iOS app cannot publish to licode server due to SSL error?

We have a domain with a wildcard SSL certificate (that works on all subdomains).

When I connect the iOS app to licode hosted on subdomain A (which targets a public host), the iOS app is able to publish a stream.

When I connect the iOS app to licode hosted on subdomain B (which targets an internal network IP address), the iOS app is unable to publish a stream.

Here are the licode logs with the SSL error mentioned:

va_relay_1            | 1|erizoCon | 2017-06-14 01:33:09.798  - INFO: ErizoController - message: erizoClient connected, clientId: AJ1dudnJPEDBKUaVIDGW
va_relay_1            | 0|nuve     | 2017-06-14 01:33:09.809  - INFO: RPCPublic - message: consumed token, tokenId:  5940925587dda0012d51d999 , roomId: 59408bec87dda0012d51d98c, serviceId: 59408b4d057fd454e3097143
va_relay_1            | 1|erizoCon | 2017-06-14 01:33:09.820  - INFO: ErizoController - message: addPublisher requested, streamId: 229303206576727680, clientId: AJ1dudnJPEDBKUaVIDGW, video: true, data: [Object], state: erizo, attributes: false, audio: false, false
va_relay_1            | 1|erizoCon | 2017-06-14 01:33:09.820  - INFO: RoomController - message: addPublisher, streamId: 229303206576727680, video: true, data: [Object], state: erizo, attributes: false, audio: false, 
va_relay_1            | 1|erizoCon | 2017-06-14 01:33:09.821  - INFO: EcCloudHandler - message: createErizoJS, agentId: ErizoAgent
va_relay_1            | 1|erizoCon | 2017-06-14 01:33:09.824  - INFO: EcCloudHandler - message: createErizoJS success, erizoId: d9b7ee8a-ab11-44cc-e0e8-f0e856604cc7, agentId: f9f3e909-32a8-c2f3-2256-640f6f17661f
va_relay_1            | 1|erizoCon | 2017-06-14 01:33:09.824  - INFO: RoomController - message: addPublisher erizoJs assigned, erizoId: d9b7ee8a-ab11-44cc-e0e8-f0e856604cc7, streamId:  229303206576727680, 
va_relay_1            | 2|erizoAge | [erizo-d9b7ee8a-ab11-44cc-e0e8-f0e856604cc7] 2017-06-14 01:33:09.828  - INFO: ErizoJSController - message: Adding publisher, streamId: 229303206576727680, video: true, data: [Object], state: erizo, attributes: false, audio: false, 
va_relay_1            | 2|erizoAge | [erizo-d9b7ee8a-ab11-44cc-e0e8-f0e856604cc7] 2017-06-14 01:33:09,830  - INFO [0x7f2323b01780] WebRtcConnection - id: 229303206576727680,  message: constructor, stunserver: , stunPort: 0, minPort: 30000, maxPort: 30010
va_relay_1            | 2|erizoAge | [erizo-d9b7ee8a-ab11-44cc-e0e8-f0e856604cc7] 2017-06-14 01:33:09.833  - INFO: ErizoJSController - message: WebRtcConnection status update, id: 229303206576727680, status: 101, 
va_relay_1            | 1|erizoCon | 2017-06-14 01:33:09.834  - INFO: ErizoController - message: addPublisher, state: PUBLISHER_INITIAL, clientId: AJ1dudnJPEDBKUaVIDGW, streamId: 229303206576727680
va_relay_1            | 2|erizoAge | [erizo-d9b7ee8a-ab11-44cc-e0e8-f0e856604cc7] 2017-06-14 01:33:09.921  - INFO: ErizoJSController - message: Process Signaling message, streamId: 229303206576727680, peerId: AJ1dudnJPEDBKUaVIDGW
va_relay_1            | 2|erizoAge | [erizo-d9b7ee8a-ab11-44cc-e0e8-f0e856604cc7] 2017-06-14 01:33:09,921  - DEBUG [0x7f2323b01780] WebRtcConnection - id: 229303206576727680,  message: setting remote SDP
va_relay_1            | 2|erizoAge | [erizo-d9b7ee8a-ab11-44cc-e0e8-f0e856604cc7] 2017-06-14 01:33:09,922  - DEBUG [0x7f2323b01780] WebRtcConnection - id: 229303206576727680,  message: Setting remote BW, maxVideoBW: 3000
va_relay_1            | 2|erizoAge | [erizo-d9b7ee8a-ab11-44cc-e0e8-f0e856604cc7] 2017-06-14 01:33:09,922  - WARN [0x7f2323b01780] rtp.RtpExtensionProcessor - Unsupported extension http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
va_relay_1            | 2|erizoAge | 2017-06-14 01:33:09,922  - DEBUG [0x7f2323b01780] WebRtcConnection - id: 229303206576727680,  message: Creating videoTransport, ufrag: T623, pass: eNpRDqLYpdlcW3V+XylG4zcc
va_relay_1            | 2|erizoAge | [erizo-d9b7ee8a-ab11-44cc-e0e8-f0e856604cc7] 2017-06-14 01:33:09,922  - DEBUG [0x7f2323b01780] DtlsTransport - id: 229303206576727680,  message: constructor, transportName: video, isBundle: 1
va_relay_1            | 2|erizoAge | [erizo-d9b7ee8a-ab11-44cc-e0e8-f0e856604cc7] 2017-06-14 01:33:09,933  - DEBUG [0x7f2323b01780] DtlsTransport - id: 229303206576727680,  message: creating active-client
va_relay_1            | 2|erizoAge | 2017-06-14 01:33:09,933  - WARN [0x7f2323b01780] dtls.SSL - error in before/connect initialization
va_relay_1            | 2|erizoAge | [erizo-d9b7ee8a-ab11-44cc-e0e8-f0e856604cc7] 2017-06-14 01:33:09,934  - DEBUG [0x7f2323b01780] DtlsTransport - id: 229303206576727680,  message: created
va_relay_1            | 2|erizoAge | 2017-06-14 01:33:09,934  - DEBUG [0x7f2323b01780] DtlsTransport - id: 229303206576727680,  message: starting ice
va_relay_1            | 2|erizoAge | 2017-06-14 01:33:09,934  - DEBUG [0x7f2323b01780] LibNiceConnection - id: 229303206576727680,  message: creating Nice Agent
va_relay_1            | 2|erizoAge | [erizo-d9b7ee8a-ab11-44cc-e0e8-f0e856604cc7] 2017-06-14 01:33:09,935  - DEBUG [0x7f2323b01780] LibNiceConnection - id: 229303206576727680,  message: adding stream, iceComponents: 1
va_relay_1            | 2|erizoAge | [erizo-d9b7ee8a-ab11-44cc-e0e8-f0e856604cc7] 2017-06-14 01:33:09,935  - DEBUG [0x7f2323b01780] LibNiceConnection - id: 229303206576727680,  message: setting remote credentials in constructor, ufrag:T623, pass:eNpRDqLYpdlcW3V+XylG4zcc
va_relay_1            | 2|erizoAge | 2017-06-14 01:33:09,935  - DEBUG [0x7f2323b01780] LibNiceConnection - id: 229303206576727680,  message: setting remote credentials, ufrag: T623, pass: eNpRDqLYpdlcW3V+XylG4zcc
va_relay_1            | 2|erizoAge | 2017-06-14 01:33:09,935  - DEBUG [0x7f2323b01780] LibNiceConnection - id: 229303206576727680,  message: setting port range, min_port: 30000, max_port: 30010
va_relay_1            | 2|erizoAge | 2017-06-14 01:33:09,935  - DEBUG [0x7f2323b01780] LibNiceConnection - id: 229303206576727680,  message: gathering, this: 0x3517fb0
va_relay_1            | 2|erizoAge | [erizo-d9b7ee8a-ab11-44cc-e0e8-f0e856604cc7] 2017-06-14 01:33:09,935  - DEBUG [0x7f229dffb700] LibNiceConnection - id: 229303206576727680,  message: starting g_main_loop, this: 0x3517fb0
va_relay_1            | 2|erizoAge | [erizo-d9b7ee8a-ab11-44cc-e0e8-f0e856604cc7] 2017-06-14 01:33:09,936  - DEBUG [0x7f2323b01780] WebRtcConnection - id: 229303206576727680,  message: Discovered New Candidate, candidate: a=candidate:1 1 udp 2013266431 172.18.0.9 30000 typ host generation 0
va_relay_1            | 2|erizoAge | [erizo-d9b7ee8a-ab11-44cc-e0e8-f0e856604cc7] 2017-06-14 01:33:09,936  - DEBUG [0x7f2323b01780] LibNiceConnection - id: 229303206576727680,  message: gathering done, stream_id: 1
va_relay_1            | 2|erizoAge | 2017-06-14 01:33:09,936  - INFO [0x7f2323b01780] LibNiceConnection - id: 229303206576727680,  message: iceState transition, ice_config_.transport_name: video, iceState: initial, newIceState: cand_received, this: 0x3517fb0
va_relay_1            | 2|erizoAge | 2017-06-14 01:33:09,936  - DEBUG [0x7f2323b01780] DtlsTransport - id: 229303206576727680,  message:NiceState, transportName: video, state: 1, isBundle: 1
va_relay_1            | 2|erizoAge | 2017-06-14 01:33:09,937  - DEBUG [0x7f2323b01780] WebRtcConnection - id: 229303206576727680,  transportName: video, new_state: 2
va_relay_1            | 2|erizoAge | 2017-06-14 01:33:09,937  - DEBUG [0x7f2323b01780] WebRtcConnection - id: 229303206576727680,  message: Getting Local Sdp
va_relay_1            | 2|erizoAge | 2017-06-14 01:33:09,937  - DEBUG [0x7f2323b01780] DtlsTransport - id: 229303206576727680,  message: processing local sdp, transportName: video
va_relay_1            | 2|erizoAge | [erizo-d9b7ee8a-ab11-44cc-e0e8-f0e856604cc7] 2017-06-14 01:33:09,937  - DEBUG [0x7f2323b01780] DtlsTransport - id: 229303206576727680,  message: processed local sdp, transportName: video, ufrag: dro2, pass: gPhiMmogot4N5GIOYMuada
va_relay_1            | 2|erizoAge | 2017-06-14 01:33:09,937  - INFO [0x7f2323b01780] WebRtcConnection - id: 229303206576727680,  newGlobalState: 103
va_relay_1            | 2|erizoAge | [erizo-d9b7ee8a-ab11-44cc-e0e8-f0e856604cc7] (remote_bitrate_estimator_single_stream.cc:61): RemoteBitrateEstimatorSingleStream: Instantiating.
va_relay_1            | 2|erizoAge | [erizo-d9b7ee8a-ab11-44cc-e0e8-f0e856604cc7] 2017-06-14 01:33:09.943  - INFO: ErizoJSController - message: WebRtcConnection status update, id: 229303206576727680, status: 103, 

Any ideas why it may be happening?

That is more likely due to Apple’s security policy (if I understood your situation right).

Apple changed their SSL policy with iOS 10. You have apparently encountered one of the impacts of that change.

Apple requires you to use a real SSL certificate and have the server properly configured (DNS and all). That is not too easy to achieve in an internal network. A wildcard certificate most likely appears as a misconfigured server if the IP is in a private range. You can, of course, get it working by using a private DNS and similar stuff. You can still use a self-signed certificate or a “misconfigured” server in development if you tweak the code, but that is likely a good reason to get your app rejected if you allow improperly configured servers in your submitted app.

You should check with Xcode what system-level iOS errors you are getting.

We use a real SSL cert.

Turns out that “dtls.SSL - error in before/connect initialization” is there in the logs during successful video transmission from webapp to another webapp.

@thehappycoder, apparently I was not clear enough.

Your setup must have the correct DNS setup, with proper A or AAAA records that map to the IP you are using. Even the reverse lookups have to match in order to have no errors with Apple’s default security policy. Having things working correctly in a private LAN requires some work. We encountered the problem after Apple changed their policy last year. We ended up with a quite complex setup in order to avoid the errors in a private network. Unfortunately, I do not know all the details of the setup.

Actually, the recommended behaviour is that all software should generate at least warnings and errors, and preferably even refuse to connect, if A/AAAA and reverse lookups do not match the information in the certificate.

In most cases it is, however, possible to tweak the code and relax the security policy intentionally.
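The two replies above boil down to three concrete checks on the host the app connects to: does the certificate's subjectAltName (wildcard included) actually cover that exact hostname, does the name resolve to a private or a public address, and do the forward (A/AAAA) and reverse (PTR) answers agree. The script below runs those checks offline; it is an added example written for this thread, not code from the original posts or from licode. The SAN list and the DNS records in it are constructed to mirror the "subdomain A public, subdomain B private" situation described in the question (the `172.18.0.9` address is the host candidate visible in the posted log; the public address and the `example.com` names are placeholders). For a real host, feed it the output of `openssl s_client -servername <host>` / `openssl x509 -ext subjectAltName` and `dig <host>` / `dig -x <ip>` instead.

```python
"""Offline diagnosis of wildcard-certificate coverage and DNS consistency.

Added example for the thread above; not part of licode. All inputs below are
constructed for illustration.
"""
import ipaddress


def san_matches_host(san, host):
    """RFC 6125-style dNSName matching.

    A wildcard is only honoured when it is the entire left-most label
    ('*.example.com'), and it matches exactly one label: it covers
    'b.example.com' but neither 'example.com' nor 'x.b.example.com'.
    """
    san = san.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    suffix = san[1:]  # ".example.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def cert_covers_host(sans, host):
    """True if any subjectAltName dNSName entry covers `host`."""
    return any(san_matches_host(san, host) for san in sans)


def classify_address(ip):
    """'private' for RFC 1918 / link-local / loopback style ranges, else 'public'."""
    return "private" if ipaddress.ip_address(ip).is_private else "public"


def dns_problems(host, forward, reverse):
    """Compare forward and reverse records; return a list of human-readable issues.

    forward: {name: [ip, ...]}   (what A/AAAA lookups return)
    reverse: {ip: [name, ...]}   (what PTR lookups return)
    """
    problems = []
    ips = forward.get(host, [])
    if not ips:
        problems.append(f"{host}: no A/AAAA record")
    for ip in ips:
        names = reverse.get(ip, [])
        if host not in names:
            problems.append(f"{ip}: PTR {names or 'missing'} does not name {host}")
    return problems


def diagnose(host, sans, forward, reverse):
    """Run all three checks for one hostname and return the findings."""
    return {
        "host": host,
        "cert_covers_host": cert_covers_host(sans, host),
        "addresses": {ip: classify_address(ip) for ip in forward.get(host, [])},
        "dns_problems": dns_problems(host, forward, reverse),
    }


# Constructed inputs: a wildcard cert and two subdomains, one public, one internal.
SANS = ["*.example.com", "example.com"]
FORWARD = {
    "a.example.com": ["93.184.216.34"],   # placeholder public address
    "b.example.com": ["172.18.0.9"],      # internal address seen in the log's ICE candidate
    "deep.b.example.com": ["172.18.0.9"], # second-level name: wildcard does not cover it
}
REVERSE = {
    "93.184.216.34": ["a.example.com"],   # PTR agrees with the forward record
    # 172.18.0.9 has no PTR at all, which the reverse-lookup check reports
}

if __name__ == "__main__":
    for name in FORWARD:
        result = diagnose(name, SANS, FORWARD, REVERSE)
        print(result["host"])
        print("  cert covers host:", result["cert_covers_host"])
        print("  addresses:", result["addresses"])
        for problem in result["dns_problems"]:
            print("  DNS:", problem)
```

Running it shows the split the question describes: `a.example.com` is covered by the wildcard, resolves to a public address and has a matching PTR; `b.example.com` is also covered by the wildcard but resolves to a private address with no PTR; `deep.b.example.com` is not covered at all, since a single-label wildcard does not span two labels. Whether a given client rejects any of these is the client's policy, which is why the reply's advice to read the system-level error in Xcode still applies.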