SSL error in Cordova on iOS9


#1

Hi,

I was able to issue a Let’s Encrypt certificate for use on my test SAP Mobile Platform server. The issuance process and install went well. SMP is based on Tomcat, so I converted the .pem files to a .p12 and I’m able to connect to the administrative screens and web apps from a browser (Safari or Chrome) using SSL without any problems.

However, I get an SSL error when trying to use it on the iOS Simulator to connect to the server. Details of the error are below. Most perplexing is that I can connect to SSL pages on SMP from the Simulator using the mobile Safari browser and it works fine. I have tried installing the Let’s Encrypt .cer on the Simulator and it doesn’t make a difference.

Any ideas on getting Cordova to work with a Let’s Encrypt certificate?

Thanks.
Rob

Jan 16 10:17:34 Roberts-MacBook-Pro LogonDemo[47013]: SMP_AUTH_PROXY ERROR connection:didFailWithError:, Error Domain=NSURLErrorDomain Code=-1200 “An SSL error has occurred and a secure connection to the server cannot be made.” UserInfo={NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSUnderlyingError=0x7914c050 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 “An SSL error has occurred and a secure connection to the server cannot be made.” UserInfo={NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamPropertySSLClientCertificateState=0, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x78e9bc90>, _kCFStreamErrorDomainKey=3, kCFStreamPropertySSLPeerCertificates=<CFArray 0x78fbecc0 [0xb73098]>{type = immutable, count = 1, values = (
0 : <cert(0x78e9e9a0) s: centos02.internal.l10systems.com i: Let’s Encrypt Authority X1>
)}, NSErrorFailingURLStringKey=https://centos02.internal.l10systems.com:8081/odata/applications/latest/com.mycompany.logon/Connections, NSErrorFailingURLKey=https://centos02.internal.l10systems.com:8081/odata/applications/latest/com.mycompany.logon/Connections}}, _kCFStreamErrorCodeKey=-9802, NSErrorFailingURLStringKey=https://centos02.internal.l10systems.com:8081/odata/applications/latest/com.mycompany.logon/Connections, NSErrorPeerCertificateChainKey=<CFArray 0x78fbecc0 [0xb73098]>{type = immutable, count = 1, values = (
0 : <cert(0x78e9e9a0) s: centos02.internal.l10systems.com i: Let’s Encrypt Authority X1>
)}, NSErrorClientCertificateStateKey=0, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x78e9bc90>, NSErrorFailingURLKey=https://centos02.internal.l10systems.com:8081/odata/applications/latest/com.mycompany.logon/Connections}


#2

You should probably check whether your server supports at least one of the following cipher suites:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)

Also:
https://sslanalyzer.comodoca.com/?url=centos02.internal.l10systems.com%3A8081

Error -14: This protocol does not use SSL/TLS


#3

Thanks for the quick response. SMP doesn’t use the standard SSL ports (443), so I found a different SSL checker that supports alternate ports (http://www.networking4all.com/en/support/tools/site+check/report/?fqdn=https%3A%2F%2Fcentos02.internal.l10systems.com%3A8083) and it seems OK but doesn’t specifically list the cipher suites supported. I’ll double-check those.


#4

I found that Wormly does test for the ciphers used (https://www.wormly.com/test_ssl/h/centos02.internal.l10systems.com/i/98.163.16.213/p/8083) and I don’t see any of the ciphers in the list. I’ll check the config. Thanks.


#5

https://www.wormly.com/test_ssl/h/centos02.internal.l10systems.com/i/98.163.16.213/p/8083

It mentions ECDHE-RSA-AES128-SHA which is TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013), but if your server supports only the cipher suites ending with just SHA and not SHA + numbers, you should ensure your server supports TLS 1.2. It currently shows only SSL3 and TLS 1.0.
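The two conditions raised in replies #2 and #5 (an ECDHE suite from the ATS list, and TLS 1.2 actually negotiable) can be checked mechanically against what a scanner reports. The following is an added example, not code from the thread or from SMP; the scanner input is constructed, and the use of the JSSE cipher names in a Tomcat connector `ciphers` attribute is an assumption about how SMP is configured.

```python
# Added example: evaluate a scanner's findings against the iOS 9 ATS TLS
# requirements discussed in the thread (TLS 1.2 plus a forward-secrecy suite).

# ATS-acceptable cipher suites as listed in reply #2 (IANA/JSSE name -> OpenSSL name).
ATS_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384": "ECDHE-ECDSA-AES256-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": "ECDHE-ECDSA-AES256-SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": "ECDHE-ECDSA-AES128-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": "ECDHE-ECDSA-AES128-SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": "ECDHE-RSA-AES256-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "ECDHE-RSA-AES128-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": "ECDHE-RSA-AES128-SHA",
}
OPENSSL_TO_IANA = {v: k for k, v in ATS_SUITES.items()}


def ats_check(protocols, openssl_ciphers):
    """Return (passes, problems) for what a scanner says the server offers.

    protocols: iterable of protocol names, e.g. {"SSLv3", "TLSv1", "TLSv1.2"}
    openssl_ciphers: iterable of OpenSSL-style cipher names (as Wormly prints them)
    """
    problems = []
    offered = set(protocols)
    usable = [c for c in openssl_ciphers if c in OPENSSL_TO_IANA]
    if not usable:
        problems.append("no ECDHE (forward-secrecy) AES suite from the ATS list is offered")
    if "TLSv1.2" not in offered:
        # This is the thread's situation: an ATS-listed suite exists, but the
        # server only speaks SSL3/TLS 1.0, so ATS still rejects the connection.
        detail = " (%s offered only below TLS 1.2)" % ", ".join(usable) if usable else ""
        problems.append("TLS 1.2 is not offered; ATS requires it" + detail)
    return (not problems, problems)


def jsse_ciphers_attribute():
    """ATS suite list in JSSE names, for a Tomcat connector 'ciphers' attribute (assumed usage)."""
    return ",".join(ATS_SUITES)


if __name__ == "__main__":
    # Constructed input resembling the Wormly report in reply #5: SSL3/TLS1.0 only.
    print(ats_check({"SSLv3", "TLSv1"}, ["ECDHE-RSA-AES128-SHA", "AES128-SHA"]))
```

Once TLS 1.2 is enabled, re-run the scan and feed the new protocol list and cipher names back into `ats_check` before trying the Cordova client again.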


#6

SMP supports TLS 1.2. I’ll see if I can enable some of the other ciphers to be sure. The part that really is throwing me off is that navigating directly using the browser works fine but the Cordova client is not happy. That makes no sense to me. I can turn ATS off in Cordova so I’m going to try that and see if I can track the problem down. Thanks for your help.