SSL issues and how to debug iOS App for Alfresco

Some days ago we faced a problem connecting from the Alfresco iOS App (aka Alfresco Content Services App) to an HTTPS server.

When using the App from a device, the "checking server connection" step was failing.

As there was no clue on the HTTP server, we decided to debug the application from Xcode.

The source code is available at https://github.com/Alfresco/alfresco-ios-app but no documentation for newbies is available, so Bhagyas assisted me on Alfresco IRC to configure the environment. He wrote a wonderful shell script to help with this configuration task at Loftux GitHub.

Once we were able to debug by using a Simulator, we identified the real error.

2017-12-09 09:42:39.451818+0100 AlfrescoApp[4530:53914] DEBUG (null) Network reachable: YES
2017-12-09 09:42:39.457163+0100 AlfrescoApp[4530:53914] DEBUG (null) Network reachable: YES
2017-12-09 09:42:39.461917+0100 AlfrescoApp[4530:53914] DEBUG [AlfrescoDefaultHTTPRequest connectWithURL:method:session:requestBody:outputStream:completionBlock:] GET https://server:443/alfresco/service/api/server
2017-12-09 09:42:39.695423+0100 AlfrescoApp[4530:83456] TIC Read Status [16:0x600000171f40]: 1:54
2017-12-09 09:42:41.668687+0100 AlfrescoApp[4530:83456] TIC Read Status [17:0x600000173140]: 1:54
2017-12-09 09:42:41.875522+0100 AlfrescoApp[4530:68601] TIC Read Status [18:0x600000173c80]: 1:54
2017-12-09 09:42:41.876473+0100 AlfrescoApp[4530:68601] Task <B9FE693B-AB59-4D26-AA6F-644D67A977E2>.<1> HTTP load failed (error code: -1005 [4:-4])
2017-12-09 09:42:41.876724+0100 AlfrescoApp[4530:83005] Task <B9FE693B-AB59-4D26-AA6F-644D67A977E2>.<1> finished with error - code: -1005
2017-12-09 09:42:41.879106+0100 AlfrescoApp[4530:53914] ERROR [AlfrescoRepositorySession authenticateWithUsername:andPassword:completionBlock:] Server info retrieval failed: The network connection was lost.

Extracted from Apple official documentation at https://developer.apple.com/library/content/qa/qa1941/_index.html:

A: NSURLErrorNetworkConnectionLost is error -1005 in the NSURLErrorDomain error domain, and is displayed to users as “The network connection was lost”. This error means that the underlying TCP connection that’s carrying the HTTP request disconnected while the HTTP request was in progress.

So, the device was shutting down the connection for some reason. And that reason should be related to HTTPS, as we tested that the application was running over plain HTTP.

From reading the iOS 11 Security Guide, we extracted the relevant requirements:

  • iOS supports Transport Layer Security (TLS v1.0, TLS v1.1, and TLS v1.2, which supports both AES 128 and SHA-2) and DTLS.
  • The RC4 symmetric cipher suite is deprecated in iOS 10 and macOS Sierra.
  • Servers must support TLS 1.2 and forward secrecy, and certificates must be valid and signed using SHA-256 or better with a minimum 2048-bit RSA key or 256-bit elliptic curve key.
  • By default, App Transport Security limits cipher selection to include only suites that provide forward secrecy, specifically ECDHE_ECDSA_AES and ECDHE_RSA_AES in GCM or CBC mode. Apps are able to disable the forward secrecy requirement per-domain, in which case RSA_AES is added to the set of available ciphers.
  • Network connections that don’t meet these requirements will fail, unless the app overrides App Transport Security

We checked the HTTPS features configured on our server…

The connection to this site uses TLS 1.2 (a strong protocol), RSA (an obsolete key exchange), and AES_128_CBC with HMAC-SHA1 (an obsolete cipher).

… we changed them to fulfil Apple requirements…

The connection to this site uses TLS 1.2 (a strong protocol), ECDHE_RSA with P-256 (a strong key exchange), and AES_256_CBC with HMAC-SHA1 (an obsolete cipher).

… and the Alfresco iOS App started to work with HTTPS!
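
The before and after suites reported above can be checked against the protocol and cipher requirements quoted from the iOS 11 Security Guide. This is an added example, not code from the Alfresco app or from the original post; the function names ats_verdict and probe_like_ats are hypothetical, the OpenSSL suite names are the equivalents of the browser's descriptions, and the certificate requirements are not checked.

```python
import re
import socket
import ssl

# OpenSSL names of the suites the quoted guide allows:
# [ECDHE-(RSA|ECDSA)-]AES(128|256)-[GCM-]SHA[256|384]; no "GCM-" means CBC mode.
_SUITE = re.compile(r"^(?:(ECDHE)-(?:RSA|ECDSA)-)?AES(?:128|256)-(?:GCM-)?SHA(?:256|384)?$")

def ats_verdict(protocol, cipher, allow_non_fs=False):
    """Return (ok, reason) for a negotiated protocol/cipher pair.

    allow_non_fs models the per-domain exception that disables the
    forward secrecy requirement and adds plain RSA_AES suites.
    """
    if protocol != "TLSv1.2":
        return False, f"{protocol}: TLS 1.2 is required"
    match = _SUITE.match(cipher)
    if match is None:
        return False, f"{cipher}: not an ECDHE/RSA AES suite in GCM or CBC mode"
    if match.group(1) is None and not allow_non_fs:
        return False, f"{cipher}: plain RSA key exchange, no forward secrecy"
    return True, f"{cipher}: accepted"

def probe_like_ats(host, port=443, timeout=5):
    """Handshake with a live server while offering only TLS 1.2 + ECDHE AES."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AES")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return ats_verdict(tls.version(), tls.cipher()[0])
    except ssl.SSLError as exc:
        return False, f"handshake failed: {exc}"

# Constructed samples: the two server configurations described in the post.
SAMPLES = {
    "before": ("TLSv1.2", "AES128-SHA"),            # RSA kx, AES_128_CBC, SHA1
    "after": ("TLSv1.2", "ECDHE-RSA-AES256-SHA"),   # ECDHE_RSA, AES_256_CBC, SHA1
}

if __name__ == "__main__":
    for label, (proto, suite) in SAMPLES.items():
        print(label, ats_verdict(proto, suite))
```

probe_like_ats approximates the client's offer with Python's OpenSSL build, so a failed handshake there points at the server's suite list rather than at the app.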

It’s always great to work with Open Source & Alfresco, as you have the chance to identify and solve every problem!
