superfell/SoqlX

App Transport Security Issue on Login

Closed this issue · 8 comments

I'm getting the following error when I log in:

The resource could not be loaded because the App Transport Security Policy

The server URL that I have uses the following scheme:

https://<organisation>.lightning.force.com/

Using version 3.3 on OSX Big Sur (11.0.1)

Update:

I have found some more information via the console:

Got error sending API request <NSMutableURLRequest: 0x600003daaab0> { URL: https://<org>.lightning.force.com/services/Soap/u/47.0 } : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x600003161f50 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://<org>.lightning.force.com/services/Soap/u/47.0, NSErrorFailingURLKey=http://<org>.lightning.force.com/services/Soap/u/47.0, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}

But, the URL that I supplied uses https. Any idea why this is being re-written?

Can you say what the real URL is so I can test with it? I've not been able to repro this (but I'm not on BS yet). If you don't want to post it publicly, then you can email it to me: fellforce at gmail.com

The only URL rewriting done by SoqlX is to deal with the retirement of www.salesforce.com as the login API endpoint. There's nothing that would rewrite https to http.

I was able to find an org with a lightning endpoint and can repro the problem.

Login requests to org.lightning.salesforce.com get redirected to http by the server, which then causes the App Transport failure on the client side, e.g.

curl -X POST https://superfell-dev-ed.lightning.force.com/services/Soap/u/47.0 -H "Content-type:text/xml" -v --data-binary "<s:Envelope xmlns:s='http://schemas.xmlsoap.org/soap/envelope/' xmlns='urn:partner.soap.sforce.com'><s:Body><login/></s:Body></s:Envelope>"
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 13.110.69.95...
* TCP_NODELAY set
* Connected to superfell-dev-ed.lightning.force.com (13.110.69.95) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=salesforce.com, inc.; CN=*.na138.force.com
*  start date: Mar 23 00:00:00 2020 GMT
*  expire date: Mar 24 12:00:00 2021 GMT
*  subjectAltName: host "superfell-dev-ed.lightning.force.com" matched cert's "*.lightning.force.com"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
*  SSL certificate verify ok.
> POST /services/Soap/u/47.0 HTTP/1.1
> Host: superfell-dev-ed.lightning.force.com
> User-Agent: curl/7.64.1
> Accept: */*
> Content-type:text/xml
> Content-Length: 138
> 
* upload completely sent off: 138 out of 138 bytes
< HTTP/1.1 302 Found
< Date: Sat, 21 Nov 2020 22:02:51 GMT
< X-B3-TraceId: 4caf60167be0ad25
< X-B3-SpanId: 4caf60167be0ad25
< X-B3-Sampled: 0
< Cache-Control: no-cache,must-revalidate,max-age=0,no-store,private
< Set-Cookie: BrowserId=TO5AaCxFEeujI0N44WaoZQ; domain=.force.com; path=/; expires=Sun, 21-Nov-2021 22:02:51 GMT; Max-Age=31536000
< Location: http://superfell-dev-ed.lightning.force.com/services/Soap/u/47.0
< Content-Length: 0
< 
* Connection #0 to host superfell-dev-ed.lightning.force.com left intact
* Closing connection 0

Note the 'Location: http://superfell-dev-ed.lightning.force.com/services/Soap/u/47.0' near the end. I've not been keeping up with lightning; should login requests be going there, or should they be going to .my.salesforce.com (which does appear to work)?

Based on https://developer.salesforce.com/docs/atlas.en-us.identityImplGuide.meta/identityImplGuide/faq_domain_name_what.htm it seems like login requests should be going to <org>.my.salesforce.com not the lightning URL.
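As an added example (not code from this thread or from SoqlX), the check below parses the 302 response captured in the curl session above and flags the https-to-http downgrade that App Transport Security rejects. The raw response text is reconstructed from the curl output and the request URL is the one used in that session; both are constructed sample inputs.

```python
"""Flag an HTTPS -> HTTP downgrade in a redirect response.

This is the failure mode in the thread: a POST to the lightning login endpoint
over https is answered with 302 and an http:// Location. An ATS-enforcing client
will not follow the cleartext hop and reports NSURLErrorDomain -1022. The fix is
to log in against an endpoint that stays on https, not to relax ATS.
"""
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample: the response headers from the curl session, as a raw
# HTTP/1.1 response with an empty body.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Date: Sat, 21 Nov 2020 22:02:51 GMT\r\n"
    "Cache-Control: no-cache,must-revalidate,max-age=0,no-store,private\r\n"
    "Location: http://superfell-dev-ed.lightning.force.com/services/Soap/u/47.0\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
SAMPLE_REQUEST_URL = "https://superfell-dev-ed.lightning.force.com/services/Soap/u/47.0"


def parse_response(raw):
    """Return (status_code, headers) from a raw HTTP response.

    Header names are lower-cased so lookups are case-insensitive, as HTTP requires.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_redirect(request_url, raw_response):
    """Describe a redirect, or return None if the response is not one.

    A relative Location is resolved against the request URL (RFC 7231), so it
    inherits the original scheme and is never reported as a downgrade.
    """
    status, headers = parse_response(raw_response)
    if status not in REDIRECT_CODES or "location" not in headers:
        return None
    target = urljoin(request_url, headers["location"])
    src, dst = urlsplit(request_url), urlsplit(target)
    return {
        "status": status,
        "target": target,
        "downgrade": src.scheme == "https" and dst.scheme == "http",
        "same_host": src.hostname == dst.hostname,
    }
```

Running `check_redirect(SAMPLE_REQUEST_URL, SAMPLE_RESPONSE)` reports `downgrade: True` with the host unchanged, which is exactly the condition ATS refuses to follow.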

@atdfairfax did you try the org.my.salesforce.com suggestion? Did that work? What led you to think to use the lightning URL?

@superfell yes, I did - you were correct; many apologies. org.my.salesforce.com works perfectly. Thank you and can't wait to start using it.