0

My app was working fine when I was using http://domain.com. But today, when I changed http:// to https://, I am facing this issue: NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813). I have also made changes in .plist. Here is my .plist code:

<key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <true/>
        <key>NSExceptionDomains</key>
        <dict>
            <key>dev.domainName.in</key>
            <dict>
                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSTemporaryExceptionMinimumTLSVersion</key>
                <string>TLSv1.2</string>
            </dict>
        </dict>
    </dict>

But still I am facing this issue. Please help me out. What am I missing?

Sudha Tiwari
  • Can you call the same URL using the device's browser? – Ruchira Randana Mar 14 '16 at 10:13
  • It is giving me an error: Cannot verify server Identity – Sudha Tiwari Mar 14 '16 at 10:18
  • Are you opening this URL in a web view or using it to make a network API call using NSURLSession or NSURLConnection classes? Do you mind sharing the full URL too, if it's OK with you? It seems like you need to handle the authentication challenges, since the error you are seeing is because of an unidentified certificate. In such cases you have to implement certain delegate methods that are called during the connection and handle them accordingly. – Pradeep K Mar 14 '16 at 10:35
  • I am using NSURLConnection classes – Sudha Tiwari Mar 14 '16 at 10:38

2 Answers

0

From iOS 9, Apple has enforced ATS. Here is the documentation regarding that. Try loosening the restrictions and see whether it works.

Does it work on devices running OS versions prior to iOS 9?

Ruchira Randana
  • I have read this documentation and used the code provided by them. But still it is giving me an error. – Sudha Tiwari Mar 14 '16 at 10:45
  • Try using this site to check whether there are any issues with your certificates. https://www.sslshopper.com/ssl-checker.html – Ruchira Randana Mar 14 '16 at 10:58
  • The certificate is self-signed. Users will receive a warning when accessing this site unless the certificate is manually added as a trusted certificate to their web browser. You can fix this error by buying a trusted SSL certificate – Sudha Tiwari Mar 14 '16 at 11:04
  • That's the problem. You must be using a self-signed certificate. You should purchase an SSL certificate from a certificate authority. You could also add it to the device's root certificate list. However, then you'll have to manage distributing the certificates yourself. I'd recommend that you purchase an SSL certificate. – Ruchira Randana Mar 14 '16 at 12:17
  • How can I add it to the device's root certificate list? – Sudha Tiwari Mar 14 '16 at 12:21
0

Based on your comments that you are getting an invalid cert error and that you are using NSURLConnection, your solution is to implement this delegate method. See if this solves the problem.

- (void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
    [challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]
          forAuthenticationChallenge:challenge];
}

Note that you are essentially ignoring the SSL error and allowing the connection to proceed. So you are opening up the app for hacking. For testing you can use this, but make sure that you install a proper certificate in the production environment.

But if you want to handle this correctly and warn the user in case the cert is not proper you can do this.

- (void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
    OSStatus err = noErr;
    BOOL trusted = NO;
    NSURLProtectionSpace *protectionSpace = challenge.protectionSpace;
    SecTrustRef serverTrustRef = protectionSpace.serverTrust;
    SecTrustResultType trustResult;

    // Check if the server trust that we got from the server can be trusted by default
    err = SecTrustEvaluate(serverTrustRef, &trustResult);
    trusted = (err == noErr) && ((trustResult == kSecTrustResultProceed) || (trustResult == kSecTrustResultUnspecified));

    if (trusted) // If the site is trusted then continue with that trust
    {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:protectionSpace.serverTrust]
              forAuthenticationChallenge:challenge];
    }
    else // If not then warn the user about this and let the user make a decision
    {
        // Warn the user about the cert problem using a dialog with options to continue or ignore.
        // Continue alert action call: [challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]
        //                                   forAuthenticationChallenge:challenge];
        // Don't continue action: [challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge];
        // OR call: [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}

Pradeep K
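
For the self-signed development certificate discussed in this thread, an alternative to accepting every certificate is to trust only that one certificate. The following is an added example, not code from any of the posts; the class name `PinnedConnectionDelegate` and the bundled file `dev-server.cer` (a DER-encoded copy of the server's certificate) are assumptions.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Assumption: the self-signed server certificate ships in the app bundle as
// DER under the hypothetical name "dev-server.cer".
static SecCertificateRef CopyBundledAnchor(void) {
    NSString *path = [[NSBundle mainBundle] pathForResource:@"dev-server" ofType:@"cer"];
    NSData *der = path ? [NSData dataWithContentsOfFile:path] : nil;
    return der ? SecCertificateCreateWithData(NULL, (__bridge CFDataRef)der) : NULL;
}

// Hypothetical delegate class for the NSURLConnection used in the question.
@interface PinnedConnectionDelegate : NSObject <NSURLConnectionDelegate>
@end

@implementation PinnedConnectionDelegate

- (void)connection:(NSURLConnection *)connection
willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
    NSURLProtectionSpace *space = challenge.protectionSpace;
    // Only server-trust challenges carry a SecTrustRef; leave the rest to the system.
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
        return;
    }
    SecTrustRef trust = space.serverTrust;
    SecCertificateRef anchor = CopyBundledAnchor();
    BOOL trusted = NO;
    if (trust != NULL && anchor != NULL) {
        NSArray *anchors = @[(__bridge id)anchor];
        // Evaluate against the bundled certificate only, not the system roots.
        // The trust object's SSL policy still checks the host name.
        OSStatus err = SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors);
        if (err == noErr) err = SecTrustSetAnchorCertificatesOnly(trust, true);
        SecTrustResultType result = kSecTrustResultInvalid;
        // Same call as the answer above; SecTrustEvaluateWithError replaces it on iOS 12+.
        if (err == noErr) err = SecTrustEvaluate(trust, &result);
        trusted = (err == noErr) &&
                  (result == kSecTrustResultProceed || result == kSecTrustResultUnspecified);
    }
    if (anchor) CFRelease(anchor);
    if (trusted) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust]
              forAuthenticationChallenge:challenge];
    } else {
        // Fail closed: any other certificate, or a missing bundle file, ends the connection.
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}

@end
```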