iOS - SSL Handshake - Client Certificate - NSURLSession - NSURLErrorDomain Code=-1200 - Wrong chain

Question

I am trying to invoke a webservice using an iPhone with Objective C and I am having the following error:

error -->Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9806, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x600000243690 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9806, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9806}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://./, NSErrorFailingURLStringKey=https://./, _kCFStreamErrorDomainKey=3}

Info.plist Configuration

<dict>
  <key>NSAllowsArbitraryLoads</key>
  <true/>
</dict>

Information about the server:

TLS 1.2
Client Certificate Authentication Requirement ON
Ciphers list:

• TLS_RSA_WITH_AES_256_CBC_SHA256
• TLS_RSA_WITH_AES_128_CBC_SHA256
• TLS_RSA_WITH_AES_256_CBC_SHA
• TLS_RSA_WITH_AES_128_CBC_SHA
• TLS_RSA_WITH_3DES_EDE_CBC_SHA

Note: After adding a charles proxy managing the client certificate in the middle of the client (iOS) and the server, the request was completed with success. Therefore I can conclude the client certificate I am using is valid.

Any advice how I can tackle this problem or any clue which configuration am I doing wrong?

My guess is regarding the client certificate configuration because I am already using the exact same configuration with a similar service (ssl layer/server ciphers) that doesn’t have the requirement of a Client Certificate authentication.

Used Code:

- (void)callWebService:(NSString *)urlStr
             operation:(NSString *)operation
                  body:(NSString *)body
              resolver:(RCTPromiseResolveBlock)resolve
              rejecter:(RCTPromiseRejectBlock)reject {

  NSLog(@"Starting callWebservice");

  NSURL *url = [NSURL URLWithString:urlStr];
  NSMutableURLRequest *theRequest = [NSMutableURLRequest requestWithURL:url];
  NSString *msgLength = [NSString stringWithFormat:@"%lu", (unsigned long) [body length]];

  [theRequest addValue:@"text/xml; charset=utf-8" forHTTPHeaderField:@"Content-Type"];
  [theRequest addValue:msgLength forHTTPHeaderField:@"Content-Length"];
  [theRequest addValue:operation forHTTPHeaderField:@"SOAPAction"];
  [theRequest addValue:@"iOS" forHTTPHeaderField:@"User-Agent"];
  [theRequest setHTTPMethod:@"POST"];
  [theRequest setHTTPBody:[body dataUsingEncoding:NSUTF8StringEncoding]];

  NSURLSessionConfiguration *defaultConfigObject = [NSURLSessionConfiguration defaultSessionConfiguration];
  NSURLSession *session = [NSURLSession sessionWithConfiguration: defaultConfigObject
                                                        delegate: self
                                                   delegateQueue: [NSOperationQueue mainQueue]];


  NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:theRequest
                                              completionHandler:^(NSData *responseData, NSURLResponse *response, NSError *error)
                                    {
                                      NSLog(@"Completed request");

                                      if (error != nil) {
                                        NSLog(@"error -->%@", error);
                                        reject(@"Auth error", @"There were authentication errors", error);
                                      } else {
                                        NSString *responseStr = [[NSString alloc] initWithData:responseData encoding:NSUTF8StringEncoding];
                                        NSLog(@"-->%@", responseStr);
                                        resolve(responseStr);
                                      }


                                    }];
  [dataTask resume];

}

- (void)URLSession:(NSURLSession *)session
              task:(NSURLSessionTask *)task
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential *credential))completionHandler
{
  NSLog(@"didReceiveChallenge: %@", challenge.protectionSpace.authenticationMethod);

  if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodClientCertificate]) {

    NSLog(@"challenged for client certificate");

      NSString *sslCertName = @"certificate_name";
      NSString *path2 = [[NSBundle mainBundle] pathForResource:sslCertName ofType:@"p12"];
      NSData *p12data = [NSData dataWithContentsOfFile:path2];

      CFDataRef inP12data = (__bridge CFDataRef) p12data;

      SecIdentityRef myIdentity;
      SecTrustRef myTrust;

      extractIdentityAndTrust(inP12data, &myIdentity, &myTrust);

      SecCertificateRef myCertificate;
      SecIdentityCopyCertificate(myIdentity, &myCertificate);
      const void *certs[] = {myCertificate};
      CFArrayRef certsArray = CFArrayCreate(NULL, certs, 1, NULL);

