*customer-details*.com/, _kCFStreamErrorDomainKey=3}
I updated the info.plist file in the iphone native folder to match the below settings:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<false/>
<key>NSExceptionDomains</key>
<dict>
<key>*customer-details*.com</key>
<dict>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>
<key>NSExceptionMinimumTLSVersion</key>
<string>TSLv1.2</string>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
<true/>
</dict>
</dict>
</dict>
The important setting in my case being NSExceptionRequiresForwardSecrecy being set to false.
I originally overlooked this as NSAllowsArbitraryLoads was set to true but this doesn't seem to have an effect.
Related
I am trying to connect to a client's Oracle database over SSL using the managed ODP.NET provider. The client has provided a self-signed certificate which I have imported on the server. To test the connection, I created a console app which simply opens the connection then closes it. This works successfully. However, when trying the same simple connection from ASP.NET on the same server, I always get this error:
Oracle.ManagedDataAccess.Client.OracleException (0x80004005): Network Transport: SSL failure in parsing wallet location --->
OracleInternal.Network.NetworkException (0xFFFFE700): Network Transport: SSL failure in parsing wallet location
Here is the connection string:
Data Source=(DESCRIPTION=(ADDRESS=(PROTOCOL = TCPS)(HOST = xxx.xx.xx.xxx)(PORT = 3484))(CONNECT_DATA=(SERVER = DEDICATED)(SERVICE_NAME = TEST.CLIENT.COM)(SID = TEST))); User Id = userid; Password = pa55word;
In the config files, I point to a directory for the SQLNET settings:
<oracle.manageddataaccess.client>
<version number="*">
<settings>
<setting name="TNS_ADMIN" value="C:\Oracle\tnsfiles" />
</settings>
</version>
</oracle.manageddataaccess.client>
And finally these settings from sqlnet.ora in that directory:
SQLNET.AUTHENTICATION_SERVICES=(BEQ,TCPS)
ENCRYPTION_WALLET_LOCATION = (SOURCE=(METHOD=MCS))
WALLET_LOCATION= (SOURCE=(METHOD=MCS))
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_VERSION = 1.2
Is there any reason why the connection from the console app succeeds, but from ASP.NET it fails on a wallet error? They are using the exact same settings. I tried a lot of different things but I welcome any suggestions.
I have just installed an intermediate & primary SSL certificate on my VPS. Everything is working well, except when I make a cfhttp call:
<cfhttp url="https://advert.establishmindfulness.com/ad-zone-1/?categoryid=1" method="get" result="adzone" />
<cfdump var="#adzone#" />
From https://app.establishmindfulness.com to https://advert.establishmindfulness.com. These 2 subdomains are on the same server, and I am using a wildcard SSL certificate:
*.establishmindfulness.com
That covers all sub domains.
VPS environment
OS: Windows 2008R2 with IIS7
Application server: Lucee 4.5.2.018 final
Servlet Container: Apache Tomcat/8.0.28
Java: 1.8.0_66 (Oracle Corporation) 64bit
Do I need to install the intermediate.crt & primaryssl.crt into my keystore cacerts? Is this the problem?
I tried just installing the certificate.cer that I grabbed from Internet Explorer, but maybe this is the wrong approach?
I still get the error:
Error Detail
Unknown host: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
OK. For anyone who comes across this issue, instead of having to spend several hours pulling your hair out, I managed to get the connection to work:
This is taken from the following link:
https://groups.google.com/forum/#!topic/lucee/BPm8vYdgkPQ
Thank you Dominic Watson
I've just tried this and got it working:
Log in to Lucee server admin and navigate to "SSL Certificates"
Enter your host name "establishmindfulness.com" in the Host field (without the quotes)
Hit "list" button
Hit "install" button
That's it. The cfhttp call started working.
I was needing to view the backend https requests made by my androidTV's application, but, as the calls are "https" calls I am needing to install a charles certificate (on my androidTV) to allow charles to decrypt them.
If anyone knows how to install a certificate on androidTV please tell me.
Thanks a lot!
I wrote an article on this: https://zahidrasheed.medium.com/charles-proxy-with-androidtv-fedc863e7039
TLDR;
1- Export root certificate from charles app and put it under res/raw by:
Help > SSL Proxying > Save Charles Root Certificate… and save it as charles_ssl_cert.pem file.
2- Embed the certificate in the app through network-security-config.xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<debug-overrides>
<trust-anchors>
<certificates src="system" />
<certificates src="#raw/charles_ssl_cert" />
<certificates src="user" />
</trust-anchors>
</debug-overrides>
</network-security-config>
3- Export the root certificate again by:
Help > SSL Proxying > Export Charles Certificate and Private Key
Now share the .p12 file with users who would like to test the app. The need to:
Proxy > SSL Proxying Settings > Root Certificate > Import P12 (Enter the password you used above).
You can install SSL certs in the Android Emulator through ADB, given that you use an emulator image without Google Play Services. This will allow you to root your emulator and push the certificate to the cacerts directory in /system. This means you can install SSL certificates on AndroidTV even though there is no UI for this available in settings.
