16

I have an app that works fine on iOS 9 and 10.0 (I have added the App Transport Security blocking with “Allow Arbitrary Loads = YES” to my Info.plist). But after upgrading to 10.1 and Xcode 8.1 there seems to be a problem with App Transport Security. I cannot connect to the server. My server only supports up to TLS 1.1.

It shows this error:

```
Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.
```

Maybe iOS 10.1 ignores the .plist info. (Note that on 9.3 through 10.0 it is still working fine.)

My .plist file

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleDevelopmentRegion</key>
    <string>en</string>
    <key>CFBundleDisplayName</key>
    <string>SingPost</string>
    <key>CFBundleExecutable</key>
    <string>${EXECUTABLE_NAME}</string>
    <key>CFBundleIdentifier</key>
    <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
    <key>CFBundleInfoDictionaryVersion</key>
    <string>6.0</string>
    <key>CFBundleName</key>
    <string>${PRODUCT_NAME}</string>
    <key>CFBundlePackageType</key>
    <string>APPL</string>
    <key>CFBundleShortVersionString</key>
    <string>1.8.7</string>
    <key>CFBundleSignature</key>
    <string>????</string>
    <key>CFBundleURLTypes</key>
    <array>
        <dict>
            <key>CFBundleURLSchemes</key>
            <array>
                <string>fb1540614276180366</string>
            </array>
            <key>Item 0</key>
            <string>fb1540614276180366</string>
        </dict>
    </array>
    <key>CFBundleVersion</key>
    <string>1.8.7</string>
    <key>FacebookAppID</key>
    <string>1540614276180366</string>
    <key>FacebookDisplayName</key>
    <string>Singpost</string>
    <key>LSRequiresIPhoneOS</key>
    <true/>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <true/>
        <key>NSAllowsArbitraryLoadsInWebContent</key>
        <true/>
        <key>NSExceptionDomains</key>
        <dict>
            <key>prdesb1.singpost.com</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSTemporaryExceptionMinimumTLSVersion</key>
                <string>TLSv1.1</string>
                <key>NSTemporaryExceptionRequiresForwardSecrecy</key>
                <false/>
            </dict>
            <key>mobile.singpost.com</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSTemporaryExceptionMinimumTLSVersion</key>
                <string>TLSv1.1</string>
                <key>NSTemporaryExceptionRequiresForwardSecrecy</key>
                <false/>
            </dict>
        </dict>
    </dict>
    <key>NSCameraUsageDescription</key>
    <string>$(PRODUCT_NAME) camera use</string>
    <key>NSLocationAlwaysUsageDescription</key>
    <string>    </string>
    <key>NSLocationWhenInUseUsageDescription</key>
    <string>    </string>
    <key>NSPhotoLibraryUsageDescription</key>
    <string>$(PRODUCT_NAME) uses photos</string>
    <key>UIAppFonts</key>
    <array>
        <string>OpenSans-Regular.ttf</string>
        <string>OpenSans-Bold.ttf</string>
        <string>OpenSans-Semibold.ttf</string>
        <string>OpenSans-Light.ttf</string>
        <string>OpenSans-LightItalic.ttf</string>
    </array>
    <key>UIBackgroundModes</key>
    <array>
        <string>remote-notification</string>
    </array>
    <key>UIRequiredDeviceCapabilities</key>
    <array>
        <string>armv7</string>
    </array>
    <key>UIRequiresFullScreen</key>
    <true/>
    <key>UISupportedInterfaceOrientations</key>
    <array>
        <string>UIInterfaceOrientationPortrait</string>
    </array>
    <key>UISupportedInterfaceOrientations~ipad</key>
    <array>
        <string>UIInterfaceOrientationPortrait</string>
    </array>
</dict>
</plist>
```

I fixed it by adding exception domains, but I have this error in the console:

```
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
```

Edit from suggestion: I changed my plist to

```xml
            <key>mobile.singpost.com</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSExceptionMinimumTLSVersion</key>
                <string>TLSv1.1</string>
                <key>NSExceptionRequiresForwardSecrecy</key>
                <false/>
            </dict>
            <key>mysam.sg</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSExceptionMinimumTLSVersion</key>
                <string>TLSv1.1</string>
                <key>NSExceptionRequiresForwardSecrecy</key>
                <false/>
            </dict>
```
halfer
Lê Khánh Vinh
  • What version of Xcode were you building with before 8.1? Can you show your Info.plist settings? – wottle Nov 10 '16 at 03:02
  • I'm using Xcode 8. I'm fixing it by adding Exception Domains, but in the console I get this error: NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802) – Lê Khánh Vinh Nov 10 '16 at 03:09
  • I'm using Xcode 8.1, iOS 10.1. I'm fixing it by adding Exception Domains, but in the console I get this error: NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802) – Lê Khánh Vinh Nov 10 '16 at 03:23
  • Which URL is it specifically complaining about? Use the nscurl command to check what about the URL is failing the SSL handshake: `nscurl --ats-diagnostics https://www.domain.com`. My guess is that it is less about not satisfying the ATS requirements, but more about a certificate trust issue. Disabling ATS does not allow you to connect to secure web servers where the cert has problems. Disabling ATS will, however, allow you to connect to servers using SSL that does not use the latest versions / standards / key strength. It doesn't answer how this was able to work before though. – wottle Nov 10 '16 at 19:16
  • Also, are you accessing these resources in a UIWebView? Through an NSUrlConnection? – wottle Nov 10 '16 at 19:17
  • Hi this is my cur log: https://docs.google.com/document/d/16APWQippnSNr0_BWqDQd36kzRA6IpbsLSHKIt0xgEFY/edit?usp=sharing – Lê Khánh Vinh Nov 10 '16 at 19:22
  • I'm connecting using URLSession (AFNetworking 3) – Lê Khánh Vinh Nov 10 '16 at 19:23
  • Your exception for that domain seems correct. Are you sure that is the server you are receiving the error for? – wottle Nov 10 '16 at 19:45
  • Hi. Yes, that is the server we use. I constantly get this error: NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802) – Lê Khánh Vinh Nov 10 '16 at 19:48
  • And you are sure the exact same build is running on the iOS 10.0 devices as the 10.1? There is something else at play here because ATS exceptions are still working properly on our 10.1 devices. We have different exceptions, though. I would open a radar with Apple. – wottle Nov 10 '16 at 21:55

1 Answer

20

By specifying NSAllowsArbitraryLoadsInWebContent, you are overriding NSAllowsArbitraryLoads on iOS 10.

In iOS 10 and later, and macOS 10.12 and later, the value of [the NSAllowsArbitraryLoads] key is ignored if any of the following keys are present in your app’s Info.plist file:

  • NSAllowsArbitraryLoadsForMedia
  • NSAllowsArbitraryLoadsInWebContent
  • NSAllowsLocalNetworking

Source: App Transport Security dictionary primary keys (Apple)

Additionally, the NSExceptionDomain dictionaries you have provided don't seem to match the current documented format. Specifically, the keys don't match:

  • NSTemporaryExceptionAllowsInsecureHTTPLoads should be NSExceptionAllowsInsecureHTTPLoads

  • NSTemporaryExceptionMinimumTLSVersion should be NSExceptionMinimumTLSVersion

  • NSTemporaryExceptionRequiresForwardSecrecy should be NSExceptionRequiresForwardSecrecy

Community
breakingobstacles
  • Thanks a lot. I changed my .plist in the edited question. Should that be OK, or do we have to include other plist settings for the server connection? (My server only supports TLS 1.1) – Lê Khánh Vinh Nov 16 '16 at 04:21
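
The two problems named in the answer above can be checked mechanically before a build ships. The following is an added example, not code from the original thread or from Apple: a small Python linter (the function name `lint_ats` and the trimmed sample plist are constructed for illustration) that reports when `NSAllowsArbitraryLoads` is overridden by one of the three keys quoted from the documentation, and when an exception domain still uses the old `NSTemporaryException*` key names.

```python
import plistlib

# Keys that, per the Apple documentation quoted in the answer, cause
# NSAllowsArbitraryLoads to be ignored on iOS 10+ / macOS 10.12+.
OVERRIDING_KEYS = (
    "NSAllowsArbitraryLoadsForMedia",
    "NSAllowsArbitraryLoadsInWebContent",
    "NSAllowsLocalNetworking",
)
# Old per-domain key names -> documented names, as listed in the answer.
RENAMED_KEYS = {
    "NSTemporaryExceptionAllowsInsecureHTTPLoads": "NSExceptionAllowsInsecureHTTPLoads",
    "NSTemporaryExceptionMinimumTLSVersion": "NSExceptionMinimumTLSVersion",
    "NSTemporaryExceptionRequiresForwardSecrecy": "NSExceptionRequiresForwardSecrecy",
}

def lint_ats(plist_bytes):
    """Return a list of (scope, message) findings for the ATS dictionary."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    present = [k for k in OVERRIDING_KEYS if k in ats]
    if ats.get("NSAllowsArbitraryLoads") is True and present:
        findings.append(("global", "NSAllowsArbitraryLoads is ignored on iOS 10+ "
                         "because " + ", ".join(present) + " is present"))
    for domain, settings in ats.get("NSExceptionDomains", {}).items():
        for old, new in RENAMED_KEYS.items():
            if old in settings:
                findings.append((domain, f"{old} should be {new}"))
    return findings

# Constructed sample: a trimmed version of the ATS section from the question.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSAllowsArbitraryLoadsInWebContent</key><true/>
    <key>NSExceptionDomains</key><dict>
      <key>mobile.singpost.com</key><dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSTemporaryExceptionMinimumTLSVersion</key><string>TLSv1.1</string>
        <key>NSTemporaryExceptionRequiresForwardSecrecy</key><false/>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

if __name__ == "__main__":
    for scope, message in lint_ats(SAMPLE):
        print(f"[{scope}] {message}")
```

Pointing `lint_ats` at the bytes of a real `Info.plist` in CI gives an early signal that an ATS relaxation a team believes is active is in fact being ignored by the OS.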