[iOS] - ! SSL Connect error

Hi,
I’m trying to access a server we use to save players’ actions. It works on Android & HTML5, but when I call the exact same service on iOS, I receive this answer:

!SSL Connect error

Here is how I call it:

    var urlLoader:URLLoader = new URLLoader();
    urlLoader.addEventListener(Event.COMPLETE, _onComplete);
    urlLoader.addEventListener(IOErrorEvent.IO_ERROR, _ioErrorHandler);
    urlLoader.addEventListener(HTTPStatusEvent.HTTP_STATUS, _onHttpStatus);
    urlLoader.addEventListener(HTTPStatusEvent.HTTP_RESPONSE_STATUS, _onReponseStatus);
    urlLoader.addEventListener(ProgressEvent.PROGRESS, _onProgress);
    urlLoader.addEventListener(Event.OPEN, _onOpen);

    urlLoader.load(new URLRequest("https://myserverurl.com/"));

For the HTML5 and Android versions I’m using the akifox-asynchttp lib; there the error is slightly different:

SSL - No CA Chain is set, but required to operate

SSL is not really “my thing”, I don’t really know why I get this answer and whether it’s because of Haxe or the server certificate.
I’ve read a lot of stuff on the web, and it sounds like it might be Haxe related.

Note that it works when using this URL: https://en.wikipedia.org/wiki/Haxe

What do you think, any advice or thing I could try to fix this issue (app or server-side)?

Thx,

Note, I’m using:

I can give you the URL via mp, if you want to try it by yourself.

Thanks.

I might have found out why it’s not working.
Seems like Apple changed its way of considering HTTPS / SSL requests: SOURCE

It seems to be a common misinterpretation, that NSAllowsArbitraryLoads is a switch to enable or disable ATS. As soon as you are doing a https:// request, you must ensure, that you meet the ATS-requirements: a valid certificate installed on the server (without wildcard, exactly matching the server’s domain name), server supports TLS 1.2 with forward secrecy.

The certificate on the server I use is using a wildcard *.mydomain.com, this might be why I got this SSL error though.

I found this PR: https://github.com/openfl/lime/pull/684
but got no luck adding <config:ios allow-insecure-http="http://alimentariummiddleware.coorpacademy.com" />

I also tried to directly edit the plist file, adding these lines:

    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSExceptionDomains</key>
        <dict>
            <key>http://mydomain.com</key>
            <dict>
                <key>NSExceptionRequiresForwardSecrecy</key>
                <false/>
                <key>NSIncludesSubdomains</key>
                <true/>
            </dict>
        </dict>
    </dict>

But I got this error:
_ioErrorHandler !Unsupported protocol

I’m running out of ideas :confused:

Any suggestion?

I think <config:ios allow-insecure-http="false" />, <config:ios allow-insecure-http="true" /> (our default) or one or more tags like <config:ios allow-insecure-http="mydomain.com" /> may all be supported by our command-line tools. If you try this and it does not affect the generated plist, let me know :slight_smile:

It’s possible that it doesn’t like the “http://” in the <key /> you added (I’m not sure if it expects a protocol prefix or not?), and there is the possibility that you are using a server that is trying to send a different protocol than we support in our embedded library of cURL.

We use “axTLS” as the SSL library at the moment, here’s a matrix that shows what protocols are supported:

https://curl.haxx.se/docs/ssl-compared.html

I’d like us to move to (probably) mbedTLS in the future

Yes it works, it adds this to the plist.

    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSExceptionDomains</key>
        <dict>
            <key>subdomain.mydomain.com</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSTemporaryExceptionMinimumTLSVersion</key>
                <string>TLSv1.1</string>
            </dict>
        </dict>
    </dict>

But I still get a SSL Error:

ioErrorHandler: ! Unsuported Protocol.

I got an error in my log (in Xcode) which doesn’t seem to come from Haxe but from iOS (there is no class name before this log):

SSL Error 70

Do you think there is anything I can do from Haxe side, or is it something which needs to be fixed from server side?

Thanks again for your help :slight_smile:

Perhaps it is coming from libcurl?

https://curl.haxx.se/libcurl/c/libcurl-errors.html

CURLE_REMOTE_DISK_FULL (70)

Out of disk space on the server.

or an invalid cert?

https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=SO10183&pmv=print&actp=PRINT&viewlocale=en_US

Still investigating…

It’s probably related to the certificate, but it’s not because the server is out of disk and I’m not using Citrix.

We’ve duplicated our middleware from our server to Heroku (using the Heroku standard certificate) and I don’t see the SSL error anymore.
Based on this list, it seems like when a request goes through a certificate using “Politique EV” (with extended validation) it works, but when it’s a certificate with a non-EV policy it doesn’t.

Adding these lines to the .plist:

<key>NSExceptionRequiresForwardSecrecy</key>
<false/>

I got this error:

_ioErrorHandler text : Unsupported protocol

When I check Facebook / Wikipedia or Heroku it seems like they “accept” TLS 1.0 / 1.1 / 1.2 whereas our certificate (via Cloudflare) accepts just 1.2 & 1.3.

These are the only two differences I see between my certificate and those used by Facebook / Wikipedia or Heroku, but I can’t really find a way to make it work…

Note that when I compile the exact same code to HTML5 it works.

Thank you for your help.

Okay, then it sounds like the goal is to replace our SSL library so that we can support more protocols. In the meantime, do you see any way to accept additional TLS versions on your server?


Using https://www.howsmyssl.com/a/check :

{"given_cipher_suites":["TLS_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_RC4_128_SHA","TLS_RSA_WITH_RC4_128_MD5"],"ephemeral_keys_supported":false,"session_ticket_supported":false,"tls_compression_supported":false,"unknown_cipher_suite_supported":false,"beast_vuln":false,"able_to_detect_n_minus_one_splitting":false,"insecure_cipher_suites":{"TLS_RSA_WITH_RC4_128_MD5":["uses RC4 which has insecure biases in its output"],"TLS_RSA_WITH_RC4_128_SHA":["uses RC4 which has insecure biases in its output"]},"tls_version":"TLS 1.1","rating":"Bad"}

The certificate we use uses TLS 1.2, which would explain the ‘Unsupported protocol’ error.

We modified our server to make it accept TLS 1.1, but now I get the “SSL connect error” again.

It’s driving me crazy :crazy_face:
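An added check, not from this thread and not OpenFL or Lime code, that reads a howsmyssl-style report like the one above and lists why that client would fail against a server with a given TLS policy (the policy values, TLS 1.2 minimum and forward-secrecy suites as Apple ATS asks for, are assumptions passed as parameters):

```python
import json

# Constructed sample input: the howsmyssl.com report quoted earlier in this thread,
# reduced to the fields the check reads.
SAMPLE_REPORT = json.dumps({
    "given_cipher_suites": [
        "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_RC4_128_MD5",
    ],
    "ephemeral_keys_supported": False,
    "insecure_cipher_suites": {
        "TLS_RSA_WITH_RC4_128_MD5": ["uses RC4 which has insecure biases in its output"],
        "TLS_RSA_WITH_RC4_128_SHA": ["uses RC4 which has insecure biases in its output"],
    },
    "tls_version": "TLS 1.1",
})

# Assumed ATS baseline for https:// loads: TLS 1.2 plus forward-secrecy (ECDHE/DHE) suites.
ATS_MIN_VERSION = (1, 2)


def parse_tls_version(label):
    """Turn a howsmyssl label such as 'TLS 1.1' into a comparable (major, minor) tuple."""
    major, minor = label.split()[-1].split(".")
    return int(major), int(minor)


def check_client(report_json, server_min_version=ATS_MIN_VERSION, server_requires_pfs=True):
    """Return the reasons the reported client would fail a handshake with a server that
    accepts nothing below server_min_version and (optionally) only forward-secrecy suites."""
    report = json.loads(report_json)
    problems = []
    if parse_tls_version(report["tls_version"]) < server_min_version:
        problems.append("tls_version_too_low")
    # Forward secrecy needs an ephemeral key exchange: ECDHE or DHE suites.
    pfs_suites = [s for s in report["given_cipher_suites"] if "_ECDHE_" in s or "_DHE_" in s]
    if server_requires_pfs and not (pfs_suites or report.get("ephemeral_keys_supported")):
        problems.append("no_forward_secrecy")
    # RC4 suites are offered but a hardened server will never select them.
    if report.get("insecure_cipher_suites"):
        problems.append("insecure_cipher_suites")
    return problems


if __name__ == "__main__":
    print("client vs TLS 1.2-only server:", check_client(SAMPLE_REPORT))
    print("client vs server downgraded to TLS 1.1:",
          check_client(SAMPLE_REPORT, server_min_version=(1, 1)))
```

Run against the report above, the second call shows that lowering the server to TLS 1.1 removes only the version mismatch; the client still offers no forward-secrecy suite, which a server limited to ECDHE/DHE ciphers would still reject.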

Do we know what is throwing the error? The client-side library, or the server? https://stackoverflow.com/questions/37529754/how-to-debug-an-ssl-connect-error-using-libcurl-in-c-vs2013#37639779 I wonder if we can enable extra debugging on our side (if that is the source) to get better details

…and my apologies, there are many other developers who use OpenFL in native with their servers just fine. This doesn’t mean you’ve done something wrong, but there is a path through, and for security, it would be best for us to upgrade to a smarter TLS library :slight_smile:

I got this error listening for:
urlLoader.addEventListener(IOErrorEvent.IO_ERROR, _ioErrorHandler);

And receive:
[IOErrorEvent type="ioError" bubbles=true cancelable=false text="SSL connect error" errorID=0]

I would say the error is thrown by the client, but I’m not 100% sure.
If you tell me how to get more info / logs I’ll give it a try.

Still no luck, that’s so frustrating…

We’ve downgraded the server to support TLS 1.1, but I still get the same SSL error… I don’t really know what to do from here; I can give you access to the middleware URL or certificate diagnostic via private message if you need it.

I’m thinking of recoding everything using AS3 to publish it with AIR, I’ve lost way too much time trying to fix this…
Maybe someone can give it a try, we’ll pay for it. Unfortunately we can’t afford to be late any more, this is critical for our business (and our client).

Thank you.

Have you used the new AIR target yet?

lime config AIR_SDK path/to/your/air/sdk

then

openfl test ios -air

or

openfl test air -ios

Have you tried connecting to your server from OpenFL using a native desktop target? Do you get the same error? If it does, would you mind sharing some information in a private message so I can try a URLRequest from here?

Thanks

Yep, I’ve tried the new AIR target, but I had a white screen, maybe because I’m using Starling / Robotlegs on top of OpenFL…
I’ll try again who knows :slight_smile:

Yes it works as it should when targeting Android & HTML5.

I’ll send you a message with the URLs right away.

EDIT:
Regarding AIR targeting, I was actually stuck with an error in the class Dictionary:
HaxeToolkit\haxe\lib\openfl/6,2,2/externs/core/openfl/openfl/utils/Dictionary.hx:536: characters 28-51 : Invalid number of type parameters for openfl.utils.Dictionary

abstract Dictionary <K, V> (openfl.utils.Dictionary) from openfl.utils.Dictionary to openfl.utils.Dictionary {

That’s why I focused on (and succeeded in) resolving the display problem I originally got on iOS.