      CFRelease(myCertificate);

      secureCredential = [NSURLCredential credentialWithIdentity:myIdentity
                                                    certificates:(__bridge NSArray *) certsArray
                                                     persistence:NSURLCredentialPersistencePermanent];

    CFRelease(certsArray);

    [[challenge sender] useCredential:secureCredential forAuthenticationChallenge:challenge];

    completionHandler(NSURLSessionAuthChallengeUseCredential, secureCredential);
  }

  else if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {

    NSLog(@"challenged for server trust");

    [challenge.sender useCredential:[NSURLCredential credentialForTrust: challenge.protectionSpace.serverTrust]
         forAuthenticationChallenge: challenge];

    completionHandler(NSURLSessionAuthChallengeUseCredential,
                      [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]);
  } else {

    NSLog(@"other challenge");

    if ([challenge previousFailureCount] == 0) {

      [[challenge sender] continueWithoutCredentialForAuthenticationChallenge:challenge];

    } else {

      [[challenge sender] continueWithoutCredentialForAuthenticationChallenge:challenge];
      completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge,nil);
    }

  }
}


OSStatus extractIdentityAndTrust(CFDataRef inP12data, SecIdentityRef *identity, SecTrustRef *trust)
{
  OSStatus securityError = errSecSuccess;

  CFStringRef password = CFSTR("certificate_password");
  const void *keys[] = { kSecImportExportPassphrase };
  const void *values[] = { password };

  CFDictionaryRef options = CFDictionaryCreate(NULL, keys, values, 1, NULL, NULL);

  CFArrayRef items = CFArrayCreate(NULL, 0, 0, NULL);

  securityError = SecPKCS12Import(inP12data, options, &items);

  if (securityError == 0) {
    CFDictionaryRef myIdentityAndTrust = CFArrayGetValueAtIndex(items, 0);
    const void *tempIdentity = NULL;
    tempIdentity = CFDictionaryGetValue(myIdentityAndTrust, kSecImportItemIdentity);
    *identity = (SecIdentityRef)tempIdentity;
    const void *tempTrust = NULL;
    tempTrust = CFDictionaryGetValue(myIdentityAndTrust, kSecImportItemTrust);
    *trust = (SecTrustRef)tempTrust;
  }

  if (options) {
    CFRelease(options);
  }

  return securityError;
}

EDIT WITH EXTRA INFORMATION

After some wireshark investigation it seems the iOS is sending the client certificate twice and the server closes the connections.

Tried the solution specified here: http://oso.com.pl/?p=207&lang=en but it breaks all my code

Answer 1

Solution for now

After comparing the wireshark packets between a succesfull request (android) and the iOS failing request, I noticed the iOS was sending the client certificate alone while the Android and Charles Proxy were sending the client certificate full chain.

I am still investigating which is the reason the full chain isn't sent on iOS. Maybe because it doesn't trust the intermediate and root certificate that signed the client certificate?

Anyway I managed to get the SSL handshake to work on iOS by hammering the sent chain with the following code:

  NSString *sslCertName = @"teste_webservices";
  NSString *path2 = [[NSBundle mainBundle] pathForResource:sslCertName ofType:@"p12"];
  NSData *p12data = [NSData dataWithContentsOfFile:path2];

  CFDataRef inP12data = (__bridge CFDataRef) p12data;

  SecIdentityRef myIdentity;
  SecTrustRef myTrust;

  extractIdentityAndTrust(inP12data, &myIdentity, &myTrust);


  NSData *ca1CertData = [NSData dataWithContentsOfFile:[[NSBundle mainBundle] pathForResource:@"ca1" ofType:@"cer"]];
  SecCertificateRef ca1CertRef = SecCertificateCreateWithData(kCFAllocatorDefault, (CFDataRef) ca1CertData);
  NSData *rootCertData = [NSData dataWithContentsOfFile:[[NSBundle mainBundle] pathForResource:@"rootCa" ofType:@"cer"]];
  SecCertificateRef rootCertRef = SecCertificateCreateWithData(kCFAllocatorDefault, (CFDataRef) rootCertData);


  SecCertificateRef myCertificate;
  SecIdentityCopyCertificate(myIdentity, &myCertificate);
  const void *certs[] = {ca1CertRef, rootCertRef};

  CFArrayRef certsArray = CFArrayCreate(NULL, certs, 2, NULL);

  CFRelease(myCertificate);

  secureCredential = [NSURLCredential credentialWithIdentity:myIdentity
                                                certificates:(__bridge NSArray *) certsArray
                                                 persistence:NSURLCredentialPersistencePermanent];