ATS blocks connection although requirements are met

Hi,

I am trying to send a POST request to pages.jumio.com where I am getting the following error in the debug console:

"App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file."


For a few months we've been trying to get this server properly configured, and thought we had succeeded already - but obviously we haven't and are not able to find out what's wrong.


A quick check on SSL checker says everything is correct:

https://www.sslshopper.com/ssl-checker.html#hostname=https://pages.jumio.com/index.php/leadCapture/save


Even the "nscurl --ats-diagnostics" command tested all conditions with result "PASS" (see below).


Please let me know what's left to make this work.


best regards,

Philipp



nbmaclnzpr:BAMCheckoutDemo prakuschan$ nscurl --ats-diagnostics --verbose https://pages.jumio.com/index.php/leadCapture/save
Starting ATS Diagnostics


Configuring ATS Info.plist keys and displaying the result of HTTPS loads to https://pages.jumio.com/index.php/leadCapture/save.
A test will "PASS" if URLSession:task:didCompleteWithError: returns a nil error.
================================================================================


Default ATS Secure Connection
---
ATS Default Connection
ATS Dictionary:
{
}
Result : PASS
---


================================================================================


Allowing Arbitrary Loads


---
Allow All Loads
ATS Dictionary:
{
    NSAllowsArbitraryLoads = true;
}
Result : PASS
---


================================================================================


Configuring TLS exceptions for pages.jumio.com


---
TLSv1.2
ATS Dictionary:
{
    NSExceptionDomains =     {
        "pages.jumio.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.2";
        };
    };
}
Result : PASS
---


---
TLSv1.1
ATS Dictionary:
{
    NSExceptionDomains =     {
        "pages.jumio.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.1";
        };
    };
}
Result : PASS
---


---
TLSv1.0
ATS Dictionary:
{
    NSExceptionDomains =     {
        "pages.jumio.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.0";
        };
    };
}
Result : PASS
---


================================================================================


Configuring PFS exceptions for pages.jumio.com


---
Disabling Perfect Forward Secrecy
ATS Dictionary:
{
    NSExceptionDomains =     {
        "pages.jumio.com" =         {
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---


================================================================================


Configuring PFS exceptions and allowing insecure HTTP for pages.jumio.com


---
Disabling Perfect Forward Secrecy and Allowing Insecure HTTP
ATS Dictionary:
{
    NSExceptionDomains =     {
        "pages.jumio.com" =         {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---


================================================================================


Configuring TLS exceptions with PFS disabled for pages.jumio.com


---
TLSv1.2 with PFS disabled
ATS Dictionary:
{
    NSExceptionDomains =     {
        "pages.jumio.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.2";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---


---
TLSv1.1 with PFS disabled
ATS Dictionary:
{
    NSExceptionDomains =     {
        "pages.jumio.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.1";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---


---
TLSv1.0 with PFS disabled
ATS Dictionary:
{
    NSExceptionDomains =     {
        "pages.jumio.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.0";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---


================================================================================


Configuring TLS exceptions with PFS disabled and insecure HTTP allowed for pages.jumio.com


---
TLSv1.2 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
    NSExceptionDomains =     {
        "pages.jumio.com" =         {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionMinimumTLSVersion = "TLSv1.2";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---


---
TLSv1.1 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
    NSExceptionDomains =     {
        "pages.jumio.com" =         {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionMinimumTLSVersion = "TLSv1.1";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---


---
TLSv1.0 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
    NSExceptionDomains =     {
        "pages.jumio.com" =         {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionMinimumTLSVersion = "TLSv1.0";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---


================================================================================

Note the text of the error: ATS is blocking an HTTP request, not an HTTPS request. Something in your app is issuing an HTTP request and that’s what’s causing this problem.

As to where the HTTP request is coming from, I suspect it’s this redirect.

$ curl -D /dev/stderr https://pages.jumio.com
HTTP/1.0 302 Found
Date: Tue, 02 Feb 2016 11:21:16 GMT
Server: Apache
Location: http://jumio.com
Vary: Accept-Encoding
Content-Length: 87
Connection: Keep-Alive
Content-Type: text/html
Set-Cookie: BIGipServersj04web-app_https=2634547210.47873.0000; path=/

…

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
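The `nscurl --ats-diagnostics` run only exercises the HTTPS URL it is given, so a redirect to `http://` like the one in the reply above never shows up in its PASS/FAIL table. As an added example (not part of either post), this Python sketch walks a `curl -D` header dump and reports every redirect hop that lands on cleartext HTTP; the function names `redirect_hops` and `cleartext_hops` are hypothetical, and the sample headers are abridged from the curl output quoted above.

```python
from urllib.parse import urljoin, urlsplit

# Abridged from the curl -D output quoted in the reply above.
SAMPLE_HEADERS = """\
HTTP/1.0 302 Found
Date: Tue, 02 Feb 2016 11:21:16 GMT
Server: Apache
Location: http://jumio.com
Content-Type: text/html
"""


def redirect_hops(start_url, header_dump):
    """Yield (status, from_url, to_url) for each redirect in a header dump.

    The dump may hold several responses back to back, as `curl -L -D` writes
    them. Relative Location values are resolved against the current URL.
    """
    current, status, location = start_url, None, None
    # The extra "" guarantees the last response block is flushed.
    for line in header_dump.splitlines() + [""]:
        line = line.strip()
        if line.upper().startswith("HTTP/"):
            parts = line.split()
            status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
            location = None
        elif line.lower().startswith("location:"):
            location = line.split(":", 1)[1].strip()
        elif not line and status is not None:
            # A blank line ends one response block.
            if 300 <= status < 400 and location:
                target = urljoin(current, location)
                yield status, current, target
                current = target
            status = None


def cleartext_hops(start_url, header_dump):
    """Return the hops whose target is plain http://, which default ATS blocks."""
    return [hop for hop in redirect_hops(start_url, header_dump)
            if urlsplit(hop[2]).scheme == "http"]


if __name__ == "__main__":
    for status, src, dst in cleartext_hops("https://pages.jumio.com", SAMPLE_HEADERS):
        print(f"{status}: {src} -> {dst} (cleartext target)")
```
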

Thanks for your response, eskimo. I'll follow up with the server team to find out what's wrong.


best regards,

Philipp