To install your certificate in the emulator, follow these steps:
Get an Android (TV) emulator without Play Services and give it a convenient name
Go to $ANDROID_HOME/emulator and run ./emulator #<emulatorname> -writable-system. If you run the emulator through Android Studio, you won't be able to mount the system partition as writable.
adb root
adb remount
openssl x509 -inform PEM -subject_hash_old -in <your certificate>.pem | head -n 1 , this will give you a hash you'll need in the following steps
Rename <your certificate>.pem to <hash>.0 (e.g. 711d79cc.0)
adb push <hash>.0 /system/etc/security/cacerts/<hash>.0
adb shell chmod 644 /system/etc/security/cacerts/<hash>.0
You can do it programmatically. See here for more details. I haven't found an option to do it from the Android TV UI unfortunately.
EDIT: Even that fails with
android.content.ActivityNotFoundException: Unable to find explicit activity class {com.android.settings/com.android.settings.CredentialStorage}; have you declared this activity in your AndroidManifest.xml?
So I don't know how to do this...
This has been asked before but I am completely stuck and nothing so far has worked for me that has been listed in other questions. While this refers to Identity Server I think i have missed something in setting SSL up.
I have setup as follows (this is with IIS express not full IIS):
Identity Server app: auth.testhost.com:44373/core
Web API service: https://localhost:44356/
I get the error in the title on the line:
app.UseIdentityServerBearerTokenAuthentication(options);
This is basically requesting some open configuration options from the server at auth.testhost.com:44373/core/.well-known/openid-configuration.
My options are:
Authority = "https://auth.testhost.com:44373/core",
RequiredScopes = new List<string>() { "api" }
In some examples I see a client id and secret, but they are not available in the options for me: is this a problem?
If you need to see any identity server options please say and I'll post.
I ran the following command to create a cert:
makecert.exe -r -pe -n "CN=auth.testhost.com" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -len 2048
This generated the certificate, which I then exported to Trusted Root Certification Authorities.
From what I can tell, the SSL port bindings should be handled by Visual Studio as I am using IIS Express. Below are the bindings it has:
<site name="Authenticator_V2" id="2">
<application path="/" applicationPool="Clr4IntegratedAppPool">
<virtualDirectory path="/" physicalPath="c:\users\user\documents\visual studio 2015\Projects\Authenticator_V2\Authenticator_V2" />
</application>
<bindings>
<binding protocol="http" bindingInformation="*:49755:localhost" />
<binding protocol="https" bindingInformation="*:44373:localhost" />
<binding protocol="https" bindingInformation="*:44373:auth.testhost.com" />
</bindings>
</site>
<site name="APIClient2" id="7">
<application path="/" applicationPool="Clr4IntegratedAppPool">
<virtualDirectory path="/" physicalPath="C:\Users\user\documents\visual studio 2015\Projects\Authenticator_V2\APIClient2" />
</application>
<bindings>
<binding protocol="http" bindingInformation="*:53812:localhost" />
<binding protocol="https" bindingInformation="*:44356:localhost" />
</bindings>
</site>
This is my hosts file:
127.0.0.1 localhost
127.0.0.1 hybrid.testhost.com
127.0.0.1 auth.testhost.com
When I go to https://auth.testhost.com:44373/ I still have a red line through my protocol. I assume this means something has not been configured correctly still. I am using Chrome and clicking on the certificate gives:
"Your connection to this site is not private."
Details:
SHA-1 Certificate
The certificate for this site expires in 2017 or later, and the certificate chain contains a certificate signed using SHA-1.
View certificate
Certificate Error
There are issues with the site's certificate chain (net::ERR_CERT_COMMON_NAME_INVALID).
I looked at the ERR_CERT_COMMON_NAME_INVALID error and it seems that is a chrome bug. However my error is being thrown from the web services server trying to connect to the authentication server so I think I can ignore this one???
I also ran netsh to check there was a cert binding set up:
netsh http show sslcert ipport=0.0.0.0:44373
SSL Certificate bindings:
-------------------------
IP:port : 0.0.0.0:44373
Certificate Hash : HAS ODD HASH - REMOVED
Application ID : {HAS GUID - REMOVED}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
Reject Connections : Disabled
At this point a noticed this hash is not the right one for my certificate. It is for the IIS Express localhost. I found this link: IdentityServer: The remote certificate is invalid according to the validation procedure and copied the steps to move the localhost certificate into the Trusted Root Certification Authorities but unfortunately I still have the error. I now am not sure what else to do.
Scope Configuration:
new Scope
{
Name = "api",
DisplayName = "Can call API",
Enabled = true,
Type = ScopeType.Resource
//ScopeSecrets = new List<Secret> { }
}
All my clients have this scope.
Thanks
This issue was fixed by upgrading all but IdentityModel.Jwt to latest versions, which gave the options to set the Certificate and Issuer Name on the bearer options. Both of these were required to be set for the error to go away
I am developing a website with Symfony2 on a localhost[Wamp] running on Windows, I need for login to the sitewith HWIOAuthBundle[facebook, Google] but everytime when I click on login I get this error message:
SSL certificate problem: unable to get local issuer certificate
How I can avoid this message for the moment?
Download the file http://curl.haxx.se/ca/cacert.pem
and add this to your php.ini
curl.cainfo="path/to/your/cacert.pem"
and restart your server !
(see this answer)
download curl ca cert:
http://curl.haxx.se/ca/cacert.pem
export CURL_CA_BUNDLE="cacert.pem"