NSURLSession/NSURLConnection Error - ATS failed system trust - (kCFStreamErrorDomainSSL, -9802) TLSv1.3

I wrote an entire summary of the issue I am facing, however, the Apple forum kept giving me an error "The message contains invalid characters."....


Basically, I'm running into an issue with NSURLSession and TLSv1.3. It appears that no matter what settings I have specified within my info.plist file, I am unable to send an https request to my local vagrant machine, without receiving the following error:


2019-08-08 12:17:28.857383-0700 MyApp[8307:987977] ATS failed system trust

2019-08-08 12:17:28.857604-0700 MyApp[8307:987977] System Trust failed for [1:0x6000015ee280]

2019-08-08 12:17:28.858051-0700 MyApp[8307:987977] TIC SSL Trust Error [1:0x6000015ee280]: 3:0

2019-08-08 12:17:28.868049-0700 MyApp[8307:987977] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)

2019-08-08 12:17:28.868257-0700 MyApp[8307:987977] Task <AF1ECF52-6FCD-4BB0-8765-FD6A2346B749>.<1> HTTP load failed (error code: -1200 [3:-9802])

2019-08-08 12:17:28.868514-0700 MyApp[8307:987919] Task <AF1ECF52-6FCD-4BB0-8765-FD6A2346B749>.<1> finished with error - code: -1200


Here is a link that shows all of the settings I have enabled for this project.


Thank you in advance for your help!!

iOS does two levels of HTTP server trust evaluation:

  • Every TLS connection does a default, RFC 2818-style server trust evaluation (A).

  • HTTPS requests made by apps using high-level APIs, like NSURLSession, apply additional security checks in a process known as App Transport Security (ATS) (B).

The message ATS failed system trust indicates that A has failed, so no matter what you do with B the connection is not going to go through.

As to how you should proceed here, that depends on your overall goals. Reading through the doc you linked to, it seems like you’re trying to set up a local server for testing. If so, I recommend that you leave both A and B alone, and instead give your server a certificate that the system trusts. You can do this as follows:

  1. Communicate with your server via its .local name (rather than an IP address).
  2. Create your own custom certificate authority (CA).
  3. Have that CA issue a certificate for your server under its .local name.
  4. Install the CA’s root certificate on your test device.

Your app will then be able to issue HTTPS requests to the server without customising HTTPS server trust evaluation in code.

For more background on this see:

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
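
Steps 2 and 3 of the answer above, sketched with the openssl command line as an added example (not part of the original thread, and not Apple's own procedure). The host name, output directory, file names and CA subject are assumptions.

```shell
#!/bin/sh
# Added example: private CA plus a server certificate for a .local name.
# Host name, directory and file names are hypothetical.

make_local_ca_and_cert() {
    host="$1"; out="$2"
    mkdir -p "$out" || return 1

    # Step 2: root CA key and self-signed root certificate.
    cat > "$out/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Local Test Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
        -config "$out/ca.cnf" -keyout "$out/ca.key" -out "$out/ca.pem" \
        2>/dev/null || return 1

    # Step 3: server key and CSR; -subj overrides the CA name in ca.cnf.
    openssl req -new -newkey rsa:2048 -sha256 -nodes -subj "/CN=$host" \
        -config "$out/ca.cnf" -keyout "$out/server.key" \
        -out "$out/server.csr" 2>/dev/null || return 1

    # Hostname matching uses subjectAltName, so the .local name goes there.
    cat > "$out/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    openssl x509 -req -in "$out/server.csr" -CA "$out/ca.pem" \
        -CAkey "$out/ca.key" -CAcreateserial -sha256 -days 365 \
        -extfile "$out/server.ext" -out "$out/server.pem" 2>/dev/null
}

# Succeeds only if server.pem chains to our root and is valid for $1.
check_local_cert() {
    openssl verify -CAfile "$2/ca.pem" -verify_hostname "$1" \
        "$2/server.pem" >/dev/null 2>&1
}

# Usage: make_local_ca_and_cert myserver.local ./local-ca
```

For step 4, install ca.pem (never ca.key) on the test device; on iOS a manually installed root must also be enabled for full trust under Settings > General > About > Certificate Trust Settings.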