I'm getting an error when calling an HTTPS service from Xcode using Swift and I don't understand why. The URLs I'm using are HTTPS URLs and the service calls work fine, but I have to have the setting "Allow Arbitrary Loads" set to YES in order for the service calls to work. If I don't have that setting on then the service calls fail with the following:

```
2018-10-31 09:56:57.362568+0200 APPNAME[1691:69141] [BoringSSL] boringssl_context_alert_callback_handler(3747) [C1.1:2][0x7fcb6171e660] Alert level: fatal, description: protocol version
2018-10-31 09:56:57.362750+0200 APPNAME[1691:69141] [BoringSSL] boringssl_context_error_print(3699) boringssl ctx 0x600000a87ea0: 140511489945352:error:100000f0:SSL routines:OPENSSL_internal:UNSUPPORTED_PROTOCOL:/BuildRoot/Library/Caches/com.apple.xbs/Sources/boringssl_Sim/boringssl-109.202.1/ssl/handshake_client.cc:569:
2018-10-31 09:56:57.363026+0200 APPNAME[1691:69141] [BoringSSL] boringssl_context_get_error_code(3540) [C1.1:2][0x7fcb6171e660] SSL_AD_PROTOCOL_VERSION
2018-10-31 09:56:57.369545+0200 APPNAME[1691:69141] TIC TCP Conn Failed [1:0x600003d95c80]: 3:-9836 Err(-9836)
2018-10-31 09:56:57.375719+0200 APPNAME[1691:69141] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9836)
2018-10-31 09:56:57.375903+0200 APPNAME[1691:69141] Task .<1> HTTP load failed (error code: -1200 [3:-9836])
2018-10-31 09:56:57.376267+0200 APPNAME[1691:69140] Task .<1> finished with error - code: -1200
error calling GET on /todos/1 Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9836, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x6000006c8030 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9836, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9836}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://MYURL, NSErrorFailingURLStringKey=https:/MYURL, _kCFStreamErrorDomainKey=3}
```

I don't understand why I get this error because the URLs work and connect securely without the setting on, so why do I get this when the setting is off and I'm still using HTTPS?

Any assistance would be greatly appreciated.

macmatthew
  • can you provide the url your trying to load ?? – MhmdRizk Oct 31 '18 at 10:49
  • It's hosted locally on our domain with a trusted certificate: https:/domain:port/token - the first call is to get the token. As I said it works fine with the setting on but if the setting isn't there I get the error above. – macmatthew Oct 31 '18 at 10:51
  • Try `nscurl --atsdiagnostics --verbose YOUR_URL` to see which parameters ATS thinks you need to set. – Gereon Dec 24 '18 at 15:16
  • I had the same `_kCFStreamErrorCodeKey=-9836`, when connecting to `https://www.yahoo.com`. It had nothing to do with Apple's `ATS`. I was on a corporate network that didn't allow access to `https://www.yahoo.com` via my iOS simulator ( as the simulator inherited all the restrictions of my locked down machine ). Hope that helps someone. – rustyMagnet Jan 14 '20 at 12:09

1 Answer

iOS will block unsecured connections that do not conform to ATS requirements. It can be one of the following:

  • TLS protocol version is not 1.2:

ATS employs the Transport Layer Security (TLS) protocol version 1.2 (RFC 5246).

  • A strong connection cipher:

The connection must use either the AES-128 or AES-256 symmetric cipher. The negotiated TLS connection cipher suite must support perfect forward secrecy (PFS) through Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange, and must be one of the following:

    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  • A strong encryption algorithm of the certificate:

The leaf server certificate must be signed with one of the following types of keys:

    • Rivest-Shamir-Adleman (RSA) key with a length of at least 2048 bits
    • Elliptic-Curve Cryptography (ECC) key with a size of at least 256 bits

In addition, the leaf server certificate hashing algorithm must be Secure Hash Algorithm 2 (SHA-2) with a digest length, sometimes called a "fingerprint," of at least 256 (that is, SHA-256 or greater).

The requirements listed in this section are current as of this document's publication date, with stricter requirements possible in the future. Changes to these requirements will not break app binary compatibility.

  • And of course, HTTPS:

With ATS enabled, HTTP connections must use HTTPS (RFC 2818). Attempts to connect using insecure HTTP fail.

https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html

EdiZ
  • Err, how can one possibly account for this stuff? I, for example, am running self-hosted stuff, and, for example, the fingerprint is SHA-1. So iOS can't connect to that? Completely bonkers. – Ted Mar 19 '19 at 11:45
  • @Ted For that you can disable the ATS for your specific host https://stackoverflow.com/questions/30731785/how-do-i-load-an-http-url-with-app-transport-security-enabled-in-ios-9 – EdiZ Mar 28 '19 at 08:19
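As an added example, not code from the question, the answer or Apple: a small Python checker that takes the protocol version and cipher a server negotiated (plus, optionally, the leaf certificate's key type, key size and signature hash, which the stdlib `ssl` module does not expose, so they are read from `openssl x509 -text` and passed in by hand), reports which of the ATS defaults listed in the answer it fails, and builds the narrowest `NSExceptionDomains` entry for that one host instead of switching on Allow Arbitrary Loads. The host `legacy.example.com` and the sample TLS 1.0 session that mirrors the question's "protocol version" alert are constructed. Two points go beyond the page and are assumptions: that ATS treats TLS 1.3 as satisfying the TLS 1.2 requirement, and that `NSExceptionRequiresForwardSecrecy = NO` admits the `TLS_RSA_WITH_AES_*` suites and nothing weaker.

```python
"""Check a negotiated TLS session against the ATS defaults and build the
narrowest per-domain exception. Added example; not from the question or answer."""
import plistlib
import socket
import ssl

# ATS default cipher suites from the answer, spelled as the OpenSSL names that
# Python's ssl module reports (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 is
# ECDHE-RSA-AES128-GCM-SHA256 to OpenSSL).
ATS_CIPHERS = {
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-SHA384", "ECDHE-ECDSA-AES256-SHA",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES128-SHA",
}
# Protocol names as ssl.SSLSocket.version() returns them, weakest first.
VERSION_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
# Spelling NSExceptionMinimumTLSVersion expects (SSLv3 has no ATS exception).
ATS_VERSION_NAME = {"TLSv1": "TLSv1.0", "TLSv1.1": "TLSv1.1",
                    "TLSv1.2": "TLSv1.2", "TLSv1.3": "TLSv1.3"}
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}          # leaf certificate key sizes
STRONG_HASHES = {"sha256", "sha384", "sha512"}   # SHA-2 with >= 256-bit digest


def ats_violations(version, cipher, key_type=None, key_bits=None, sig_hash=None):
    """Return the ATS default requirements this session fails, as short tags.

    version and cipher come from the handshake; key_type ("RSA" or "EC"),
    key_bits and sig_hash describe the leaf certificate and are optional.
    """
    bad = []
    if VERSION_RANK.get(version, -1) < VERSION_RANK["TLSv1.2"]:
        bad.append("tls_version")   # the question's case: fatal "protocol version" alert
    if version != "TLSv1.3" and cipher not in ATS_CIPHERS:
        # Assumption: TLS 1.3 suites are all AEAD with ephemeral key exchange,
        # so only pre-1.3 suites are checked against the allow-list above.
        if cipher.startswith("AES"):
            bad.append("forward_secrecy")   # AES with static RSA key exchange
        else:
            bad.append("weak_cipher")       # RC4, 3DES, DHE, ... no narrow exception
    if key_type is not None:
        if key_bits is None or key_bits < MIN_KEY_BITS.get(key_type, float("inf")):
            bad.append("cert_key")
    if sig_hash is not None and sig_hash.lower() not in STRONG_HASHES:
        bad.append("cert_hash")
    return bad


def ats_exception(host, version, violations):
    """Narrowest NSExceptionDomains entry that would admit the session, or None
    when no per-domain key fixes it (certificate or non-AES cipher: fix the server)."""
    entry = {}
    if "tls_version" in violations:
        if version not in ATS_VERSION_NAME:
            return None
        entry["NSExceptionMinimumTLSVersion"] = ATS_VERSION_NAME[version]
    if "forward_secrecy" in violations:
        entry["NSExceptionRequiresForwardSecrecy"] = False
    if not entry or {"weak_cipher", "cert_key", "cert_hash"} & set(violations):
        return None
    return {"NSAppTransportSecurity": {"NSExceptionDomains": {host: entry}}}


def probe(host, port=443, timeout=5.0):
    """Negotiate with a live server and return (version, cipher). Needs network,
    so it is only reached from the command line below."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1   # let a legacy server show its real maximum
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        host = sys.argv[1]
        version, cipher = probe(host)
    else:
        # Constructed sample: hypothetical host stuck on TLS 1.0, as in the question.
        host, version, cipher = "legacy.example.com", "TLSv1", "ECDHE-RSA-AES128-SHA"
    found = ats_violations(version, cipher)
    print(host, version, cipher, "ATS violations:", found or "none")
    plist = ats_exception(host, version, found)
    if plist:
        print(plistlib.dumps(plist).decode())
```

Run it with a hostname to probe a live server; without one it evaluates the constructed TLS 1.0 session and prints an `NSExceptionMinimumTLSVersion` entry scoped to that single host, which is the stopgap for the question's failure until TLS 1.2 is enabled on the server. Certificate weaknesses (a 1024-bit key, a SHA-1 signature, as in Ted's comment) deliberately get no entry here: re-issue the certificate rather than widen the exception.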