SSL Handshake failure for production certificate. #8

Closed
BalintDezso opened this issue Mar 21, 2014 · 18 comments

Comments

@BalintDezso

Hi, I am using your test app for iOS trying to get push notifications to work. I have included the correct p12 file and password. But when I try to connect it gives me the error: Unable to connect: Unable to perform SSL handshake

Weird thing is I also tried on the Mac app and it works just perfect on there so am thinking it isn't my certificate. Any clues to why this is failing?

@leovandriel (Contributor)

Hi. There are a number of reasons why the handshake could fail. Could you take a look in NWSSLConnection.m around line 89 (switch (status) {) and tell me the value of status after it fails? Thanks.

@BalintDezso (Author)

-9829. Thank you for a quick response.

@leovandriel (Contributor)

This indicates an unknown certificate (errSSLPeerCertUnknown in SecureTransport.h). Are you using the exact same certificate when running the Mac app?

@BalintDezso (Author)

Yes 100%.

@BalintDezso (Author)

What do you suggest in such a situation?

@leovandriel (Contributor)

Since the iOS and Mac app use the same code, I suspect it's either the certificate and private key (identity) or the connection to Apple. Here I assume you're using the master branch, unmodified except for the p12 file, password and device token in PusherTouch. Is that right?

Next... make sure the p12 contains the correct certificate and private key (e.g. Apple Development IOS Push Services: com.example). Try running both in the iOS simulator and on a device. Make sure there are no proxies, same Wifi. Maybe try it on a 3/4G connection.

Let me know.

@leovandriel (Contributor)

I just pushed (master) some code that might help with comparing the identities you're using. I added:

+ (NSDictionary *)inspectIdentity:(SecIdentityRef)identity

to NWSecTools.m, which returns basic info on the certificate and private key inside the identity. You can for example add a log statement to the connection code to compare the identities you use on Mac and iOS (NWPusher.m:46):

    - (NWPusherResult)connectWithIdentityRef:(SecIdentityRef)identity
    {
        NSLog(@"inspect identity: %@", [NWSecTools inspectIdentity:identity]);
        SecCertificateRef certificate = ...

In particular make sure there are no errors there (certificate_error or key_error) and that both cert_data are identical.

@BalintDezso (Author)

Thank you! That last thing really helped. So the p12 contains both an iPhone Distribution certificate and also the Push Service certificate, and the library reads out the iPhone Distribution certificate instead of the Push Service one. Would there be a fix for something like this?

@leovandriel (Contributor)

Ah, nice one! That's indeed a bug. I will take a look at it this weekend.

In the meantime either export only the push cert (see explanation in README.md) or alter NWSecTools:73:

    CFDictionaryRef dict = CFArrayGetValueAtIndex(items, 0);

I'll keep you posted.

@leovandriel (Contributor)

For now I added (commit 8e0fe92) a check on the number of certificates in the PKCS #12 data. That will at least provide some textual feedback when multiple certificates are present.

@BalintDezso (Author)

Looking at it again, and SecPKCS12Import only imports 1 item into the array, which is the Distribution Certificate. Any idea why it does this when the p12 file 100% contains 2 certificates?

@leovandriel (Contributor)

I assume there is only one certificate present; it's by design. This way, we don't need to first see what is in the p12 file before we can connect.

So NWPusher now has a method:

- (NWPusherResult)connectWithPKCS12Data:(NSData *)data password:(NSString *)password

which takes the (first) identity from the data and sets up the SSL connection with Apple. To support multiple identities, you need:

+ (NWPusherResult)identitiesWithPKCS12Data:(NSData *)pkcs12 password:(NSString *)password identities:(NSArray **)identities

and then call:

- (NWPusherResult)connectWithIdentityRef:(SecIdentityRef)identity

So +identitiesWithPKCS12Data:password:identities: is all you need, right?
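The following is an added example, not NWPusher's own code, showing the approach discussed in this thread: import every identity from the PKCS #12 data instead of only item 0, log each certificate's subject so the Mac and iOS runs can be compared (the purpose of the inspectIdentity logging above), and pick the push identity rather than whichever certificate happens to come first. It assumes the p12 path and password are passed on the command line, and the "Push Services" marker is an assumption based on the certificate name quoted earlier in the thread.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Import every identity from a PKCS #12 blob instead of only item 0.
// Returns nil and sets *outStatus when SecPKCS12Import fails.
static NSArray *IdentitiesFromPKCS12(NSData *pkcs12, NSString *password, OSStatus *outStatus)
{
    NSDictionary *options = @{ (__bridge id)kSecImportExportPassphrase: password ?: @"" };
    CFArrayRef items = NULL;
    OSStatus status = SecPKCS12Import((__bridge CFDataRef)pkcs12,
                                      (__bridge CFDictionaryRef)options, &items);
    if (outStatus) *outStatus = status;
    if (status != errSecSuccess || items == NULL) return nil;

    NSMutableArray *identities = [NSMutableArray array];
    // Each imported item is a dictionary carrying its identity under kSecImportItemIdentity.
    for (NSDictionary *item in (__bridge_transfer NSArray *)items) {
        id identity = item[(__bridge id)kSecImportItemIdentity];
        if (identity) [identities addObject:identity];
    }
    return identities;
}

// Human-readable subject of the certificate inside an identity, e.g.
// "Apple Development IOS Push Services: com.example".
static NSString *SubjectSummaryForIdentity(SecIdentityRef identity)
{
    SecCertificateRef certificate = NULL;
    if (SecIdentityCopyCertificate(identity, &certificate) != errSecSuccess || !certificate) return nil;
    NSString *summary = (__bridge_transfer NSString *)SecCertificateCopySubjectSummary(certificate);
    CFRelease(certificate);
    return summary;
}

// Choose the identity whose subject contains `marker`. "Push Services" is an
// assumption based on Apple's certificate naming; a p12 that also holds an
// iPhone Distribution identity will not match it and is skipped.
static SecIdentityRef PushIdentityAmong(NSArray *identities, NSString *marker)
{
    for (id object in identities) {
        SecIdentityRef identity = (__bridge SecIdentityRef)object;
        NSString *summary = SubjectSummaryForIdentity(identity);
        NSLog(@"identity subject: %@", summary); // log every subject so Mac and iOS runs can be compared
        if (summary && [summary rangeOfString:marker].location != NSNotFound) return identity;
    }
    return NULL;
}

int main(int argc, char *argv[])
{
    @autoreleasepool {
        if (argc < 3) { fprintf(stderr, "usage: %s file.p12 password\n", argv[0]); return 1; }
        NSData *pkcs12 = [NSData dataWithContentsOfFile:@(argv[1])];
        OSStatus status = errSecSuccess;
        NSArray *identities = IdentitiesFromPKCS12(pkcs12, @(argv[2]), &status);
        if (!identities) { NSLog(@"SecPKCS12Import failed: %d", (int)status); return 1; }
        NSLog(@"%lu identities in p12", (unsigned long)identities.count);

        SecIdentityRef push = PushIdentityAmong(identities, @"Push Services");
        if (!push) { NSLog(@"no push identity found; not falling back to item 0"); return 1; }
        // Hand `push` to -connectWithIdentityRef: here; the identity is owned by `identities`.
        return 0;
    }
}
```

Build with `clang -fobjc-arc -framework Foundation -framework Security` and run it against the same p12 on both platforms; if the subjects logged differ, or the push subject is absent, the identity and not the TLS connection is the problem, which is what the -9829 (errSSLPeerCertUnknown) status in this thread turned out to mean.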

@BalintDezso (Author)

Yes sir.

@leovandriel (Contributor)

Hi, Bman900. Support for multiple identities is available in the 0.4.0 tag. There's a lot of API changes in there too, so you might need to resolve some deprecation warnings. If that's not what you are looking for, then you can also try the 0.3.5 tag, which also provides the method we discussed.

Let me know whether this solves the issue.

@BalintDezso (Author)

Yes it did. Thanks a million!

@leovandriel (Contributor)

Great! Just out of curiosity (and a bit off topic), is there any specific reason you want to send pushes from iOS? I added iOS support only for 'theoretical' reasons, and did not yet find any good practical applications for it.

@BalintDezso (Author)

Ah, this decision was complicated, but it came down to Android not playing well with Parse and iOS just following suit and skipping the middle man.

@leovandriel (Contributor)

I see, thanks for reporting.
