Bug 24235 - [iOS] Use self-signed certificate in local development does not work when WebView.Source set in OnAppearing()
Summary: [iOS] Use self-signed certificate in local development does not work when Web...
Alias: None
Product: Forms
Classification: Xamarin
Component: Forms ()
Version: 1.2.3
Hardware: PC Windows
: Normal normal
Target Milestone: ---
Assignee: Bugzilla
Depends on:
Reported: 2014-11-03 20:07 UTC by Jon Goldberger [MSFT]
Modified: 2016-03-25 18:09 UTC (History)
4 users (show)

Tags: AC
Is this bug a regression?: ---
Last known good build:

Test Project (2.14 MB, application/zip)
2014-11-03 20:07 UTC, Jon Goldberger [MSFT]

Notice (2018-05-24): bugzilla.xamarin.com is now in read-only mode.

Please join us on Visual Studio Developer Community and in the Xamarin and Mono organizations on GitHub to continue tracking issues. Bugzilla will remain available for reference in read-only mode. We will continue to work on open Bugzilla bugs, copy them to the new locations as needed for follow-up, and add the new items under Related Links.

Our sincere thanks to everyone who has contributed on this bug tracker over the years. Thanks also for your understanding as we make these adjustments and improvements for the future.

Please create a new report on Developer Community or GitHub with your current version information, steps to reproduce, and relevant error messages or log files if you are hitting an issue that looks similar to this resolved bug and you do not yet see a matching new report.

Related Links:

Description Jon Goldberger [MSFT] 2014-11-03 20:07:29 UTC
Created attachment 8610 [details]
Test Project

Use self-signed certificate in local development does not work when WebView.Source set in OnAppearing(), but does work when set in the Page constructor.

I have not been able to reproduce this as I do not have a local SSL server to test with. 

## Customer's description of the issue:

I am having issues getting a UIWebView to accept a self-signed certificate that is used during development/debugging on my local machine.

The code mimics the information Apple provides on Performing Custom TLS Chain Validation (https://developer.apple.com/library/ios/DOCUMENTATION/Cocoa/Conceptual/URLLoadingSystem/Articles/AuthenticationChallenges.html#//apple_ref/doc/uid/TP40009507-SW9) and Overriding TLS Chain Validation Correctly (https://developer.apple.com/library/ios/DOCUMENTATION/NetworkingInternet/Conceptual/NetworkingTopics/Articles/OverridingSSLChainValidationCorrectly.html#//apple_ref/doc/uid/TP40012544-SW1).

The code uses an NSUrlConnectionDelegate to add the self-signed cert as an anchor in the trust. This functionality works, but inconsistently. Setting the Source property of the Xamarin Forms WebView in the constructor of a ContentPage exhibits the correct behavior. The self-signed certificate gets added to the trust and the WebView loads the page. Setting the Source property in the Appearing event of a ContentPage does not work. The self-signed certificate is getting added to the trust but doesn't get used and the WebView doesn't load the page.

A further example, and one that is much closer to the actual use case of our application, is navigating to a secured page on a redirect from a different non-secured page. In the example project, example 3 loads a non-secured page that has a button that when posted back to the server issues a redirect to the secured page. The first time the button is clicked, the self-signed certificate gets added to the trust, but the WebView still doesn't load the page because it believes the self-signed certificate to be invalid. However, clicking the button a second time does successfully load the secured page in the WebView as it appears that the self-signed certificate is now an anchor in the trust.

I'd like to know how to have this work consistently using Xamarin and/or what working alternatives there are for using a self-signed certificate during local development.

## Notes

I am filing this against Xamarin Forms as it seems significant, perhaps timing wise, that setting the source fails in OnAppearing but succeeds in the Page constructor. Of course feel free to change the product if my thinking is wrong on this.
Comment 2 Jon Goldberger [MSFT] 2014-11-03 20:22:30 UTC
From the customer about the local html pages he is using for testing on his local machine's http/https server:

We don’t have those pages publically accessible for demonstration, but the pages themselves are nothing special and easily created and pluggable into the example as they are referenced by constants. SecurePage is just a basic html page that displays the text "success". NonSecuredPage just has a link that redirects to SecurePage.
Comment 3 Ram Chandra 2015-08-25 14:14:10 UTC
I tried to reproduce this issue but I am not able to reproduce this issue, we may have to see if a developer can figure out what's going on from the stack trace and attached project.
Comment 4 Jason Smith [MSFT] 2016-03-25 18:09:20 UTC
No reproduction ever provided