21

I installed Xcode 7 and tried running my app under iOS 9. I'm getting the infamous error: Connection failed! Error - -1200 An SSL error has occurred and a secure connection to the server cannot be made. The thing is my server DOES support TLSv1.2 and I'm using NSURLSession.

What could be the problem then?

sudo make install
YogevSitton

5 Answers

32

Apple has released the full requirements list for the App Transport Security.

Turned out that we were working with TLS v1.2 but were missing some of the other requirements.

Here's the full check list:

  1. TLS requires at least version 1.2.
  2. Connection ciphers are limited to those that provide forward secrecy (see below for the list of ciphers).
  3. The service requires a certificate using at least a SHA256 fingerprint with either a 2048-bit or greater RSA key, or a 256-bit or greater Elliptic-Curve (ECC) key.
  4. Invalid certificates result in a hard failure and no connection.

The accepted ciphers are:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Carmen
YogevSitton
  • How do we check those items? The Apple Technote does not tell much more: https://developer.apple.com/library/prerelease/ios/technotes/App-Transport-Security-Technote/ – Gwendal Roué Sep 14 '15 at 10:40
  • To test, go to [SSL Labs](https://www.ssllabs.com/ssltest/index.html) and put in your server URL. It will test your certs and grade your setup. – RobDigital Sep 22 '15 at 20:30
  • You can include another set of ciphers as I had to, because paypal doesn't support those ones: http://stackoverflow.com/questions/32869268/ios9-paypal-sdk-an-ssl-error-has-occurred/32869364#32869364 – Flexicoder Sep 30 '15 at 15:02
  • We solved it by renewing our SSL certificate to use SHA2 and enabling TLS v1.2. – Brabbeldas Oct 20 '15 at 17:51
  • How about internal testing when you want to connect the app to a server on the internal network? – Brabbeldas Oct 20 '15 at 17:52
  • Amazon's cloudfront.net appears to still be using SHA-1 with connections using AES_128_GCM, i.e. inaccessible for iOS9 apps. These certs expire 25/12/15, one day before even Microsoft has deprecated SHA-1. – Peter Oct 22 '15 at 11:04
  • We had a client reporting this same error code. In their case a content filter was causing the insecure connection, and adding an exception for the IPs/URLs fixed the problem. – DannyC Apr 05 '16 at 01:18
  • @YogevSitton, my certificate on the web server is not supporting forward secrecy, but the web server is TLS 1.2. Can my iOS client still connect to the web server without ATS? I'm using HTTPS only. – JIANG Mar 17 '17 at 20:41
  • I had the ATS turned off in my iOS client. I could connect to the web server with TLS 1.2; however, during the authorization process, the ticket generated on the server can't be recognized by the same web server after I send it back. I noticed that the web server generated a much shorter ticket for the iOS client call vs the ticket for the Windows call (this is working). I'm lost. – JIANG Mar 17 '17 at 20:43
  • @YogevSitton, if you have a web server that is TLS 1.2 only, does it mean you have to use ATS on the iOS client side? – JIANG Mar 17 '17 at 20:54
12

In iOS9, Apple added new feature called App Transport Security(ATS).

ATS enforces best practices during network calls, including the use of HTTPS.

Apple Pre-release documentation:

ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt. You should adopt ATS as soon as possible, regardless of whether you’re creating a new app or updating an existing one.

If you’re developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible.

Add the below key in your Info.plist and then see.

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

You can even add a specific exception:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>testdomain.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <false/>
            <key>NSExceptionAllowInsecureHTTPSLoads</key>
            <false/>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <true/>
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.2</string>
            <key>NSThirdPartyExceptionAllowInsecureHTTPSLoads</key>
            <false/>
            <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
            <true/>
            <key>NSThirdPartyExceptionMinimumTLSVersion</key>
            <string>TLSv1.2</string>
            <key>NSRequiresCertificateTransparency</key>
            <false/>
        </dict>

        ...

    </dict>
</dict>
Nilesh Patel
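The two plist fragments above show the blanket switch and the per-domain exception side by side; what a reviewer wants is a quick way to tell which one an app actually ships with. The following is an added example (not the answer's code) that loads an Info.plist with the standard-library `plistlib` and reports every setting that weakens ATS: the global `NSAllowsArbitraryLoads`, an insecure-HTTP exception, forward secrecy switched off, a minimum TLS version below 1.2, and an exception widened to subdomains. The key names are the ones from the answer; I also check the spelling `NSExceptionAllowsInsecureHTTPLoads` (and its `NSThirdParty` twin) that the shipped iOS 9 documentation uses. Both sample plists are constructed here: the strict one is the answer's exception with the `...` placeholder removed, the weak one is a deliberately loose policy for the domain `legacy.example.com`.

```python
"""Info.plist ATS audit (added example; not code from the answer above)."""
import plistlib

MIN_TLS = (1, 2)   # rule 1 of the ATS checklist


def _tls_tuple(value):
    """'TLSv1.2' -> (1, 2); anything unparsable sorts below every real version."""
    try:
        return tuple(int(p) for p in value[len("TLSv"):].split("."))
    except (ValueError, AttributeError, TypeError):
        return (0, 0)


def audit_ats(ats):
    """Return findings for an NSAppTransportSecurity dictionary (empty = strict)."""
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads is true: ATS is off for every host")
    for domain, exc in ats.get("NSExceptionDomains", {}).items():
        # Pre-release spelling from the answer plus the shipped spelling.
        for key in ("NSExceptionAllowInsecureHTTPSLoads", "NSExceptionAllowsInsecureHTTPLoads",
                    "NSThirdPartyExceptionAllowInsecureHTTPSLoads",
                    "NSThirdPartyExceptionAllowsInsecureHTTPLoads"):
            if exc.get(key):
                findings.append(f"{domain}: {key} is true: plain HTTP allowed")
        for key in ("NSExceptionRequiresForwardSecrecy", "NSThirdPartyExceptionRequiresForwardSecrecy"):
            if key in exc and not exc[key]:
                findings.append(f"{domain}: {key} is false: non-PFS ciphers allowed")
        for key in ("NSExceptionMinimumTLSVersion", "NSThirdPartyExceptionMinimumTLSVersion"):
            if key in exc and _tls_tuple(exc[key]) < MIN_TLS:
                findings.append(f"{domain}: {key} is {exc[key]}: below TLS 1.2")
        if exc.get("NSIncludesSubdomains"):
            findings.append(f"{domain}: NSIncludesSubdomains is true: exception covers every subdomain")
    return findings


def audit_plist(data):
    """Load an Info.plist (bytes) and audit its ATS dictionary, if it has one."""
    info = plistlib.loads(data)
    return audit_ats(info.get("NSAppTransportSecurity", {}))


_HEAD = b'<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n<dict>\n'
_TAIL = b"</dict>\n</plist>\n"

# Constructed sample: the answer's per-domain exception, as shipped by a careful app.
STRICT_PLIST = _HEAD + b"""<key>NSAppTransportSecurity</key><dict>
  <key>NSExceptionDomains</key><dict>
    <key>testdomain.com</key><dict>
      <key>NSIncludesSubdomains</key><false/>
      <key>NSExceptionAllowInsecureHTTPSLoads</key><false/>
      <key>NSExceptionRequiresForwardSecrecy</key><true/>
      <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.2</string>
      <key>NSThirdPartyExceptionAllowInsecureHTTPSLoads</key><false/>
      <key>NSThirdPartyExceptionRequiresForwardSecrecy</key><true/>
      <key>NSThirdPartyExceptionMinimumTLSVersion</key><string>TLSv1.2</string>
      <key>NSRequiresCertificateTransparency</key><false/>
    </dict>
  </dict>
</dict>
""" + _TAIL

# Constructed sample: the blanket switch plus a loosened legacy domain.
WEAK_PLIST = _HEAD + b"""<key>NSAppTransportSecurity</key><dict>
  <key>NSAllowsArbitraryLoads</key><true/>
  <key>NSExceptionDomains</key><dict>
    <key>legacy.example.com</key><dict>
      <key>NSIncludesSubdomains</key><true/>
      <key>NSExceptionRequiresForwardSecrecy</key><false/>
      <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
    </dict>
  </dict>
</dict>
""" + _TAIL


if __name__ == "__main__":
    for name, blob in (("strict", STRICT_PLIST), ("weak", WEAK_PLIST)):
        print(name, "->", audit_plist(blob) or ["no ATS weakening found"])
```

Run it against a real app by replacing the constructed blobs with `open("Info.plist", "rb").read()`; a binary plist is handled by `plistlib.loads` as well.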
5

Check out this doc that Apple provided.

I had a similar issue at runtime on iOS 9, and what I did to fix it was add the NSAppTransportSecurity dictionary to my Info.plist file with the NSAllowsArbitraryLoads bool set to true; after cleaning and rebuilding it worked.

I hope this helps!

sudo make install
  • My server is using TLSv1.2 and I'm using NSUrlSession, so it should work for me automatically, no? I don't want to disable TLS in my app. – YogevSitton Jul 06 '15 at 04:49
  • Maybe as a temp solution. – HotJard Sep 02 '15 at 14:31
  • I think this is some sort of workaround to be honest; there's no way I can ship with this configuration, so I'm waiting to see if any new documentation comes out. If any of you use Charles Proxy they have an article about this, and I know a bunch of folks have written about this workaround as well. – user5082751 Sep 02 '15 at 14:54
  • What you did is disable the new SSL check altogether. Not recommended. – Maciej Swic Sep 10 '15 at 12:35
  • @MaciejSwic - What he did was return to the status quo that existed in every version of iOS prior to iOS 9. Perhaps not recommended, but entirely valid as a solution given Apple's propensity for dropping breaking changes on the development community with little to no warning. – aroth Sep 22 '15 at 05:31
  • @aroth Little to no warning? WWDC was months ago. It's not hard to configure your SSL properly. – Maciej Swic Sep 22 '15 at 08:17
  • Setting NSAllowsArbitraryLoads to true is not a solution! – ingh.am Oct 01 '15 at 12:08
3

For me a proxy was blocking it; trying to use the internet from a different source (Wifi, LAN, etc.) will resolve the issue.

Nagarjun
0

With iOS9 I had the same issue: while the SSL Labs result showed no issues with protocols / ciphers on my server, a connection to one specific URL failed on an iPad running iOS 9.3.5 with an SSL error:

Connection cannot be established.

My stupid mistake was that I had a redirect, i.e. in NGINX (and similar in Apache):

rewrite /calendar     $scheme://www.example.org/resources/calendar;

If the user accessed /calendar by setting:

https://example.org/calendar

the server redirected to another domain breaking the establishment of the SSL-connection.

Setting the redirect as follows fixed it:

rewrite /calendar     $scheme://$server_name/resources/calendar;
Rainer Keller