
I've read every answer I could find on this topic, but I'm still having issues with a self-signed certificate running on localhost. My iOS test is very simple:

```swift
Alamofire.request("https://localhost:4567/hello").responseJSON { (dataRes) in
  guard let jsonData = dataRes.data else { return }
  NSLog("Received JSON: \(jsonData)")
}
```

Which results in the output:

```
2016-11-06 10:59:12.566 Chatty[20454:772766] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
2016-11-06 10:59:12.583 Chatty[20454:772681] Received JSON: 0 bytes
```

With the following Info.plist:

```xml
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <false/>
    <key>NSExceptionDomains</key>
    <dict>
        <key>localhost:4567</key>
        <dict>
            <key>NSAllowsArbitraryLoads</key>
            <true/>
        </dict>
    </dict>
</dict>
```

I've also tried it without the port, and I even tried the dreaded:

```xml
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>
```

Which fails with a different error code (-9813):

```
2016-11-06 11:01:22.773 Chatty[20750:776671] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
```

Other apps (like my Mocha tests) connect fine, as does Safari:

[Image: Simulator Image]

Ideally I would like to update my iOS simulator to accept only this self-signed certificate (I have the .cer file, and have even dragged it into the simulator and 'trusted' it with no apparent effects), however I would also be okay with an exclusion for localhost if that's the only way - but can't seem to get either to work.

What am I missing?

Edit: Updating my Info.plist to the following also left me with -9802 as the error code:

```xml
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>localhost:4567</key>
        <dict>
            <key>NSAllowsArbitraryLoads</key>
            <true/>
            <key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>
```
Forge
Craig Otis
  • Maybe try using port `8080` or port `443`... – l'L'l Nov 06 '16 at 16:14
  • I updated both the web server and the iOS app to run on `8080`, with no change. – Craig Otis Nov 06 '16 at 16:15
  • You might need to add the `NSThirdPartyExceptionAllowsInsecureHTTPLoads` key and set it to true. (i.e. `NSAppTransportSecurity` > `NSExceptionDomains` > `your.domain.com` > `NSThirdPartyExceptionAllowsInsecureHTTPLoads` > `YES`). – l'L'l Nov 06 '16 at 16:22
  • Also, I think the first `NSAllowsArbitraryLoads` > `False` you have is globally set, so it's overriding the `NSExceptionDomains` that follows it. – l'L'l Nov 06 '16 at 16:36
  • @l'L'l Unfortunately those changes left me with `-9802` as well - question updated with the final `Info.plist` I tried using. – Craig Otis Nov 06 '16 at 16:46
  • It seems the problem is more on the server side from the looks of it... the error (-9813) is "NSOSStatusErrorDomain errSSLNoRootCert", https://developer.apple.com/library/content/technotes/tn2232/_index.html//apple_ref/doc/navigation/ – l'L'l Nov 06 '16 at 17:04
  • It is indeed a self-signed root certificate - is this not standard? Do self-signed certificates normally have signed roots? http://imgur.com/a/tHSp0 – Craig Otis Nov 06 '16 at 17:07
  • That is standard for a self-signed cert, although you need to specify the trust settings on it to allow it to be used. (i.e. "Trust" > "When using this certificate" dropdown menu > "Always Trust" > "Item"). When you do that you should have a blue (+) instead of a ⚠️... – l'L'l Nov 06 '16 at 17:12
  • @l'L'l Where do you see those settings? – Craig Otis Nov 06 '16 at 18:32
  • In iOS it's "Settings" > "About" > "Certificate Trust Settings". In OS X it's available from Keychain Access by clicking on the cert. If you don't see the option then you likely need to recreate the cert and select allow custom/override default settings. – l'L'l Nov 06 '16 at 18:46
  • Did you try http://stackoverflow.com/a/22674004/5276890? I seem to recall implementing it at some point to connect to self-signed dev servers. I implemented the NSURLConnection one and of course you'll need to port to Swift. But it should work unless they changed the rules. – Roy Falk Nov 06 '16 at 19:07
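
The question asks for a way to trust only this one self-signed certificate, and the last comment points at handling the authentication challenge. The following is an added example of that approach using plain `URLSession` instead of Alamofire; it is not code from the question or from any commenter. The resource name `dev-server.cer` and the class and function names are hypothetical, and `SecTrustEvaluateWithError` requires iOS 12 or later.

```swift
import Foundation
import Security

// Pins one bundled development certificate for one host. Every other
// challenge falls through to the system's default trust evaluation.
final class PinnedLocalhostDelegate: NSObject, URLSessionDelegate {
    private let pinnedHost = "localhost"   // host only; the protection space host carries no port
    private let pinnedCert: SecCertificate

    // "dev-server" is a hypothetical name for the DER-encoded .cer added to the app bundle.
    init?(resource: String = "dev-server", bundle: Bundle = .main) {
        guard let url = bundle.url(forResource: resource, withExtension: "cer"),
              let der = try? Data(contentsOf: url),
              let cert = SecCertificateCreateWithData(nil, der as CFData) else { return nil }
        pinnedCert = cert
        super.init()
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              space.host == pinnedHost,
              let trust = space.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Anchor evaluation on the pinned certificate only (system roots are excluded).
        // The SSL policy already attached to the trust object still checks the hostname.
        guard SecTrustSetAnchorCertificates(trust, [pinnedCert] as CFArray) == errSecSuccess,
              SecTrustSetAnchorCertificatesOnly(trust, true) == errSecSuccess,
              SecTrustEvaluateWithError(trust, nil) else {
            completionHandler(.cancelAuthenticationChallenge, nil)   // fail closed
            return
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

// Issues the same request as the question through a session that uses the pinning delegate.
func fetchHello(using delegate: PinnedLocalhostDelegate) {
    let session = URLSession(configuration: .ephemeral, delegate: delegate, delegateQueue: nil)
    let url = URL(string: "https://localhost:4567/hello")!
    session.dataTask(with: url) { data, _, error in
        NSLog("Received \(data?.count ?? 0) bytes, error: \(String(describing: error))")
    }.resume()
}
```

Because the delegate cancels the challenge whenever evaluation fails, a different certificate presented on `localhost` is rejected instead of silently accepted.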

0 Answers