0

TL; DR:

I have an iOS app connecting to a webservice that does not meet the minimum requirements for the new ATS feature. I have modified my Info.plist to allow an exception so my app can still connect to the webservice (NSURLSession/NSURLConnection HTTP load failed on iOS 9). This works correctly in development; however, the update I just pushed to the store still fails to hit the webservice. I don't know where the disconnect is happening or how to fix this.

===

First off, this is all happening in an emulator, and the same behavior occurs when I deploy directly to my iPad in Xcode:

I am trying to connect to a webservice over https in my iOS app. I am now getting this error every time I try to connect to the webservice:

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)

It is my understanding that this is happening because the new ATS feature is not allowing the connection. I have confirmed this by applying the fix (NSURLSession/NSURLConnection HTTP load failed on iOS 9) to my Info.plist file:

<key>NSAppTransportSecurity</key>
<dict>
  <key>NSExceptionDomains</key>
  <dict>
    <key>mydomain.com</key>
    <dict>
      <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
      <true/>
      <key>NSIncludesSubdomains</key>
      <true/>
    </dict>
  </dict>
</dict>

Once I put that in, it connects to the webservice without issue.

Apparently, while my server meets the TLS 1.2 requirement, and cipher requirement, it does not meet the signature requirement (https://developer.apple.com/library/ios/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW35)

However, I have made an update to my app and pushed to the app store, but the store version of my app is unable to connect to the web service. The very same code builds fine on my local machine and runs on my device when deployed to it from Xcode, but the version in the store seems to be ignoring the .plist fix. How can I fix this? This makes no sense to me at all.

chiliNUT

2 Answers

0

Try this version of configurations for info.plist:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>www.example.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSTemporaryExceptionMinimumTLSVersion</key>
            <string>TLSv1.1</string>
        </dict>
    </dict>
</dict>

EDIT: try specifying NSExceptionRequiresForwardSecrecy to NO as well.

Soberman
  • Hi, this looks the same as what I posted except you have the TLSv1.1 exception in there. My server is using TLSv1.2, so I don't see why this would work any differently. In the simulator this works the same as my original settings. – chiliNUT Oct 07 '15 at 19:54
  • so, here is the issue, it works fine in the simulator with my current settings, so I don't see how modifying these settings slightly will address the major issue that it works in development but not in my store version. Also, I should not need the `requires forward secrecy exception` as I am using one of the accepted ciphers, specifically `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`. So again, that edit works, along with my original version, in the simulator – chiliNUT Oct 07 '15 at 20:03
  • Hm. Then I am clueless. – Soberman Oct 07 '15 at 21:02
0

Try adding the following code to your info.plist:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

For more information, see the link: apple forum

Casper Schobers
  • this answer, like the other, does not offer any explanation of why it works in development, but not in the store version. I do not want to allow arbitrary loads, I only want one exception for the API for my webservice. – chiliNUT Oct 07 '15 at 20:10
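
A way to check which ATS relaxations a given Info.plist actually carries (for instance the one inside a built app bundle), and to tell the single-domain exception from the question apart from the global `NSAllowsArbitraryLoads` opt-out in the second answer. This is an added example, not code from any of the posts; `audit_ats`, `wrap` and the sample plists are constructed for illustration.

```python
import plistlib

def wrap(ats_fragment: str) -> bytes:
    """Wrap an ATS fragment in a minimal Info.plist (constructed test input)."""
    return ('<plist version="1.0"><dict>' + ats_fragment + '</dict></plist>').encode()

# Constructed samples mirroring the two configurations shown on this page.
PER_DOMAIN = wrap("""
<key>NSAppTransportSecurity</key>
<dict>
  <key>NSExceptionDomains</key>
  <dict>
    <key>mydomain.com</key>
    <dict>
      <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key><true/>
      <key>NSIncludesSubdomains</key><true/>
    </dict>
  </dict>
</dict>""")
GLOBAL_OPT_OUT = wrap("""
<key>NSAppTransportSecurity</key>
<dict><key>NSAllowsArbitraryLoads</key><true/></dict>""")

def audit_ats(plist_bytes: bytes) -> list:
    """Return (scope, finding) pairs for every ATS relaxation in an Info.plist."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity")
    if not isinstance(ats, dict):
        return []  # no ATS dictionary: the OS defaults apply unchanged
    findings = []
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append(("*", "ATS disabled for all domains"))
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        scope = domain + (" (+subdomains)" if rules.get("NSIncludesSubdomains") else "")
        for key, value in rules.items():
            # Accept both the NSTemporaryException* and NSException* spellings.
            name = key.replace("NSTemporaryException", "").replace("NSException", "")
            if name == "AllowsInsecureHTTPLoads" and value is True:
                findings.append((scope, "insecure HTTP loads allowed"))
            elif name == "MinimumTLSVersion":
                findings.append((scope, "minimum TLS version set to " + str(value)))
            elif name == "RequiresForwardSecrecy" and value is False:
                findings.append((scope, "forward secrecy not required"))
    return findings

if __name__ == "__main__":
    for label, sample in (("per-domain", PER_DOMAIN), ("global", GLOBAL_OPT_OUT)):
        print(label, audit_ats(sample))
```

Running the same function over the Info.plist of the development build and the one in the archived bundle shows whether both carry the same exception set.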