I'm trying to connect to my server, which has a custom CA root certificate.
I can connect to the server with this code in my custom AFURLSessionManager:
NSSet *certificatesSet = [CryptoProCSP sharedInstance].certsContextSet;
AFSecurityPolicy *securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey withPinnedCertificates:certificatesSet];
securityPolicy.allowInvalidCertificates = true;
securityPolicy.validatesDomainName = false;
self.securityPolicy = securityPolicy;
but I'm getting this error:
[] nw_coretls_read_one_record tls_handshake_process: [-9801]
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)
[Error] POST '(null)' (0) [0.8155 s]: Error Domain=NSURLErrorDomain Code=-1200
"An SSL error has occurred and a secure connection to the server cannot be made."
I've already changed my Info.plist:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
<key>NSExceptionDomains</key>
<dict>
<key>domain.com</key>
<dict>
<key>NSExceptionMinimumTLSVersion</key>
<string>1.2</string>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>
</dict>
</dict>
</dict>
and the server supports TLS v1.2.
I know the problem is different cipher suites; I saw the handshake. But how can I customise my request to use the necessary cipher suites? I'm sending the certificate, but that's not enough. The TLS connection failed because of different cipher suites.
Related
I am displaying a web site in my iOS app (the user's profile) that contains an option to purchase some services. The purchase is done inside the UIWebView by opening a third-party payment page inside an iframe.
When trying to load this payment page, an SSL error is sent to the webView:didFailLoadWithError: delegate method.
The SSL error:
Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9806, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x610000255c90 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSErrorFailingURLStringKey=https://SOME-URL, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFNetworkCFStreamSSLErrorOriginalValue=-9806, _kCFStreamPropertySSLClientCertificateState=0, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., _kCFStreamErrorDomainKey=3, NSErrorFailingURLKey=https://SOME-URL, _kCFStreamErrorCodeKey=-9806}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://SOME-URL, NSErrorFailingURLStringKey=https://SOME-URL, _kCFStreamErrorDomainKey=3}
I have tested this URL in a browser and I see that it uses TLSv1.2, so I don't understand what the problem is.
The same iframe works as expected in iOS Safari and in an Android app...
When I disable ATS (NSAppTransportSecurity) in the Info.plist, the payment page is displayed, but I'm afraid that Apple won't allow it in the App Store (and I don't want to do it; it's a payment page and it should be secure).
This is the payment URL:
https://cgmpi.creditguard.co.il/CGMPI_Server/PerformTransaction?txId=a51270b0-9cb5-43aa-83cc-1cb0abe08691
I would put an exception for the web views, the domain and the TLS version in the Info.plist to make sure that the ATS layer won't block any connection.
Something like this:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoadsInWebContent</key>
<true/>
<key>NSExceptionDomains</key>
<dict>
<key>creditguard.co.il</key>
<dict>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSExceptionMinimumTLSVersion</key>
<string>TLSv1.2</string>
</dict>
</dict>
</dict>
I am working on a mobile app built in Cordova which uses a REST API. The app works well in itself, but I have a Share Extension built with Xcode for which I get this error for an API call:
Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9824, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fe888624290 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9824, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9824}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://www.example.com/, NSErrorFailingURLStringKey=https://www.example.com/, _kCFStreamErrorDomainKey=3}
I have this in the Info.plist:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>www.example.com</key>
<dict>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>
<key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
<false/>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSExceptionMinimumTLSVersion</key>
<string>TLSv1.0</string>
<key>NSRequiresCertificateTransparency</key>
<false/>
</dict>
</dict>
</dict>
Your server's SSL is probably not secure or not correctly installed.
You should check whether it is correctly installed with some of the available web services out there.
It can also be that your SSL certificate is self-signed and simply not trusted by iOS.
First, test your server with:
/usr/bin/nscurl --ats-diagnostics www.mydomain.com
You said your main app is working well, so the issue may be in your extension's plist.
Did you add the same ATS entry in your extension's plist?
I've got an iOS app which uses SSL/HTTPS to communicate with a server. The server is providing a certificate that works over TLSv1.2 (the main requirement of App Transport Security). An example URL that demonstrates this (where the TLSv1.2 can be verified by checking the certificate) is https://api.branon.co.uk/checkOnline.
However, the app is throwing errors relating to the App Transport Layer - errors that, when Googled, imply it's because the server isn't working over TLSv1.2. An example error is:
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
and:
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
I even added a bunch of exceptions to the plist file, such as:
<dict>
<key>NSExceptionDomains</key>
<dict>
<key><my top level domain - the app uses a subdomain - allowed below></key>
<dict>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSTemporaryExceptionMinimumTLSVersion</key>
<string>TLSv1.1</string>
</dict>
</dict>
</dict>
</plist>
but this doesn't change the result.
The certificate used is a free certificate issued from StartCom. My nginx config is below (just for reference).
server {
listen [::]:443 ssl;
listen 443 ssl;
ssl on;
ssl_certificate /root/ssl/<domain>.crt;
ssl_certificate_key /root/ssl/server.key;
server_name api.<domain>;
access_log /var/log/nginx/api.access.log;
error_log /var/log/nginx/api.error.log;
location ~ ^/([a-zA-Z]+)$ {
proxy_pass http://127.0.0.1:5000/$1;
}
}
Does anybody have any idea why this is happening?
Thanks!
Update:
Following the results of Paulw11's suggested test (below) running nscurl, I decided just to try disabling App Transport Security entirely. I changed the App Transport Security dictionary in my plist to the below:
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
and am still getting the same error! So if it's not App Transport Security, what could be causing this? That error I'm getting again is:
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
The server does not provide a complete certificate chain in its SSL/TLS handshake. While some clients can handle this and build out a trust chain, others cannot.
You can find the missing intermediate certificate via https://whatsmychaincert.com/?api.branon.co.uk and serve it along with your site's certificate in your SSL configuration in nginx.
Do remember to remove any ATS exceptions that you may have put in place!
The format of the keys I use to allow older versions of TLS (for amazonaws, for example) looks like this:
<key>NSIncludesSubdomains</key>
<string>NO</string>
<key>NSThirdPartyExceptionMinimumTLSVersion</key>
<string>TLSv1.1</string>
<key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
<string>NO</string>
The rest of the structure looks the same. At one point, we had this at the root level.
<key>NSExceptionMinimumTLSVersion</key>
<string>TLSv1.0</string>
I'm testing an app in iOS 9 and getting SSL errors with ATS loading images from amazon.com. All my stuff is being delivered over HTTPS but I'm still having issues.
I've added the correct ATS keys (worked on another app).
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>amazonaws.com</key>
<dict>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>
<key>NSIncludesSubdomains</key>
<true/>
</dict>
</dict>
</dict>
I've been all over the forums, ADC, and SO and I'm not having any luck.
I've tried removing ATS entirely, and I still get the same error.
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
Error:
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, NSErrorPeerCertificateChainKey={type = immutable, count = 3, values = (
0 :
1 :
2 :
)}, NSUnderlyingError=0x7ffe70e2c690 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSErrorFailingURLStringKey=https://redacted.s3.amazonaws.com/14B78421-84F1-48D1-A8F4-73B688102EE7-21502-00003598C1B6C883_thumbnail.jpg, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, kCFStreamPropertySSLPeerCertificates={type = immutable, count = 3, values = (
0 :
1 :
2 :
)}, _kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., _kCFStreamErrorDomainKey=3, NSErrorFailingURLKey=https://redacted.s3.amazonaws.com/14B78421-84F1-48D1-A8F4-73B688102EE7-21502-00003598C1B6C883_thumbnail.jpg, _kCFStreamErrorCodeKey=-9802}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://redacted.s3.amazonaws.com/14B78421-84F1-48D1-A8F4-73B688102EE7-21502-00003598C1B6C883_thumbnail.jpg, NSErrorFailingURLStringKey=https://redacted.s3.amazonaws.com/14B78421-84F1-48D1-A8F4-73B688102EE7-21502-00003598C1B6C883_thumbnail.jpg, NSErrorClientCertificateStateKey=0}
Static files: AWS Amazon
Host: Heroku
Backend: Django
APIs: Django Rest Framework
I've tried every configuration I could find on ATS, cleaned/reset/rebuilt, modified the Django requests (originally they included querystring authentication), etc. I'm stumped on this and blocked.
After I did a substring replace on the https links, I got messages saying ATS was blocking them. I knew I had the correct keys in the Info.plist, so I figured it had to be another Info.plist somewhere.
It turns out that there was an Info.plist in the resources but it wasn't doing anything. We had to add the ATS keys to the Info tab on the Target panel. Not 100% sure what the difference is between these two, as I've always edited the Info.plist in the past.
I had to add amazonaws.com to the Info.plist like you did and to use SDWebImageAllowInvalidSSLCertificates as an option for the sd_setImageWithURL: method to get it working.
I'm trying to call a public API with a valid wildcard SSL certificate (bought), but the connection fails with this error:
Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “api.mydomain.com” which could put your confidential information at risk." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9813, NSErrorPeerCertificateChainKey={type = immutable, count = 1, values = (
0 :
The wildcard certificate covers all subdomains: *.mydomain.com
The host that I'm trying to connect to is: api.mydomain.com
I tried to add an exception to App Transport Security, but it didn't work:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
<key>NSExceptionDomains</key>
<dict>
<key>mydomain.com</key>
<dict>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSIncludesSubdomains</key>
<true/>
</dict>
</dict>
</dict>
How can I fix the problem?
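A recurring theme in the posts above is that ATS exceptions get added even though the error (-9813, -9802) comes from certificate trust evaluation, which no ATS key touches. This added Python helper (not code from any of the posts) parses an Info.plist and reports which ATS requirements apply to a host, using the last post's NSAppTransportSecurity dictionary as constructed sample input; it shows that the exception for mydomain.com already covers api.mydomain.com, so the -9813 error has to be fixed on the server side, not in the plist.

```python
import plistlib

# Constructed sample: the NSAppTransportSecurity dictionary from the last post above,
# wrapped in a complete Info.plist so plistlib can parse it.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>NSAppTransportSecurity</key>
<dict>
  <key>NSAllowsArbitraryLoads</key><true/>
  <key>NSExceptionDomains</key>
  <dict>
    <key>mydomain.com</key>
    <dict>
      <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
      <key>NSIncludesSubdomains</key><true/>
    </dict>
  </dict>
</dict>
</dict></plist>"""

# The three key prefixes that appear in the posts above; NSException* is the current spelling,
# the other two are older aliases, so we accept all three for the same setting.
PREFIXES = ("NSException", "NSThirdPartyException", "NSTemporaryException")

def _domain_entry(ats, host):
    """Return (domain, settings) for the NSExceptionDomains entry covering host, or None."""
    host = host.lower().rstrip(".")
    for domain, settings in ats.get("NSExceptionDomains", {}).items():
        d = domain.lower()
        # plist booleans must be <true/>/<false/>; a <string> value is deliberately not honoured
        if host == d or (settings.get("NSIncludesSubdomains") is True and host.endswith("." + d)):
            return domain, settings
    return None

def _setting(settings, suffix, default):
    for prefix in PREFIXES:
        if prefix + suffix in settings:
            return settings[prefix + suffix]
    return default

def ats_policy(plist_bytes, host):
    """Work out what ATS will demand of a connection to host under this Info.plist."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    entry = _domain_entry(ats, host)
    if entry is not None:  # a per-domain entry takes precedence over NSAllowsArbitraryLoads
        domain, s = entry
        return {"source": domain,
                "allows_http": _setting(s, "AllowsInsecureHTTPLoads", False) is True,
                "min_tls": _setting(s, "MinimumTLSVersion", "TLSv1.2"),
                "forward_secrecy": _setting(s, "RequiresForwardSecrecy", True) is True}
    if ats.get("NSAllowsArbitraryLoads") is True:  # every other host is unrestricted by ATS
        return {"source": "NSAllowsArbitraryLoads", "allows_http": True, "min_tls": None, "forward_secrecy": False}
    return {"source": "default", "allows_http": False, "min_tls": "TLSv1.2", "forward_secrecy": True}
```

Whatever the result, ATS only gates the connection parameters; the certificate chain is still evaluated by the system trust store, which is why the posts that disabled ATS entirely kept seeing the same error.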