iOS 11 HTTPS network request failure with self-signed cert

For testing purposes, we use a self-signed cert, loaded as a bundle resource for network requests.

It works fine on Xcode8 + iOS10 devices and simulators.

On Xcode 9 and iOS 11, however, it prompts with the following error:


----------------

<APIClient.swift> call [#77]

Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x1c0111f70>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, NSErrorPeerCertificateChainKey=(

"<cert(0x1070fb600) s: *.😎 i:🙂>",

"<cert(0x1070fce00) s:🙂 i: 2048 offline root>",

"<cert(0x1070fd600) s: 2048 offline root i: 2048 offline root>"

), NSUnderlyingError=0x1c465e180 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x1c0111f70>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=(

"<cert(0x1070fb600) s: *.😎 i:🙂>",

"<cert(0x1070fce00) s:😎 i: 2048 offline root>",

"<cert(0x1070fd600) s: 2048 offline root i: 2048 offline root>"

)}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https:/

----------------

It can be resolved by adding:


<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>


I wonder if the security policy has changed, e.g. is a self-signed cert totally prohibited on iOS 11?

If yes, is there a link/documentation reference?

Everything above doesn't work if you work with the AVFoundation API, AVPlayer in particular. I've set 'allow arbitrary loads' to yes and added exception domains (to be sure it works). Nothing helps; I got the error "Error Domain=NSOSStatusErrorDomain Code=-1202 "(null)"}, NSLocalizedDescription=The certificate for this server is invalid." Other requests via HTTPS to the same server work, while the AVPlayer API doesn't. Any idea why?

Hi, Eskimo. Recently, my app will enable ATS and support ATS. I use `/usr/bin/nscurl --ats-diagnostics my_url` to verify the server API. I get the following report, and the question is: how can I know whether the server API conforms to ATS or not?


Starting ATS Diagnostics


Configuring ATS Info.plist keys and displaying the result of HTTPS loads to xxxxx.

A test will "PASS" if URLSession:task:didCompleteWithError: returns a nil error.

Use '--verbose' to view the ATS dictionaries used and to display the error received in URLSession:task:didCompleteWithError:.

================================================================================


Default ATS Secure Connection

---

ATS Default Connection

Result : PASS

---


================================================================================


Allowing Arbitrary Loads


---

Allow All Loads

Result : PASS

---


================================================================================


Configuring TLS exceptions for xxxx


---

TLSv1.3

2019-06-10 14:05:15.205 nscurl[96230:2204640] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9858)

Result : FAIL

---


---

TLSv1.2

Result : PASS

---


---

TLSv1.1

Result : PASS

---


---

TLSv1.0

Result : PASS

---


================================================================================


Configuring PFS exceptions for ***


---

Disabling Perfect Forward Secrecy

Result : PASS

---


================================================================================


Configuring PFS exceptions and allowing insecure HTTP for xxxx


---

Disabling Perfect Forward Secrecy and Allowing Insecure HTTP

Result : PASS

---


================================================================================


Configuring TLS exceptions with PFS disabled for ***


---

TLSv1.3 with PFS disabled

2019-06-10 14:05:27.286 nscurl[96230:2204640] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9858)

Result : FAIL

---


---

TLSv1.2 with PFS disabled

Result : PASS

---


---

TLSv1.1 with PFS disabled

Result : PASS

---


---

TLSv1.0 with PFS disabled

Result : PASS

---


================================================================================


Configuring TLS exceptions with PFS disabled and insecure HTTP allowed for ***


---

TLSv1.3 with PFS disabled and insecure HTTP allowed

2019-06-10 14:05:43.052 nscurl[96230:2204700] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9858)

Result : FAIL

---


---

TLSv1.2 with PFS disabled and insecure HTTP allowed

Result : PASS

---


---

TLSv1.1 with PFS disabled and insecure HTTP allowed

Result : PASS

---


---

TLSv1.0 with PFS disabled and insecure HTTP allowed

Result : PASS

---


================================================================================


Thank you.
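
An added example, not part of the original thread and not Apple's tooling: a small Python parser for the `nscurl --ats-diagnostics` report format quoted above. It files each `Result` under its section and test name, keeps the stream error code logged before a `FAIL`, and checks the `ATS Default Connection` row, the one load made with no ATS exceptions. The sample report is constructed and the function names are hypothetical.

```python
import re

# Constructed sample in the report format quoted above; the host is a placeholder.
SAMPLE_REPORT = """\
Starting ATS Diagnostics
========================================
Default ATS Secure Connection
---
ATS Default Connection
Result : PASS
---
========================================
Configuring TLS exceptions for example.test
---
TLSv1.3
2019-06-10 14:05:15.205 nscurl[1:2] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9858)
Result : FAIL
---
---
TLSv1.2
Result : PASS
---
"""

RESULT_RE = re.compile(r"^Result\s*:\s*(PASS|FAIL)$")
ERROR_RE = re.compile(r"HTTP load failed \((\w+), (-?\d+)\)")

def parse_ats_report(text):
    """Return one dict per test: section, test, result, error (tuple or None)."""
    rows, names, error, expect = [], {"section": None, "test": None}, None, None
    # Skip blank lines: the forum paste is double-spaced.
    for line in filter(None, map(str.strip, text.splitlines())):
        if set(line) in ({"="}, {"-"}):
            # A rule line announces the name on the next text line.
            expect = "section" if line[0] == "=" else "test"
        elif m := RESULT_RE.match(line):
            rows.append({**names, "result": m.group(1), "error": error})
            error = None
        elif m := ERROR_RE.search(line):
            error = (m.group(1), int(m.group(2)))  # (stream error domain, code)
        elif expect:
            names[expect], expect = line, None
    return rows

def default_ats_passes(rows):
    # The no-exception test: did the load succeed with ATS left at its defaults?
    return any(r["test"] == "ATS Default Connection" and r["result"] == "PASS"
               for r in rows)

def failures(rows):
    return [(r["section"], r["test"], r["error"]) for r in rows if r["result"] == "FAIL"]
```

Pass the captured output of the `nscurl` command to `parse_ats_report`, then read `default_ats_passes` for the default-ATS verdict and `failures` for the rows to investigate.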
