OAuth2
How to Disable SSL Evaluation for self signed certificates
My API's SSL is using a self-signed certificate. When I call authorize() it throws "An SSL error has occurred and a secure connection to the server cannot be made".
How can I bypass certificate verification for self-signed certificates?
In cURL, it works with --insecure.
It's not well documented but you can use OAuth2DebugURLSessionDelegate for this:

    self.oauth = OAuth2...(settings: [:])
    oauth.sessionDelegate = OAuth2DebugURLSessionDelegate(host: "domain.com")
    oauth.authorize() { params, error in
        // ...
    }
Tried with localhost/IP, resulted in the same error.
The reason for using self-signed is that our app is built on top of a local machine (Wifi Controller). Private IPs are not issued SSL certificates by any CA (so we must always use self-signed).
When I print params in authorize(), it is always nil. Is there anything wrong with this?
params is expected to be nil when authorization doesn't succeed – it would contain authorization parameters.
Can you try to debug, set a breakpoint in OAuth2DebugURLSessionDelegate#42? Which version are you running, latest master?
I am using p2.OAuth2 (2.3.0), the breakpoint is not triggered.
Set a break point at OAuth2Base.swift#220 to check whether the session is correctly initiated.
The breakpoint at "if nil == _session" is hit; does it mean my session isn't properly initiated?
When you step through, does it create a new session (line 222) and does it use your sessionDelegate on that same line?
I just tried with the 2.3 version, the breakpoint should be set in OAuth2Request.swift#71. It breaks for me, so this should work. I'm not sure if the IP-based thing works, though, maybe it must be a domain name, but it should still break on line 71.
Did you get this to work?
Yes, it did work by creating a Manager with DisableEvaluation policy.
Great, thanks for the code example!
Hi, I have the same problem using a self-signed certificate, OAuth2DebugURLSessionDelegate() does not work. My code:

    client!.sessionDelegate = OAuth2DebugURLSessionDelegate(host: "xxx.dev")
    client!.authorize() { authParameters, error in
        if let params = authParameters {
            print("Authorized! Access token is in `oauth2.accessToken`")
            print("Authorized! Additional parameters: \(params)")
        }
        else {
            print("Authorization was cancelled or went wrong: \(error)") // error will not be nil
        }
    }
And log:
[Debug] OAuth2: Requesting new access token from https://xxx.dev/oauth/token
2017-01-08 17:49:55.025 ParkIn-v2[31429:9582746] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
[Debug] OAuth2: Error obtaining access token: Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9824, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x600000251a90 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9824, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9824}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://xxx.dev/oauth/token, NSErrorFailingURLStringKey=https://xxx.dev/oauth/token, _kCFStreamErrorDomainKey=3}
[Debug] OAuth2: An SSL error has occurred and a secure connection to the server cannot be made.
Authorization was cancelled or went wrong: Optional(An SSL error has occurred and a secure connection to the server cannot be made.)
Any idea? Thanks.
Are the breakpoints mentioned above being called?
Hi @p2, no, it's the same situation. I'm also trying with a custom manager but with no effect. I think the problem is with ATS but I have no solution. I'm using a self-signed certificate generated by MAMP and another generated manually, with no effect.
Which version of the OAuth2 framework are you using, and how (Pod, Carthage, source)?
I'm using p2.OAuth2 (3.0.1) (Podfile.lock), my Podfile: pod 'p2.OAuth2', '~> 3.0'. Thank you.
For more information, these are my ATS settings:

    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <true/>
        <key>NSExceptionDomains</key>
        <dict>
            <!-- xxx.dev is my local domain (served by MAMP Pro) -->
            <key>xxx.dev</key>
            <dict>
                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSExceptionRequiresForwardSecrecy</key>
                <false/>
                <key>NSIncludesSubdomains</key>
                <true/>
            </dict>
        </dict>
    </dict>
@aliasdoc Were you able to resolve this issue? If not, do you have a public-facing server with the self-signed certificate so I can test with?
I have been attempting to do this with OAuth2DataLoader with ATS and OAuth2DebugURLSessionDelegate, only to be greeted with the error:
"The certificate for this server is invalid. You might be connecting to a server that is pretending to be "https://*******************" which could put your confidential information at risk."
I don't have control over the server I'm trying to access. (it's internal work stuff) I'll probably try using Alamofire and see if I can get it to work as someone got success with it above.
Are you on latest master or using CocoaPods? Try latest master as it contains a change to this, which is not yet podded.
This is now in the latest Pod.
Just FYI, to use OAuth2DebugURLSessionDelegate() with a self-signed certificate, you need to set your ATS like this:

    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <true/>
    </dict>

And only THIS; if you specify some other keys, the sessionDelegate is not fired.
Hi, I am also facing the same issue. Can someone please help me out of this? Here is my code:
    import OAuth2

    let oauth2 = OAuth2CodeGrant(settings: [
        "client_id": "codeclient",
        "client_secret": "secret",
        "authorize_uri": "https://local-host/4532/core/connect/authorize",
        "token_uri": "https://local-host/4532/core/connect/token", // code grant only
        "redirect_uris": ["https://localhost:3000/account/oauth2"], // register your own "myapp" scheme in Info.plist
        "scope": "openid profile email role offline_access read write",
        "secret_in_body": true, // Github needs this
        "keychain": false, // if you DON'T want keychain integration
    ] as OAuth2JSON)
    let base = URL(string: "https://local-host1/4532/core/.well-known/openid-configuration")!
    oauth2.sessionDelegate = OAuth2DebugURLSessionDelegate(host: "local-host")
    // URLRequest is a value type, so it must be `var` to add the header below
    var req = oauth2.request(forURL: base)
    req.setValue("application/vnd.github.v3+json", forHTTPHeaderField: "Accept")
    let oauthloader = OAuth2DataLoader(oauth2: oauth2)
    oauthloader.perform(request: req) { response in
        do {
            let dict = try response.responseJSON()
            DispatchQueue.main.async {
                // you have received `dict` JSON data!
            }
        }
        catch let error {
            DispatchQueue.main.async {
                // an error occurred; inspect `error`
            }
        }
    }
Adding a self-generated trusted root certificate doesn't work. What's the best way here? To bypass the check, or to make the SSL certificate trusted?
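The following is an added example, not code from this thread or from the p2/OAuth2 library. It answers the "bypass or trust" question raised repeatedly above (the maintainer's OAuth2DebugURLSessionDelegate suggestion and the last post) with the middle ground a practitioner would actually ship: instead of disabling evaluation for a whole host, the delegate accepts exactly one known self-signed certificate (its DER bytes bundled with the app) and rejects everything else. It assumes that the library's sessionDelegate property accepts any URLSessionDelegate (the thread only shows it taking OAuth2DebugURLSessionDelegate), and the host 192.168.1.1 and the bundled file controller.der are hypothetical.

```swift
import Foundation
import Security
import OAuth2   // p2/OAuth2; assumed to expose `sessionDelegate: URLSessionDelegate?`

/// URLSessionDelegate that trusts exactly one known self-signed server certificate.
/// Only the pinned host is affected; every other host keeps the system's evaluation.
final class PinnedSelfSignedCertDelegate: NSObject, URLSessionDelegate {
    /// DER bytes of the server's self-signed certificate, obtained out of band,
    /// e.g. on a trusted machine:
    ///   openssl s_client -connect 192.168.1.1:443 </dev/null 2>/dev/null \
    ///     | openssl x509 -outform DER > controller.der
    /// and shipped inside the app bundle (hypothetical file name).
    private let pinnedCertificate: Data
    private let host: String

    init(host: String, pinnedCertificate: Data) {
        self.host = host
        self.pinnedCertificate = pinnedCertificate
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        // Handle only server-trust challenges for the pinned host; anything else
        // (other hosts, client-cert or HTTP auth challenges) gets default handling.
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              space.host == host,
              let trust = space.serverTrust,
              SecTrustGetCertificateCount(trust) > 0,
              let leaf = SecTrustGetCertificateAtIndex(trust, 0) else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Compare the presented leaf certificate byte-for-byte with the pinned one.
        // A self-signed cert has no chain to validate, so identity is the whole check.
        let presented = SecCertificateCopyData(leaf) as Data
        if presented == pinnedCertificate {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Wrong certificate (rotated, or a man-in-the-middle): fail closed.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage (hypothetical host and resource names):
let pinnedDER = try! Data(contentsOf: Bundle.main.url(forResource: "controller", withExtension: "der")!)
let oauth2 = OAuth2CodeGrant(settings: [
    "client_id": "codeclient",
    "authorize_uri": "https://192.168.1.1/oauth/authorize",
    "token_uri": "https://192.168.1.1/oauth/token",
    "redirect_uris": ["myapp://oauth/callback"],
] as OAuth2JSON)
oauth2.sessionDelegate = PinnedSelfSignedCertDelegate(host: "192.168.1.1", pinnedCertificate: pinnedDER)
oauth2.authorize() { params, error in
    // params is non-nil only when the pinned certificate matched and the grant succeeded
}
```

Compared with disabling evaluation for the host, this keeps the protection the self-signed certificate was supposed to give: a rogue device on the same Wi-Fi presenting its own self-signed certificate for that IP is rejected, and the app never sends the client secret or an authorization code to it. When the controller's certificate is regenerated the bundled DER must be updated, which is the usual cost of pinning.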