nativescript-community / https

Secure HTTP client with SSL pinning for Nativescript - iOS/Android
https://nativescript-community.github.io/https/

Invalid SSL certificate! #61

Closed AlexTiehuis closed 4 years ago

AlexTiehuis commented 4 years ago

I try to use nativescript-https for certificate pinning. Unfortunately to no effect. I downloaded the .cer file as a "DER Encoded Binary X.509 (CER)" file and as a "Base64 encoded X.509 (*.cer)" but keep getting the log message "Invalid SSL certificate!".

I use the following code:

```typescript
import { knownFolders, Folder, File } from "tns-core-modules/file-system";
import * as Https from 'nativescript-https'

let dir = knownFolders.currentApp().getFolder('certs');
let certificate = dir.getFile('mydomain.nl.cer').path;
Https.enableSSLPinning({ host: 'mydomain.nl', certificate: certificate });

Https.request({
  url: 'https://mysubdomain.mydomain.nl/',
  method: 'GET',
  timeout: 3
})
  .then((response: any) => {
    console.log("request response: ", { response });
  })
  .catch((error) => {
    console.log("request error: ", { error });
  });
```

(I tried host 'mysubdomain.mydomain.nl' and '*.mydomain.nl' as well, all to no effect.) The request runs into the .then() branch with an "Invalid SSL certificate!" message.

So I installed the demo application. Unfortunately the demo gives the same results. After [npm run demo.ios] from the [src] directory, I did the following:

1) press the [Httpbin pinning on] button
2) press the [Get Httpbin] button
3) press the [Get Httpbin (large response)] button
4) press the [Get Mockbin] button

All [get] buttons lead to "Invalid SSL certificate!" log messages.

What am I missing or doing wrong?

CONSOLE INFO file:///app/Users/Alex/nativescript/demos/nativescript-https/src/https.ts:40:13: nativescript-https > Disabled SSL pinning by default
CONSOLE LOG file:///app/Users/Alex/nativescript/demos/nativescript-https/src/https.ts:37:14: nativescript-https > Disabled SSL pinning
CONSOLE LOG file:///app/main-page.ts:73:14: disabled
CONSOLE LOG file:///app/Users/Alex/nativescript/demos/nativescript-https/src/https.ts:32:14: nativescript-https > Enabled SSL pinning
CONSOLE LOG file:///app/main-page.ts:61:14: enabled
CONSOLE LOG Https.request response {
"content": {
"body": "",
"description": "nativescript-https > Invalid SSL certificate! Error Domain=NSURLErrorDomain Code=-999 \"cancelled\" UserInfo={NSErrorFailingURLStringKey=https://httpbin.org/get, NSErrorFailingURLKey=https://httpbin.org/get, _NSURLErrorRelatedURLSessionTaskErrorKey=(\n    \"LocalDataTask <EA3B40B5-619F-452D-BB3E-66E6EEADD497>.<1>\"\n), _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <EA3B40B5-619F-452D-BB3E-66E6EEADD497>.<1>, NSLocalizedDescription=cancelled}",
"reason": "cancelled",
"url": "https://httpbin.org/get"
},
"headers": {},
"reason": "cancelled"
}
CONSOLE LOG Https.request response {
"content": {
"body": "",
"description": "nativescript-https > Invalid SSL certificate! Error Domain=NSURLErrorDomain Code=-999 \"cancelled\" UserInfo={NSErrorFailingURLStringKey=https://httpbin.org/bytes/100000, NSErrorFailingURLKey=https://httpbin.org/bytes/100000, _NSURLErrorRelatedURLSessionTaskErrorKey=(\n    \"LocalDataTask <546B9BA5-8939-4898-8626-D4D813B42A51>.<1>\"\n), _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <546B9BA5-8939-4898-8626-D4D813B42A51>.<1>, NSLocalizedDescription=cancelled}",
"reason": "cancelled",
"url": "https://httpbin.org/bytes/100000"
},
"headers": {},
"reason": "cancelled"
}
CONSOLE LOG Https.request response {
"content": {
"body": "",
"description": "nativescript-https > Invalid SSL certificate! Error Domain=NSURLErrorDomain Code=-999 \"cancelled\" UserInfo={NSErrorFailingURLStringKey=https://mockbin.com/request, NSErrorFailingURLKey=https://mockbin.com/request, _NSURLErrorRelatedURLSessionTaskErrorKey=(\n    \"LocalDataTask <437D0F6C-A429-4911-9072-2B88B95D205F>.<1>\"\n), _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <437D0F6C-A429-4911-9072-2B88B95D205F>.<1>, NSLocalizedDescription=cancelled}",
"reason": "cancelled",
"url": "https://mockbin.com/request"
},
"headers": {},
"reason": "cancelled"
}

kefahB commented 4 years ago

Hi @AlexTiehuis, there is a new version as of 2 hours ago!

The certificate in the demo was expired! See the new demo version, it should work.

If you are dealing with a wildcard certificate (subdomain), you should set the commonName to *.domain.com:

```typescript
Https.enableSSLPinning({
  host: 'mydomain.nl',
  commonName: '*.mydomain.nl',
  certificate: certificate
});
```

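Added example, not part of the thread and not the plugin's own code: a general RFC 6125-style wildcard matcher showing which request hosts a name such as `*.mydomain.nl` covers, which is why the wildcard name and the apex host are configured separately above. The helper names `normalize`, `nameMatchesHost` and `coveredHosts` are hypothetical; the hostnames are the ones used in the thread.

```typescript
// Added illustration: RFC 6125-style wildcard matching, not the plugin's code.
// Helper names are hypothetical; sample hostnames are taken from the thread.

function normalize(name: string): string[] {
  // Hostnames are case-insensitive; a trailing dot marks the DNS root.
  return name.trim().toLowerCase().replace(/\.$/, "").split(".");
}

function nameMatchesHost(certName: string, host: string): boolean {
  const pattern = normalize(certName);
  const labels = normalize(host);
  // A wildcard stands for exactly one label, so label counts must be equal.
  if (pattern.length !== labels.length) return false;
  // Reject malformed hosts with empty labels ("a..b", ".example").
  if (labels.some((l) => l.length === 0)) return false;

  return pattern.every((p, i) => {
    if (p === "*") {
      // Only the leftmost label may be a wildcard, and at least two
      // fixed labels must follow it, so "*.nl" is rejected.
      return i === 0 && pattern.length >= 3;
    }
    // Partial wildcards such as "my*" are not accepted here.
    return p.indexOf("*") === -1 && p === labels[i];
  });
}

// Which of the given request hosts a pinned certificate name would cover.
function coveredHosts(certName: string, hosts: string[]): string[] {
  return hosts.filter((h) => nameMatchesHost(certName, h));
}

const requestHosts = [
  "mydomain.nl",
  "mysubdomain.mydomain.nl",
  "a.b.mydomain.nl",
];
console.log(coveredHosts("*.mydomain.nl", requestHosts));
console.log(coveredHosts("mydomain.nl", requestHosts));
```

A wildcard name covers exactly one extra label, so it matches neither the apex domain nor deeper subdomains.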
AlexTiehuis commented 4 years ago

Hi @kefahB

I installed a new version of the demo app. Below are the results:

  1. Tap [GET Httpbin] button without SSL-Pinning:
    CONSOLE INFO file:///app/Users/Alex/nativescript/demos/nativescript-https/src/https.ts:35:13: nativescript-https > Disabled SSL pinning by default
    CONSOLE LOG Https.request response {
    "content": {
    "args": {},
    "headers": {
    "Accept": "*/*",
    "Accept-Encoding": "gzip, deflate, br",
    "Accept-Language": "en;q=1",
    "Host": "httpbin.org",
    "User-Agent": "demo/1.0 (iPhone; iOS 13.3; Scale/3.00)",
    "X-Amzn-Trace-Id": "Root=1-5e467401-babe92680e48bc285e388914"
    },
    "origin": "31.161.17.4",
    "url": "https://httpbin.org/get"
    },
    "headers": {
    "access-control-allow-credentials": "true",
    "Access-Control-Allow-Origin": "*",
    "Content-Type": "application/json",
    "Content-Length": "360",
    "Server": "gunicorn/19.9.0",
    "Date": "Fri, 14 Feb 2020 10:18:41 GMT"
    },
    "statusCode": 200
    }
  2. Tap [Httpbin Pinning OFF] Tap [Httpbin Pinning ON, expired cert]
    CONSOLE LOG file:///app/Users/Alex/nativescript/demos/nativescript-https/src/nativescript-https/src/https.ts:27:14: nativescript-https > Enabled SSL pinning
    CONSOLE LOG file:///app/main-page.ts:85:14: enabled
    CONSOLE LOG Https.request response {
    "content": {
    "body": "",
    "description": "nativescript-https > Invalid SSL certificate! Error Domain=NSURLErrorDomain Code=-999 \"cancelled\" UserInfo={NSErrorFailingURLStringKey=https://httpbin.org/get, NSErrorFailingURLKey=https://httpbin.org/get, _NSURLErrorRelatedURLSessionTaskErrorKey=(\n    \"LocalDataTask <F29C88B7-A219-4B60-930B-535D4F2F1705>.<1>\"\n), _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <F29C88B7-A219-4B60-930B-535D4F2F1705>.<1>, NSLocalizedDescription=cancelled}",
    "reason": "cancelled",
    "url": "https://httpbin.org/get"
    },
    "headers": {},
    "reason": "cancelled"
    }

    Seems correct, however...

  3. Tap [Httpbin Pinning OFF] Tap [Httpbin Pinning ON] Tap [GET Httpbin]
    CONSOLE LOG file:///app/Users/Alex/nativescript/demos/nativescript-https/src/nativescript-https/src/https.ts:32:14: nativescript-https > Disabled SSL pinning
    CONSOLE LOG file:///app/main-page.ts:90:14: disabled
    CONSOLE LOG file:///app/Users/Alex/nativescript/demos/nativescript-https/src/nativescript-https/src/https.ts:27:14: nativescript-https > Enabled SSL pinning
    CONSOLE LOG file:///app/main-page.ts:78:14: enabled
    CONSOLE LOG Https.request response {
    "content": {
    "body": "",
    "description": "nativescript-https > Invalid SSL certificate! Error Domain=NSURLErrorDomain Code=-999 \"cancelled\" UserInfo={NSErrorFailingURLStringKey=https://httpbin.org/get, NSErrorFailingURLKey=https://httpbin.org/get, _NSURLErrorRelatedURLSessionTaskErrorKey=(\n    \"LocalDataTask <64B32475-EA6D-414E-A597-3731B2DA1071>.<1>\"\n), _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <64B32475-EA6D-414E-A597-3731B2DA1071>.<1>, NSLocalizedDescription=cancelled}",
    "reason": "cancelled",
    "url": "https://httpbin.org/get"
    },
    "headers": {},
    "reason": "cancelled"
    }

    Still Cancelled

a. Is this what you mean by "Once you've enabled SSL pinning you CAN NOT re-enable with a different host or certificate file."?

b. Is this version already available? I keep getting version 1.2.2

EddyVerbruggen commented 4 years ago

@AlexTiehuis 1.3.0 is on npm (you can check that on their website), and indeed if you want to toggle pinning on and off with different certs (which you won't do in a real app) you'll need to kill the app in between.

kefahB commented 4 years ago

@AlexTiehuis, just to be sure: did you add { from: { glob: "assets/*.cer" } } to your webpack config?

AlexTiehuis commented 4 years ago

I just did and now it works as described. Thank you.