Getting NSURLError in XCode for the iOS App running on windows server without Forward Secrecy setup. Is Forward Secrecy mandatory?

Getting NSURLError (TIC Read Status [12:0*0]: 1:57) in XCode for the iOS App running on windows server without TLS 1.2 & Forward Secrecy setup. After going through the iOS security guide, we enabled TLS 1.2. After that also we are getting the same error message. Is Forward Secrecy mandatory? Is Forward Secrecy the reason for this issue? Please help.

Forward secrecy is strongly recommended. Moreover, as you’ve already been able to update your server to support TLS 1.2, it seems likely that you can add forward secrecy support as well.

If this isn’t possible right now then you can add an NSExceptionRequiresForwardSecrecy App Transport Security (ATS) exception so that your app can speak to this server; see my ATS pinned post for details. This is a short-term solution and you should plan to enable forward secrecy as soon as possible.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks Eskimo. I really appreciate your help. Here is the PLIST setup. With this setup we are getting the above said error message. Do you think it needs to be changed? If yes, please let us know what needs to be changed.


<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSAllowsArbitraryLoadsInWebContent</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
        <key>yourdomain.com</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSIncludesSubdomains</key>
            <true/>
            <!--Include to allow HTTP requests-->
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
        </dict>
    </dict>
</dict>

Here is the PLIST setup.

Where?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I added it as a pic and it was not showing up. I added it as text now.

I added it as text now.

Thanks. In this case text is more useful anyway.

Your property list seems to disable forward secrecy for yourdomain.com. Did you change that as part of redacting it in order to post it here? Or are you literally using yourdomain.com? The latter would be bad (-:

Presuming that this is a redaction, it’s hard to say what’s going on here without being able to poke at your server. My recommendation is that you start by confirming that this is an ATS issue. You can do that by disabling ATS entirely, with a property list like this:

<key>NSAppTransportSecurity</key>
<dict>
  <key>NSAllowsArbitraryLoads</key>
  <true/> 
</dict>

If you do this does your connection go through?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Yes, yourdomain.com is not the actual domain name.

The app was configured the way you suggest 2-3 years ago and by then we faced an issue and changed it as I posted.

OK. My suggestion is that, as an experiment, you change it as I previously posted. That will tell you whether ATS is involved. If you disable ATS entirely for your app and you still have TLS problems then you know that the issue is deeper in the TLS stack.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Eskimo -

I work with Jetwin as well. We have had ATS disabled for a few years now, I assume because errors were occurring before. This issue began with the introduction of iOS 12+. Devices running on previous versions have no issues.

If I remove the Allow Arbitrary Loads key and re-run simulation with deployment target of iOS 12+ on a device running 12+:

Our development environment fails as it was with ATS disabled. In this environment, we have updated the security configuration to enable TLS 1.2.


2018-11-26 10:48:53.308973-0700 Vistar[25488:2570487] Page did fail with error. <redacted>
2018-11-26 10:48:53.309220-0700 Vistar[25488:2570487] Error Domain=NSURLErrorDomain Code=-999 "(null)" UserInfo={NSErrorFailingURLStringKey=<redacted>, NSErrorFailingURLKey=<redacted>}
2018-11-26 10:48:53.314546-0700 Vistar[25488:2570837] CFNetwork Diagnostics [3:479] 10:48:53.314 {
~HTTPProtocol: nullptr request
      Request: null
         sent: 732
     received: 0
    cell sent: 0
cell received: 0
} [3:479]
2018-11-26 10:48:53.314850-0700 Vistar[25488:2570837] TIC Read Status [7:0x0]: 1:57

Production does not load at all and we have not enabled TLS 1.2 on it yet. We are still exploring the proper configurations in development before we employ them in production.

2018-11-26 10:51:10.234166-0700 Vistar[25638:2573281] Page did fail with error.

2018-11-26 10:51:10.234366-0700 Vistar[25638:2573281] Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9836, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x600002749b30 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSErrorFailingURLStringKey=<redacted>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFNetworkCFStreamSSLErrorOriginalValue=-9836, _kCFStreamPropertySSLClientCertificateState=0, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., _kCFStreamErrorDomainKey=3, NSErrorFailingURLKey=<redacted>, _kCFStreamErrorCodeKey=-9836}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=<redacted>, NSErrorFailingURLStringKey=<redacted>, _kCFStreamErrorDomainKey=3}


Corrected to show contents of images

Is your server accessible on the public Internet? If so, post the URL and I’ll take a look. If not, my recommendation is that you open a DTS tech support incident so that I can help you in private.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hello Quinn -

Yes, it is publicly accessible. The production URL for the mobile site is https://myvistar.vistar.com/m

Thank you.

Best regards,

Brett

Yes, it is publicly accessible.

Neat-o!

Poking at that server with TLSTool (this is sample code, which you can download here), I see the following:

$ TLSTool s_client -connect myvistar.vistar.com:443
*  input stream did open
* output stream did open
* output stream has space
* protocol: TLS 1.0
* cipher: RSA_WITH_AES_128_CBC_SHA
* trust result: unspecified
* certificate info:
*   0 + rsaEncryption 2048 sha256-with-rsa-signature 'myvistar.vistar.com'
*   1 + rsaEncryption 2048 sha256-with-rsa-signature 'Entrust Certification Authority - L1K'
*   2 + rsaEncryption 2048 sha256-with-rsa-signature 'Entrust Root Certification Authority - G2'
^C

There seem to be two problems here:

  • It’s negotiated TLS 1.0 rather than TLS 1.2.

  • The cipher suite (RSA_WITH_AES_128_CBC_SHA) does not support forward secrecy.

You should fix this server; while it’s not actively insecure, it’s a long way from the best practice security that is ATS’s ultimate goal.

In the meantime, let’s look at ATS exceptions. Based on the above I crafted an ATS exception dictionary like so:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>myvistar.vistar.com</key>
        <dict>
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.0</string>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
        </dict>
    </dict>
</dict>

With this in place my test code (pasted in below) was able to connect to your server without any problems:

2018-11-28 08:54:56.944536+0000 xxx[12331:714093] task start
2018-11-28 08:54:57.745704+0000 xxx[12331:714133] task finished with status 200, bytes 4280

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

NSLog("task start")
let url = URL(string: "https://myvistar.vistar.com/m")!
let request = URLRequest(url: url, cachePolicy: .reloadIgnoringLocalCacheData, timeoutInterval: 60.0)
URLSession.shared.dataTask(with: request) { (data, response, error) in
    if let error = error as NSError? {
        NSLog("task transport error %@ / %d", error.domain, error.code)
        return
    }
    let response = response as! HTTPURLResponse
    let data = data!
    NSLog("task finished with status %d, bytes %d", response.statusCode, data.count)
}.resume()
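The assessment Quinn did by hand above (read the negotiated protocol and cipher, decide which ATS defaults are violated, then write the narrowest exception) can be automated. The script below is an added example, not Quinn's code, not Apple's TLSTool and not anything from the thread's app: it parses TLSTool-style output, reports which ATS requirements fail, and emits the minimal NSExceptionDomains entry, never NSAllowsArbitraryLoads. Function names (assess, minimal_exception, probe) are mine; the forward-secrecy test (ECDHE suites and any TLS 1.3 suite count as forward secret) is a simplification of Apple's documented ATS cipher list, and the live probe() uses Python's ssl module rather than TLSTool. The sample input is the TLSTool output posted above, embedded so the script runs offline.

```python
"""Added example: classify negotiated TLS parameters against ATS defaults and
derive the smallest App Transport Security exception that admits them.
Not code from the thread or from Apple; see the assumptions in comments."""
import plistlib
import re
import socket
import ssl

# ATS defaults as documented by Apple: TLS 1.2 or later plus a forward-secrecy
# cipher suite. Anything weaker needs a per-domain exception.
_TLS_RANK = {"TLSv1.0": 0, "TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3}
ATS_MIN_TLS = "TLSv1.2"


def normalize_protocol(name):
    """Map 'TLS 1.0', 'TLSv1', 'TLSv1.2' style names onto the ATS plist spelling."""
    m = re.search(r"TLS\s*v?\s*(\d)(?:\.(\d))?", name)
    if not m:
        raise ValueError("not a TLS protocol name: %r" % name)
    return "TLSv%s.%s" % (m.group(1), m.group(2) or "0")


def has_forward_secrecy(protocol, cipher):
    """Assumption (simplified): ECDHE suites and every TLS 1.3 suite are
    forward secret; RSA key transport such as RSA_WITH_AES_128_CBC_SHA is not."""
    return protocol == "TLSv1.3" or "ECDHE" in cipher.upper()


def assess(protocol, cipher):
    """Return the list of ATS default requirements these parameters violate."""
    protocol = normalize_protocol(protocol)
    problems = []
    if _TLS_RANK[protocol] < _TLS_RANK[ATS_MIN_TLS]:
        problems.append("negotiated %s; ATS requires %s or later" % (protocol, ATS_MIN_TLS))
    if not has_forward_secrecy(protocol, cipher):
        problems.append("cipher suite %s does not support forward secrecy" % cipher)
    return problems


def minimal_exception(domain, protocol, cipher):
    """Build the narrowest NSAppTransportSecurity dictionary that admits the
    observed parameters, or None if the server already meets ATS defaults.
    Only the failing requirement is relaxed; arbitrary loads stay off."""
    protocol = normalize_protocol(protocol)
    entry = {}
    if _TLS_RANK[protocol] < _TLS_RANK[ATS_MIN_TLS]:
        entry["NSExceptionMinimumTLSVersion"] = protocol
    if not has_forward_secrecy(protocol, cipher):
        entry["NSExceptionRequiresForwardSecrecy"] = False
    if not entry:
        return None
    return {"NSAppTransportSecurity": {"NSExceptionDomains": {domain: entry}}}


def to_plist_xml(ats):
    """Serialize the dictionary as Info.plist XML text."""
    return plistlib.dumps(ats).decode("utf-8")


_TLSTOOL_LINE = re.compile(r"^\*\s+(protocol|cipher):\s+(.+?)\s*$", re.M)


def parse_tlstool_output(text):
    """Pull the negotiated protocol and cipher out of TLSTool s_client output."""
    found = dict(_TLSTOOL_LINE.findall(text))
    return normalize_protocol(found["protocol"]), found["cipher"]


def probe(host, port=443, timeout=10):
    """Live check with Python's ssl module (needs network; not used offline).
    minimum_version is lowered so a TLS 1.0-only server can still be observed,
    although the local OpenSSL build may refuse such protocols regardless."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return normalize_protocol(tls.version()), tls.cipher()[0]


# Constructed sample input: the TLSTool lines Quinn posted for this server.
SAMPLE_TLSTOOL_OUTPUT = """\
* protocol: TLS 1.0
* cipher: RSA_WITH_AES_128_CBC_SHA
* trust result: unspecified
"""

if __name__ == "__main__":
    proto, cipher = parse_tlstool_output(SAMPLE_TLSTOOL_OUTPUT)
    for problem in assess(proto, cipher):
        print("ATS violation:", problem)
    print(to_plist_xml(minimal_exception("myvistar.vistar.com", proto, cipher)))
```

Run against the sample it reports both violations Quinn listed and prints a dictionary equivalent to the one he crafted; once the server is fixed to TLS 1.2 with an ECDHE suite, minimal_exception returns None, which is the signal to delete the exception from Info.plist.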

Hi Quinn -

With the suggested configuration, we can hit the server and log-in page, but once a log-in attempt is made, it produces the diagnostic output below (simulating an iPhone 7 running 12.1). It is actually the same error we get today for the existing app in the App Store that is configured with ATS disabled.


2018-11-28 08:41:42.637467-0700 Vistar[35138:2786742] CFNetwork Diagnostics [3:363] 08:41:42.637 {
LoaderWhatToDo: (null)
       Request: {string = https://myvistar.vistar.com/CGI-BIN/lansaweb?webapp=WB001M01+webrtn=verifyLogin+ml=LANSA:XHTML+partition=PRX+language=ENG, encoding = 134217984, base = (null)}
   CachePolicy: 1
      WhatToDo: originload
   CreateToNow: 0.00029s
} [3:363]
2018-11-28 08:41:42.637798-0700 Vistar[35138:2786744] CFNetwork Diagnostics [3:364] 08:41:42.637 {
AddCookies Continue: request POST https://myvistar.vistar.com/CGI-BIN/lansaweb?webapp=WB001M01+webrtn=verifyLogin+ml=LANSA:XHTML+partition=PRX+language=ENG HTTP/1.1
       HTTPProtocol: Task: 787c00
} [3:364]
2018-11-28 08:41:42.638273-0700 Vistar[35138:2786744] CFNetwork Diagnostics [3:365] 08:41:42.637 {
HTTPCookieStorage::copyCookiesForURL: 
                         Request URL: https://myvistar.vistar.com/CGI-BIN/lansaweb?webapp=WB001M01+webrtn=verifyLogin+ml=LANSA:XHTML+partition=PRX+language=ENG
                    MainDocument URL: https://myvistar.vistar.com/CGI-BIN/lansaweb?webapp=WB001M01+webrtn=verifyLogin+ml=LANSA:XHTML+partition=PRX+language=ENG
             Cookie_0_0x6000015a5e10: dict [9] {
                                             Domain: myvistar.vistar.com
                                            Session: YES
                                             Secure: NO
                                            Created: 2018-11-28 15:35:33 +0000
                                          Partition: NULL
                                               Path: /
                                               Name: _SESSIONKEY_VMOBILE
                                           HTTPOnly: YES
        
2018-11-28 08:41:42.644550-0700 Vistar[35138:2786744] CFNetwork Diagnostics [3:366] 08:41:42.644 {
Protocol Enqueue: request POST https://myvistar.vistar.com/CGI-BIN/lansaweb?webapp=WB001M01+webrtn=verifyLogin+ml=LANSA:XHTML+partition=PRX+language=ENG HTTP/1.1
         Request:  {url = https://myvistar.vistar.com/CGI-BIN/lansaweb?webapp=WB001M01+webrtn=verifyLogin+ml=LANSA:XHTML+partition=PRX+language=ENG, cs = 0x0}
         Message: POST https://myvistar.vistar.com/CGI-BIN/lansaweb?webapp=WB001M01+webrtn=verifyLogin+ml=LANSA:XHTML+partition=PRX+language=ENG HTTP/1.1
          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Content-Type: application/x-www-form-urlencoded
          Origin: https://myvistar.vistar.com
          Cookie: _SESSIONKEY_VMOBILE=
      User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/16B91
         Referer: https://myvistar.vistar.com/m
Accept-Language: en-us
Accept-Encoding: br, gzip, deflate
} [3:3
2018-11-28 08:41:42.647072-0700 Vistar[35138:2786744] CFNetwork Diagnostics [3:367] 08:41:42.646 {
TCP Connection Start: (null)
          Connection: 0x600001caa640
       Connection ID: 10
} [3:367]
2018-11-28 08:41:42.790901-0700 Vistar[35138:2786783] CFNetwork Diagnostics [3:368] 08:41:42.790 {
TCP Connection Connected: (null)
              Connection: 0x600001caa640
           Connection ID: 10
                   Error: 16
} [3:368]
2018-11-28 08:41:42.791884-0700 Vistar[35138:2786783] CFNetwork Diagnostics [3:369] 08:41:42.791 {
Prepare Transmission: (null)
} [3:369]
2018-11-28 08:41:42.793548-0700 Vistar[35138:2786744] CFNetwork Diagnostics [3:370] 08:41:42.793 {
Did Send Body: (null)
        Loader:  {url = https://myvistar.vistar.com/CGI-BIN/lansaweb?webapp=WB001M01+webrtn=verifyLogin+ml=LANSA:XHTML+partition=PRX+language=ENG, cs = 0x0}
Bytes Written: 45
Total Written: 45
Total Expected: 45
} [3:370]
2018-11-28 08:41:42.793957-0700 Vistar[35138:2786744] CFNetwork Diagnostics [3:371] 08:41:42.793 {
touchConnection: (null)
          Loader:  {url = https://myvistar.vistar.com/CGI-BIN/lansaweb?webapp=WB001M01+webrtn=verifyLogin+ml=LANSA:XHTML+partition=PRX+language=ENG, cs = 0x0}
Timeout Interval: 2147483647.000 seconds
} [3:371]
2018-11-28 08:41:42.830453-0700 Vistar[35138:2786744] CFNetwork Diagnostics [3:372] 08:41:42.830 {
destroyReadStream: request POST https://myvistar.vistar.com/CGI-BIN/lansaweb?webapp=WB001M01+webrtn=verifyLogin+ml=LANSA:XHTML+partition=PRX+language=ENG HTTP/1.1
          Request:  {url = https://myvistar.vistar.com/CGI-BIN/lansaweb?webapp=WB001M01+webrtn=verifyLogin+ml=LANSA:XHTML+partition=PRX+language=ENG, cs = 0x0}
             sent: {value = +639, type = kCFNumberSInt64Type}
         received: {value = +0, type = kCFNumberSInt64Type}
        cell sent: {value = +0, type = kCFNumberSInt64Type}
    cell received: {value = +0, type = kCFNumberSInt64Type}
} [3:372]
2018-11-28 08:41:42.830524-0700 Vistar[35138:2780555] Page did fail with error. https://myvistar.vistar.com/m
2018-11-28 08:41:42.830692-0700 Vistar[35138:2780555] Error Domain=NSURLErrorDomain Code=-999 "(null)" UserInfo={NSErrorFailingURLStringKey=https://myvistar.vistar.com/CGI-BIN/lansaweb?webapp=WB001M01+webrtn=verifyLogin+ml=LANSA:XHTML+partition=PRX+language=ENG, NSErrorFailingURLKey=https://myvistar.vistar.com/CGI-BIN/lansaweb?webapp=WB001M01+webrtn=verifyLogin+ml=LANSA:XHTML+partition=PRX+language=ENG}
2018-11-28 08:41:42.836281-0700 Vistar[35138:2786744] CFNetwork Diagnostics [3:373] 08:41:42.836 {
~HTTPProtocol: nullptr request
      Request: null
         sent: 639
     received: 0
    cell sent: 0
cell received: 0
} [3:373]
2018-11-28 08:41:42.836495-0700 Vistar[35138:2786744] TIC Read Status [10:0x0]: 1:57

At this point I think I’ve taken this about as far as I can on DevForums. I recommend that you open a DTS tech support incident so that I can continue the investigation in that context.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Quinn -

Thank you for your assistance. I have submitted the TSI.

Best Regards,

Brett
