Anyone got NSURLConnection working on iOS 9 without exceptions?

Question

I am trying to run my app on iOS 9 -- Xcode 7 beta 5. Although my URLs are https, NSURL connection is still throwing an error:

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)

I am trying to avoid using an exception to get this working. My server supports the required protocols: https://developer.apple.com/library/prerelease/ios/technotes/App-Transport-Security-Technote/index.html

Thanks...

UPDATE: the release notes indicate that they have dropped default support of DHE_RSA ciphers:

"DHE_RSA cipher suites are now disabled by default in Secure Transport for TLS clients. This may cause failure to connect to TLS servers that only support DHE_RSA cipher suites. Apps that explicitly enable cipher suites using SSLSetEnabledCiphers are not affected and will still use DHE_RSA cipher suites if explicitly enabled."

These are the ciphers supported by my server. See the full list here: https://developer.apple.com/library/prerelease/ios/technotes/App-Transport-Security-Technote/index.html

So I guess I need to use SSLSetEnabledCiphers for every NSURLConnection, or upgrade my server to support the DHE_ECDSA ciphers. Or use the exception mechanism for now.

Anything I've missed? And anyone got sample code for using SSLSetEnabledCiphers?

Thanks.

http://stackoverflow.com/questions/30720813/cfnetwork-sslhandshake-failed-ios-9 — lukeswitz, Aug 16 '15 at 00:53
Yes, that has the workarounds. I'm trying to adopt the TLS protocol and not use the exception codes in plist. — Richard, Aug 16 '15 at 00:57
Still no good answer on that, I had an app pass for the store with this implemented last week though. — lukeswitz, Aug 16 '15 at 01:11

score 0 · Accepted Answer · answered Aug 16 '15 at 03:29

Here's the deal. The innocuous language about DHE_RSA cipher suites not being supported by default is a pretty big change by Apple in beta 5. A lot of servers out there don't support ECDHE_ECDSA ciphers by default. In order to support those ciphers on my server, it looks like I will have to upgrade something or several somethings. Or even recompile something. Ack.

And I assumed that I would just have to ensure all URLs were HTTPS!

Specifically I was able to support HTTPS-only links to my server by using the "NSExceptionRequiresForwardSecrecy = NO" key in info.plist. Also not forgetting the "NSIncludesSubdomains = YES" key if necessary.

Useful background, especially if Diffie-Helmen Exchange, Elliptical Curve and Forward Secrecy are not familiar to you:

http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html

http://blog.lowsnr.net/2014/10/26/configuring-apache-2-2-ssltls-for-forward-secrecy/

Further research, thanks to hynek.me, indicates that to support ECDHE ciphers you either need Apache 2.4 or Apache 2.2.26. Not sure how common those versions are. http://archive.apache.org/dist/httpd/CHANGES_2.2.26 — Richard, Aug 17 '15 at 18:10
It sounds like it's too soon for them to do this, which will just make everybody turn it back on instead of update their server... — Glenn Maynard, Aug 18 '15 at 21:18
Fortunately, I have good company: Facebook SDK isn't supporting Forward Secrecy on their servers out of the gate: https://developers.facebook.com/docs/ios/ios9 — Richard, Aug 22 '15 at 00:47

Anyone got NSURLConnection working on iOS 9 without exceptions?

1 Answers1