How to fix ‘TIC SSL Trust Error’ in iOS?

星月不相逢 2021-01-12 11:34

When I tried to login to the application using a webservice. I also set my plist-file like the following

I got the following error. This error

5 Answers
  • 2021-01-12 12:14

    IKKA's answer in Swift 4.2 version

    extension CustomViewController: URLSessionDelegate {
        func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
            let method = challenge.protectionSpace.authenticationMethod
            if method == NSURLAuthenticationMethodClientCertificate {
                // No client certificate is offered.
                completionHandler(.rejectProtectionSpace, nil)
            } else if method == NSURLAuthenticationMethodServerTrust,
                      let serverTrust = challenge.protectionSpace.serverTrust {
                // Accepts the server's certificate chain without evaluating it,
                // for every host this session connects to.
                completionHandler(.useCredential, URLCredential(trust: serverTrust))
            } else {
                // The completion handler must always be called, or the task stalls.
                completionHandler(.performDefaultHandling, nil)
            }
        }
    }
    
  • 2021-01-12 12:18

    Swift 5.1

    Your class has to comply with URLSessionDelegate and implement the "didReceive Challenge" function.

    These Apple Developer pages illustrate the issue and provide a lot of insight on how to securely fix this issue:

    Handling an Authentication Challenge

    Performing Manual Server Trust Authentication

    Here is an example of how to fix this issue for Dev or QA environments:

    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        #if DEBUG
        if challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust {
            if challenge.protectionSpace.host == "YourTrustedDevOrQaDomain" {
                // At this point you can prevent a domain that is pretending to be a trusted domain by challenging the user to present some credentials or a security mechanism for authentication.
                if let serverTrust = challenge.protectionSpace.serverTrust {
                    let credential = URLCredential(trust: serverTrust)
                    completionHandler(URLSession.AuthChallengeDisposition.useCredential, credential)
                    return
                }
            }
        }
        #endif
        // Every other challenge, and every release build, gets the system's default validation.
        // The completion handler must always be called, otherwise the task never finishes.
        completionHandler(.performDefaultHandling, nil)
    }
    
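Added example, not code from the answer above or from Apple's documentation: a delegate that evaluates the dev/QA server's chain against a root certificate shipped in the app bundle instead of accepting it unchecked. The class name, the host `dev.example.test` and the bundled file `dev-root.der` are assumptions; `SecTrustEvaluateWithError` requires iOS 12 or later.

```swift
import Foundation
import Security

final class AnchoredTrustDelegate: NSObject, URLSessionDelegate {
    private let pinnedHost = "dev.example.test"   // hypothetical dev/QA host
    private let anchor: SecCertificate?           // DER root from the bundle (assumed file name)

    override init() {
        if let url = Bundle.main.url(forResource: "dev-root", withExtension: "der"),
           let der = try? Data(contentsOf: url) {
            anchor = SecCertificateCreateWithData(nil, der as CFData)
        } else {
            anchor = nil
        }
        super.init()
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        // Take over only server-trust challenges for the one managed host;
        // everything else keeps the system's normal validation.
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              space.host == pinnedHost,
              let trust = space.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Without the bundled root there is nothing to validate against: fail closed.
        guard let anchor = anchor else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // Trust only our own root. The SSL policy already attached to the
        // trust object (including the hostname check) stays in force.
        var error: CFError?
        let trusted = SecTrustSetAnchorCertificates(trust, [anchor] as CFArray) == errSecSuccess
            && SecTrustSetAnchorCertificatesOnly(trust, true) == errSecSuccess
            && SecTrustEvaluateWithError(trust, &error)
        if trusted {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}
```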
  • 2021-01-12 12:24

    Guides from the Apple developer documentation.

    SSL changes in iOS 11: https://forums.developer.apple.com/thread/80197

    The certificate viewer also has more specific messaging. In the screenshot below you can see that a warning is displayed for the specific trust error. In this case, the error reads “This certificate cannot be verified (weak digest algorithm)” because it is signed with SHA-1.

    In some cases it's useful to connect to a server and issue it commands for testing purposes. For typical Internet protocols (HTTP, SMTP, NNTP, and so on) you can do this with the telnet tool. This does not work, however, if the protocol uses TLS. In that case your best option is the s_client subcommand of the openssl tool. Listing 1 shows how you can use this tool to manually get the contents of (remember that HTTPS uses port 443).

    Listing 1 Using openssl s_client

    $ openssl s_client -connect www.apple.com:443
    CONNECTED(00000003)
    [...]
    GET / HTTP/1.1
    Host: www.apple.com
    
    HTTP/1.1 200 OK
    Server: Apache/2.2.3 (Oracle)
    Content-Length: 9464
    Content-Type: text/html; charset=UTF-8
    ntCoent-Length: 9516
    Cache-Control: max-age=47
    Expires: Mon, 25 Jun 2012 16:18:24 GMT
    Date: Mon, 25 Jun 2012 16:17:37 GMT
    Connection: keep-alive
    
    <!DOCTYPE html>
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
    [...]
    </html>
    closed
    $
    

    The s_client subcommand supports a number of useful debugging options. For example:

    You can supply the -cert argument to have it respond to client certificate requests. You can specify the -showcerts option to get the complete list of certificates provided by the server. The -debug and -msg options enable low-level debugging features. See the man page for more information about these options and more.

  • 2021-01-12 12:28

    You can input this in AppDelegate.m

    Here is the code:

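    // Overrides a private NSURLRequest class method so that any HTTPS certificate is accepted for any host.
    @implementation NSURLRequest(DataController)
    + (BOOL)allowsAnyHTTPSCertificateForHost:(NSString *)host {
        return YES;
    }
    @end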
    
  • 2021-01-12 12:32

    The following code works for me. I implemented the delegate method for NSURLSessionDelegate (didReceiveChallenge).

    NSURLSessionConfiguration *sessionConfiguration = [NSURLSessionConfiguration defaultSessionConfiguration];
    NSURLSession *session = [NSURLSession sessionWithConfiguration:sessionConfiguration delegate:self delegateQueue:nil];
    NSURLSessionDataTask *task = [session dataTaskWithRequest:request
                                            completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
        // Handle the response
    }];
    [task resume];
    

    // NSURLSessionDelegate method
    - (void)URLSession:(NSURLSession *)session didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler {
        if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust] &&
            [challenge.protectionSpace.host isEqualToString:@"yourdomain.com"]) {
            // Accepts whatever certificate chain yourdomain.com presents, without evaluating it.
            NSURLCredential *credential = [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust];
            completionHandler(NSURLSessionAuthChallengeUseCredential, credential);
            return;
        }
        // Any other challenge falls back to default handling so the handler is always called.
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
    }
    