Certificate Invalid Issue with Alamofire 4.0

ios ssl swift3 alamofire
12,398

I modified my code like below and it worked. I referred Swift: How to Make Https Request Using Server SSL Certificate for fixing this issue.

       class LoginService{
             private static var Manager: Alamofire.SessionManager = {
           
                  // Create the server trust policies
                  let serverTrustPolicies: [String: ServerTrustPolicy] = [
                      
                       "devportal:8443": .disableEvaluation
                  ]
        
                  // Create custom manager
                  let configuration = URLSessionConfiguration.default
                  configuration.httpAdditionalHeaders = Alamofire.SessionManager.defaultHTTPHeaders
                  let manager = Alamofire.SessionManager(
                       configuration: URLSessionConfiguration.default,
                       serverTrustPolicyManager: ServerTrustPolicyManager(policies: serverTrustPolicies)
                  )
        
                  return manager
             }()
        
        
        
             /**
              Calls the Login Web Service to authenticate the user
              */
             public func login(username:String, password: String){
    
    // Handle Authentication challenge
        
          let delegate: Alamofire.SessionDelegate = LoginService.Manager.delegate
         delegate.sessionDidReceiveChallenge = { session, challenge in
              var disposition: URLSession.AuthChallengeDisposition = .performDefaultHandling
              var credential: URLCredential?
              if challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust {
                   disposition = URLSession.AuthChallengeDisposition.useCredential
                   credential = URLCredential(trust: challenge.protectionSpace.serverTrust!)
              } else {
                   if challenge.previousFailureCount > 0 {
                        disposition = .cancelAuthenticationChallenge
                   } else {
                        credential = LoginService.Manager.session.configuration.urlCredentialStorage?.defaultCredential(for: challenge.protectionSpace)
                        if credential != nil {
                             disposition = .useCredential
                        }
                   }
              }
              return (disposition, credential)
         }
    
//Web service Request    
                  let parameters = [
                       "username": "TEST",
                       "password": "PASSWORD",
                          ]
                  let header: HTTPHeaders = ["Accept": "application/json"]
                  LoginService.Manager.request("https://devportal:8443/rest/login", method: .post, parameters: parameters, encoding: JSONEncoding(options: []),headers :header).responseJSON { response in
                       debugPrint(response)
        
                       if let json = response.result.value {
                            print("JSON: \(json)")
                       }
                  }
        
        
        
             }
        }

You should also configure your plist as below

 <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>devportal</key>
        <dict>
            <key>NSTemporaryExceptionMinimumTLSVersion</key>
            <string>TLSv1.2</string>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
    <key>NSAllowsArbitraryLoads</key>
    <false/>
</dict>
</plist>

Do not enter IP or port numbers in your NSExceptiondomains. It won't work. If you are trying to connect to a web server with IP address, map the IP address to a domain by adding a host entry in etc/hosts file in your mac and then use the domain name in NSExceptionDomains

IMPORTANT: Do not use this code in production as this puts your users information at risk, by bypassing auth challenge.

Share:
12,398
CrazyDeveloper
Author by

CrazyDeveloper

Updated on June 14, 2022

Comments

  • CrazyDeveloper
    CrazyDeveloper almost 2 years

    I am trying to consume web services for my iOS app over https. The web server uses a self signed certificate.

    When consuming the web service, I get the error “certificate is Invalid”.

    FAILURE: Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “portal” which could put your confidential information at risk."

    I know the best practise is to fix this at the server side to enable a trusted root CA. But as this is a temporary development environment, we are using a self signed certificate. Since this is ATS issue, I have edited ATS in my info.plist as below.

     <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>devportal</key>
        <dict>
            <key>NSTemporaryExceptionMinimumTLSVersion</key>
            <string>TLSv1.2</string>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
    <key>NSAllowsArbitraryLoads</key>
    <false/>
</dict>
</plist>

    As the NSException domains doesn’t work with IP and port number, I have created a host entry in my etc/hosts file for the web server IP and consuming it like https://devportal:8443/rest/login instead of consuming it as https://192.22.xx.xxx:8443/rest/login

    I have followed alamofire documentation on server trust policies, edited ATS to allow exception domains but nothing worked out for me. I have spent over 3 days on this issue. Am I missing something? Does anybody faced a similar issue? Is there any solution for this? Thanks in advance

    I am using almofire 4.0, Xcode 8.0. Below is my code.

    class LoginService{
     private static var Manager: Alamofire.SessionManager = {

          let pathToCert = Bundle.main.path(forResource: "192.22.xx.xxx", ofType: "crt") // Downloaded this certificate and have added to my bundle
          let localCertificate:NSData = NSData(contentsOfFile: pathToCert!)!

          // Create the server trust policies
          let serverTrustPolicies: [String: ServerTrustPolicy] = [
               "192.22.xx.xxx": .pinCertificates(
                    certificates: [SecCertificateCreateWithData(nil, localCertificate)!],
                    validateCertificateChain: true,
                    validateHost: true
               ),

               "devportal:8443": .disableEvaluation
          ]

          // Create custom manager
          let configuration = URLSessionConfiguration.default
          configuration.httpAdditionalHeaders = Alamofire.SessionManager.defaultHTTPHeaders
          let manager = Alamofire.SessionManager(
               configuration: URLSessionConfiguration.default,
               serverTrustPolicyManager: ServerTrustPolicyManager(policies: serverTrustPolicies)
          )

          return manager
     }()



     /**
      Calls the Login Web Service to authenticate the user
      */
     public func login(username:String, password: String){

          let parameters = [
               "username": "TEST",
               "password": "PASSWORD",
                  ]
          let header: HTTPHeaders = ["Accept": "application/json"]
          LoginService.Manager.request("https://devportal:8443/rest/login", method: .post, parameters: parameters, encoding: JSONEncoding(options: []),headers :header).responseJSON { response in
               debugPrint(response)

               if let json = response.result.value {
                    print("JSON: \(json)")
               }
          }



     }
}
  • PeqNP
    PeqNP almost 5 years
    Beautiful! I didn't need to update my plist. Instead I generated a root CA, created leaf certs, generated pems, installed root cert on device, etc. with the instructions provided by Apple at: developer.apple.com/library/archive/qa/qa1948/_index.html. Thank you!

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Alamofire 4 Swift 3 ParameterEncoding Custom
Could not cast value of type '__NSArrayI' (0x10df73c08) to 'NSDictionary' (0x10df74108)
certificate for this server is invalid
How do I download a file in Alamofire 4 and save to the Documents directory?
How to pass access token to Alamofire?
Alamofire 4.0 Upload MultipartFormData Header
POST request with data in body with Alamofire 4
Cancel a request Alamofire
Download File Using Alamofire 4.0 (Swift 3)
Swift 3 Alamofire multipart upload