I have iOS 10 TSL issue ("Security Error: -9801"). How to fix?

Question

I have App which connects to SSL SOAP service. For iOS 9.3.5 the App works fine. From iOS 10 I have error with code -9801. I suppose this is connected to Apple ATS. The site certificate is configured for TLS 1.0 (but I can not manage certificate configuration).

How can I fix this? I suppose I have to add it as an exception in .plist file.

I also made check with www.ssllabs.com and for section Apple ATS 9 / iOS 9 R it gives error:

Protocol or cipher suite mismatch

but on iOS 9 it works.

EDIT:

I add the domain to ATS exceptions (in info.plist) but the error persists

There is no such thing as "certificate is configured for TLS 1.0" . The certificate is independent from the TLS version. More help might maybe done if you don't just link to ssllabs in general but to the actual analysis for the server in question, because then one would say how it is configured and what might be the problem. — Steffen Ullrich, Sep 17 '16 at 10:12
10x for remark @SteffenUllrich. May be I have to say that the certificate minimum version is TSL 1.0, I am not expert. For the configuration you are right - I will add analysis. — new2ios, Sep 17 '16 at 10:22

Ketan Parmar · Answer 1 · 2016-09-17T11:18:22.323

NSAppTransportSecurity NSAllowsArbitraryLoads

add this key - values in your info.plist, this means it will allow all kind of load. If you have specific domain then you should add that specific domain in info.plist.

Update :

If you need secure connection then you should manage your info.plist like,

     <key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
<dict>
    <key>yourdomain.com</key>
    <dict>
        <!--Include to allow subdomains-->
        <key>NSIncludesSubdomains</key>
        <true/>
        <!--Include to allow HTTP requests-->
        <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
        <true/>
        <!--Include to specify minimum TLS version-->
        <key>NSTemporaryExceptionMinimumTLSVersion</key>
        <string>TLSv1.1</string>
    </dict>
</dict>

or you should use webservice which have ssl integrated!

I think I already described that :), @Lion. I will not allow `NSAllowsArbitraryLoads`, because I need secure connection. — new2ios, Sep 17 '16 at 10:52

score 1 · Answer 2 · answered Oct 03 '16 at 11:38

1

Use ATS diagnostics mode in nscurl to get suggested content of ATS dictionary:

nscurl --ats-diagnostics https://yourdomain.com --verbose

answered Oct 03 '16 at 11:38

Sergiy Salyuk

325
2
7

score 0 · Answer 3 · edited May 23 '17 at 12:16

0

I found temporary workaround, but I will continue the investigation of TSL certificate configuration.

I added the URL for our service to ATS exceptions (more info here). Then I have to find out that ATS configuration is changed in iOS 10 and exception must be written as TSLv1.0 instead of 1.0 (I used exception example for other site and inside it was 1.0) - 10x to this answer.

edited May 23 '17 at 12:16

Community

1
1

answered Sep 17 '16 at 10:35

new2ios

1,350
2
25
56

I have iOS 10 TSL issue ("Security Error: -9801"). How to fix?

3 Answers3

Linked