9

Can someone tell me why I'm getting the connection errors below? I'm able to hit the API URL via the browser, but when my app tries to make a connection, errors come up. Is it my network? Do I need some kind of certificate on my machine?


finished with error [-1200] Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made."

2
  • show your ATS configuration. Commented Mar 29, 2020 at 11:00
  • @Gereon, see below: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>NSAppTransportSecurity</key> <dict> <key>NSExceptionDomains</key> <dict> <key>openweathermap.org</key> <dict> <key>NSExceptionAllowsInsecureHTTPLoads</key> <true/> <key>NSIncludesSubdomains</key> <true/> </dict> </dict> </dict> Commented Mar 30, 2020 at 0:16

2 Answers

16

I finally got this issue fixed by following the steps below:

#1. Install Zscaler Root CA on iOS simulator and enable full trust

a. Export the Zscaler root CA from my Mac Keychain

b. Drag and drop the exported cert onto my Xcode build in iPhone simulator (this will initiate installation)

c. Go to (within the simulator) General Settings -> About -> Certificate Trust Settings and enable full trust for Zscaler Root CA.

#2. Add NSAllowsArbitraryLoads within the Xcode Project

a. Add an additional key to the project's Info.plist config file

```xml
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>
```


2 Comments

Thank you. Had a slightly different error, and same root cause: Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “” which could put your confidential information at risk." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=( "<cert i: Zscaler Intermediate Root CA (zscalerthree.net) (t) >",...
Step #2 (adding NSAllowsArbitraryLoads) is not necessary to deal with the Zscaler Root CA issue -- Step #1 (installing the root certificate on the Simulator) is enough.
5

The trace shows that the connection to openweathermap.org is passed through the ZScaler security proxy which replaces the root CA in order to intercept and analyze the traffic. Since this root CA is not trusted by your app for this site the connection fails. For more information see Public Key Pinning (PKP) and Zscaler.

8 Comments

Hi Steffen. I checked out the link you have provided but I still don't know how to fix this problem. Is it the settings on my Mac I need to adjust to bypass the proxy setting? It is Xcode where the errors come up. And also, I'm guessing I need to have Admin rights on the machine to fix it? I would really appreciate your help - I'm completely useless with network stuff.
FYI - I've also tried to update Project's info.plist file to include NSAppTransportSecurity > NSExceptionAllowsInsecureHTTPLoads but still same issue :(
@marika.daboja: Unfortunately there is practically nothing known about your application. But the problem is that it will return an unexpected certificate with HTTPS which means that NSExceptionAllowsInsecureHTTPLoads will not help since it means that plain HTTP will be allowed but says nothing about HTTPS. Depending on your application you need to either import the ZScaler CA as trusted in the phone (might be done already) and to disable certificate pinning. There is no "bypass proxy setting" but instead you have to properly deal with the SSL intercepting proxy (i.e. trust it).
Steffen, to give you some background: this is a simple weather app which allows the user to type a location, i.e. London, and the app will then display the current temperature, i.e. 21'C, which is data fetched from the OpenWeatherMap.org API. I have implemented the API URL let weatherURL = "https://api.openweathermap.org/data/2.5/weather?appid={id}&units=metric" and then I added a function to append this URL with the location typed by the user.
@marika.daboja: Again, "bypass" is no way but you have to properly deal with the interception. This means removing the ZScaler Root CA would be exactly the wrong thing to do since it will only cause even more applications and your browser to fail. Instead you likely need to install the ZScaler Root CA into your simulator - see developer.apple.com/library/archive/qa/qa1948/_index.html. And again, I don't know enough about your application to understand if this is really sufficient. If you have certificate pinning then this will not be enough.
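
To confirm from inside the app that an intercepting proxy such as Zscaler issued the certificate chain, the session delegate below logs each certificate the server presented and the system trust verdict, then defers to default handling so the connection outcome is unchanged. It is an added example, not code from this thread; `ChainLoggingDelegate` and `probeWeatherAPI` are hypothetical names, and `SecTrustCopyCertificateChain` assumes iOS 15 / macOS 12 or later.

```swift
import Foundation
import Security

// Added diagnostic example (hypothetical names, not from the original thread).
final class ChainLoggingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = space.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Ask the system for its verdict using the trust store of this device or simulator.
        var error: CFError?
        let trusted = SecTrustEvaluateWithError(trust, &error)
        let reason = error.map { String(describing: $0) } ?? "none"
        print("\(space.host): system trust = \(trusted), error = \(reason)")

        // Index 0 is the server (leaf) certificate; later entries are the issuing CAs.
        // Behind a TLS-inspecting proxy the issuers are the proxy's CAs, not a public CA.
        let chain = (SecTrustCopyCertificateChain(trust) as? [SecCertificate]) ?? []
        for (index, cert) in chain.enumerated() {
            let summary = SecCertificateCopySubjectSummary(cert) as String? ?? "<no subject summary>"
            print("  chain[\(index)]: \(summary)")
        }

        // Diagnostic only: never override the verdict here. Default handling keeps
        // the normal certificate checks (and App Transport Security) in force.
        completionHandler(.performDefaultHandling, nil)
    }
}

// Call from app code, e.g. once at launch in a debug build.
func probeWeatherAPI() {
    let session = URLSession(configuration: .ephemeral,
                             delegate: ChainLoggingDelegate(),
                             delegateQueue: nil)
    let url = URL(string: "https://api.openweathermap.org/")!
    session.dataTask(with: url) { _, _, error in
        print(error.map { "request failed: \($0)" } ?? "request succeeded")
    }.resume()
}
```

If the logged issuers are the proxy's CAs and system trust is false, the root is missing from the simulator's trust store; once it is installed and fully trusted, the same run should report system trust as true without any App Transport Security exception.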