iOS Question An SSL error has occurred and a secure connection to the server cannot be made

dazwin788

Member
Licensed User
Hi all,

Hoping someone can help...

I am having a bizarre problem which I am unable to isolate concerning an SSL error that some users of my app are receiving when it fetches a file over HTTPS from our server. It only appears to affect some users, and only ever over 4G. The issue immediately goes away if the same phone is connected to WiFi. The error they are receiving is a generic one - "An SSL error has occurred and a secure connection to the server cannot be made". There does not appear to be a mobile network in common. Some phones on the same network (and in the same physical location) are fine, whereas others on the same network are not. I cannot tie it down to a specific OS version either. The code in question is as follows (server address redacted):

(Note that I am using iHttpUtils2 in the B4i version of my app)

B4X:
Dim j As HttpJob
j.Initialize("", Me)
j.Download2("https://xxxxx.xxxx.xxx/xxxxxx/xxxxxx.php", Array As String("key", "abcdefghijkl", "lat", latitude, "lng", longitude, "app", appname))
    
Wait For (j) JobDone(j As HttpJob)
    
indLoading.Visible = False
    
If j.Success Then       
    HandleWebResponseGetStoresSuccess(j.GetString)               
Else       
    Msgbox(j.ErrorMessage, "An error occurred")               
End If
    
j.Release

It is apparently affecting Android users as well (running the same code but compiled with B4A) but I have not seen proof of that as yet to confirm that it is definitely the case.

The app is being used at an event today but I cannot see any Schannel errors logged on our server to indicate a TLS handshake failure. I have installed Wireshark on our server to see if I can see anything in the logs and confirm this 100%.

I don't believe there is an issue with the SSL certificate or server configuration as there are no issues browsing to sites on the server using the certificate (it is a multi-domain certificate, if that is of any relevance), and I have run a check on the SSL certificate using the Qualys SSL tester and it doesn't flag anything up of concern.

It seems like too many people are experiencing the error to think it is network settings on the phones, nor anything like a transparent proxy misbehaving as phones on the same network yield different results. I am also curious as to why switching to WiFi on the same device resolves the issue.

Without being able to replicate the issue myself it is frustratingly hard to work out what is going on. My next step might be to try a different port (if I am able) from 442 and perhaps a different certificate (although why is it OK over WiFi on the same device if there was a certificate issue??).

Any help gratefully received at this stage!

Thanks very much!!

PS. Apologies if I have made any faux-pas in this post - it is my first post in the forum.
 

Hamied Abou Hulaikah

Well-Known Member
Licensed User
Longtime User
Read this:
 
Upvote 0

dazwin788

Member
Licensed User
Thanks HAH, but that just means that apps can no longer make insecure HTTP calls by default (which is not something my app does anyway). The issue I am having is with secure HTTPS calls over 4G causing an SSL error on some devices but not others.
 
Upvote 0

dazwin788

Member
Licensed User
I am afraid not, HAH. The SSL certificate is not self-signed. We use a "proper" Certificate Authority issued certificate.
 
Upvote 0

dazwin788

Member
Licensed User
Did you try to execute an SSL test under Safari on an iPhone, connected using 4G?

This is one thing I would like to do but have not been able to - the issue being that I am not physically at the event and the staff are busy serving customers, so it's really hard to get more info or get them to test things. They have another event on this coming Tuesday with 400 attendees (many of whom will be using the app) - I can perhaps ask them to test that then but ideally would like to find a solution beforehand (as you can imagine).
 
Upvote 0

Semen Matusovskiy

Well-Known Member
Licensed User
I mean to run it on your own iPhone from home. I guess your server works in any case.
I had a similar situation, but in my case it was an error when the user used corporate Wi-Fi.

In your case I suspect exactly SSL. That Wi-Fi works is a little strange, but proxies are able to replace the SSL certificate on the fly.
 
Upvote 0

dazwin788

Member
Licensed User

Browsing on all the phones I have tested on to sites protected by the same cert on the server is fine, as is the app itself. The SSL certificate and server config seem to check out fine on the Qualys scan. Most users do not have a problem on 4G. It's very odd that switching to WiFi on those phones that do have the issue resolves it. I was wondering if it is a transparent proxy causing the issue but not sure why two phones on the same phone network would have different results, as I would presume (being in the same physical location as well) the request would be going through the same path to the server.

I'm actually just wondering if maybe the network is trying to redirect the user to some sort of service/error page (like to say that the subscriber is out of mobile data) and that is causing the issue. In which case using a different port number might work (or at least yield a different error). I'm not sure if it is possible to get more information on the error once the HttpJob fails.
 
Upvote 0

dazwin788

Member
Licensed User
One popular mistake is to mix with HTTP, for example, to include an external picture or CSS style.

With web pages, yes, but this is a single HTTPS call to a server side script that returns a string.

I managed to replicate the error myself at a coffee shop this morning when partially connected to the WiFi but not logged in to it (so did not have a "proper" Internet connection). I suspect this is what is happening (although the screenshots I see show "4G" on the phone). I think I might just change the error to ask the user to check the network connection and to retry on WiFi. Can't think of what else would be causing it, or what else to do.
 
Upvote 0
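
The hypothesis in the two posts above (a portal or service page answering on the HTTPS port instead of the real server) can be checked from the first bytes the device receives after it sends its ClientHello, for example from a device-side packet capture. The following is an added example, not code from the thread: `classify_first_bytes` and the sample byte strings are constructed for illustration.

```python
import struct

# TLS record content types and a few alert descriptions (RFC 5246 / RFC 8446).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERTS = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
          70: "protocol_version", 80: "internal_error", 112: "unrecognized_name"}

def classify_first_bytes(data: bytes) -> dict:
    """Classify the first bytes a peer sent back on the HTTPS port (hypothetical helper)."""
    if not data:
        return {"kind": "no_data", "hint": "connection closed or reset before any reply"}
    # Plaintext HTTP on a TLS port: a portal or service page answered, not the TLS server.
    if data[:5] == b"HTTP/":
        head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1")
        lines = head.split("\r\n")
        location = next((ln.split(":", 1)[1].strip() for ln in lines[1:]
                         if ln.lower().startswith("location:")), None)
        return {"kind": "plaintext_http", "status": lines[0], "location": location,
                "hint": "something on the path answered in clear text instead of TLS"}
    if len(data) < 5:
        return {"kind": "truncated", "hint": "fewer than 5 bytes, not a full record header"}
    # TLS record header: content type (1), version major/minor (2), length (2).
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in CONTENT_TYPES or major != 3:
        return {"kind": "not_tls", "hint": "reply is neither HTTP nor a TLS record"}
    result = {"kind": "tls_" + CONTENT_TYPES[ctype], "record_version": f"3.{minor}",
              "length": length}
    if ctype == 21 and len(data) >= 7:
        # Alert body: level (1 = warning, 2 = fatal) followed by the description code.
        result["level"] = "fatal" if data[5] == 2 else "warning"
        result["alert"] = ALERTS.get(data[6], f"alert_{data[6]}")
    elif ctype == 22 and len(data) >= 6:
        # Handshake message type 2 is ServerHello: a TLS endpoint (server or proxy) answered.
        result["server_hello"] = data[5] == 2
    return result

# Constructed sample replies, not captured from any real network.
SAMPLE_PORTAL = b"HTTP/1.1 302 Found\r\nLocation: http://portal.example/login\r\n\r\n"
SAMPLE_ALERT = bytes([21, 3, 3, 0, 2, 2, 40])            # fatal handshake_failure
SAMPLE_SERVER_HELLO = bytes([22, 3, 3, 0, 74, 2, 0, 0, 70])

if __name__ == "__main__":
    for name, blob in [("portal", SAMPLE_PORTAL), ("alert", SAMPLE_ALERT),
                       ("server_hello", SAMPLE_SERVER_HELLO), ("empty", b"")]:
        print(name, classify_first_bytes(blob))
```

A `plaintext_http` result points at the network path rather than the certificate, while a `tls_alert` or a ServerHello means a TLS endpoint answered and the certificate it presented is the next thing to inspect.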

Semen Matusovskiy

Well-Known Member
Licensed User
I'd begin with something simple - download a static binary file (for example, a jpg). An error will show that the problem is exactly in the SSL certificate. If there is no error, try a dummy php without any scripts. And so on.
 
Upvote 0