App Transport Security blocks https

Hi!

I've a problem with ATS.

I'm using Xcode 9.1, my Development Target is 11.0.

I'm developing using react-native 0.49


My program is doing a fetch to an https resource which has a valid (Google Chrome) Let's Encrypt certificate.

The fetch only works when NSAllowsArbitraryLoads is set to true; when it is set to false, the fetch is blocked.

I've made the following settings within my info.plist:


<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <false/>
    <key>NSExceptionDomains</key>
    <dict>
        <key>xxxx.no-ip.org</key>
        <dict/>
        <key>localhost</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
        <key>meetbecky.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
        </dict>
    </dict>
</dict>

I'm doing some tests using a temporary domain. This domain also has a valid Let's Encrypt certificate. In this case everything works fine.

The only difference I can see between both hosts is that the test domain is a single domain host, the production host is a multi domain host.


Both certificates are new (SHA-256 with RSA Encryption) and are accepted by all major browsers (Chrome, Safari) without any difficulty!


Does anybody have a suggestion?


The debug output from the Simulator:

CFNetwork Diagnostics [1:1187] 12:38:08.258 {
Did Fail: (null)
Loader: <CFMutableURLRequest 0x6000003bed80 [0x1125f1960]> {url = https:/
Error: Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802}



Best regards,


Harry

Your post wasn’t clear as to which site is causing the problem, so I’m assuming that it was meetbecky.com. Given that, a quick poke at that site with TLSTool reveals the problem:

$ TLSTool s_client -connect meetbecky.com:443
*  input stream did open
* output stream did open
* output stream has space
* protocol: TLS 1.0
* cipher: RSA_WITH_AES_256_CBC_SHA
* trust result: unspecified
* certificate info:
*   0 + rsaEncryption 2048 sha256-with-rsa-signature 'meetbecky.com'
*   1 + rsaEncryption 2048 sha256-with-rsa-signature 'Let's Encrypt Authority X3'
*   2 + rsaEncryption 2048 sha1-with-rsa-signature 'DST Root CA X3'
^C

The server’s certificate is fine (as you’d expect with a Let’s Encrypt certificate) but there are TLS-level problems:

  • The server is negotiating TLS 1.0.

  • The server doesn’t support forward secrecy (note that the cipher suite, RSA_WITH_AES_256_CBC_SHA, does not include ECDHE).

The following ATS dictionary will get things working but I strongly recommend that you fix your server so that it complies with ATS’s best practice security requirements. Specifically, TLS 1.0 is 18 years old now, and ATS only wants you to use TLS 1.2, something that’s been around for almost a decade!

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>meetbecky.com</key>
        <dict>
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.0</string>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
        </dict>
    </dict>
</dict>

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
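Added example (not part of Quinn's reply, and not Apple's tooling): a Python script that parses a TLSTool s_client transcript like the one above, checks the negotiated session against the ATS defaults the reply names (TLS 1.2 or later, ECDHE forward secrecy, a SHA-2 signed certificate with an RSA key of at least 2048 bits) and derives the smallest NSExceptionDomains entry that would let the connection through. The sample transcript is constructed from the lines quoted above; the function names are my own.

```python
import re

# Constructed sample: the relevant lines of the TLSTool transcript quoted above.
SAMPLE = """\
* protocol: TLS 1.0
* cipher: RSA_WITH_AES_256_CBC_SHA
*   0 + rsaEncryption 2048 sha256-with-rsa-signature 'meetbecky.com'
*   1 + rsaEncryption 2048 sha256-with-rsa-signature 'Let's Encrypt Authority X3'
*   2 + rsaEncryption 2048 sha1-with-rsa-signature 'DST Root CA X3'
"""
CERT_RE = re.compile(r"^(\d+) \+ (\S+) (\d+) (\S+) '(.*)'$")

def parse_tlstool(output):
    """Pull protocol, cipher suite and certificate chain out of TLSTool output."""
    info = {"protocol": "", "cipher": "", "certs": []}
    for raw in output.splitlines():
        line = raw.lstrip("* ").rstrip()
        if line.startswith("protocol:"):
            info["protocol"] = line.split(":", 1)[1].strip()
        elif line.startswith("cipher:"):
            info["cipher"] = line.split(":", 1)[1].strip()
        elif CERT_RE.match(line):
            key, bits, sig, name = CERT_RE.match(line).groups()[1:]
            info["certs"].append({"key": key, "bits": int(bits), "sig": sig, "name": name})
    return info

def ats_findings(info):
    """ATS default requirements the observed session fails (empty if compliant)."""
    findings = []
    version = tuple(int(x) for x in info["protocol"].split()[1].split("."))
    if version < (1, 2):
        findings.append("tls_version")       # ATS default: TLS 1.2 or later
    if "ECDHE" not in info["cipher"]:
        findings.append("forward_secrecy")   # ATS default: ECDHE key exchange
    leaf = info["certs"][0]                  # index 0 is the server's own cert
    if not re.search(r"sha(256|384|512)", leaf["sig"]) or (
            leaf["key"] == "rsaEncryption" and leaf["bits"] < 2048):
        findings.append("certificate")       # SHA-2 signature, RSA >= 2048 bits
    return findings

def ats_exception(domain, info):
    """Minimal NSExceptionDomains entry for this server, as a plist dictionary."""
    findings, exc = ats_findings(info), {}   # no key can waive the certificate rule
    if "tls_version" in findings:
        exc["NSExceptionMinimumTLSVersion"] = "TLSv" + info["protocol"].split()[1]
    if "forward_secrecy" in findings:
        exc["NSExceptionRequiresForwardSecrecy"] = False
    return {"NSAppTransportSecurity": {"NSExceptionDomains": {domain: exc}}}
```

Passing the returned dictionary to plistlib.dumps gives the XML to merge into Info.plist; a "certificate" finding has no exception key, so that one can only be fixed on the server.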