Different behaviour of NSAllowsArbitraryLoadsInWebContent in iOS 10.1 and 10.2

When loading a certain URL in UIWebView on iOS 10.1, it fails with:
Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made"
However, the same web view loads fine on iOS 10.2.
I can load the URL on both 10.1 and 10.2 if I use NSAllowsArbitraryLoads = YES, but only on 10.2 with NSAllowsArbitraryLoadsInWebContent = YES.
I tested the URL with nscurl --ats-diagnostics and it passes all tests.
I think that the issue may have something to do with an IP location validation within the web page.
Are there differences between 10.1 and 10.2 in the handling of App Transport Security settings? Are these documented?
---- Edit -----
I managed to resolve my issue by looking at the error in didFailLoadWithError. This told me exactly which URL was causing the failure. I added this URL to my Exception Domains with NSExceptionRequiresForwardSecrecy=NO (determined using the ATS diagnostics).
This fixed my problem, but I would still like to understand the differences between the two versions, 10.1 and 10.2.

Yes, earlier versions of iOS 10 did still enforce the forward secrecy requirement of App Transport Security in web views even with the NSAllowsArbitraryLoadsInWebContent key. That was a bug that was fixed by Apple. The problem is that earlier versions of iOS shipped with the bug, so you must be able to handle it, which isn't always possible if you don't know all the possible URLs that your web view could navigate to. This may be part of the reason that Apple has extended their deadline for enabling App Transport Security in all apps submitted to the App Store.

Related

Swift Realm - ATS failed system trust

I am upgrading a project from Swift 3 to Swift 5. The project uses Realm for an internal database, but every time I launch the app in the simulator I get the following errors in the console:
ATS failed system trust
Connection 2: system TLS Trust evaluation failed(-9802)
I'm pretty sure this is a Realm issue, as the app doesn't try to make any other external connections. When running on an older version of Xcode (8), it all works fine without errors. I'm currently testing on Xcode 10.3 and 11 (beta) and using Realm 3.17.3.
Any help would be appreciated.
This error is only produced in the simulator. When running on an actual device, no errors get logged.

iOS 11 Beta - NSURLErrorDomain - code: 18446744073709550617

When running my app on iOS 11 beta 5 built with Xcode 9 I see this error from several of our network calls.
"NSURLError * domain: #“NSURLErrorDomain” - code: 18446744073709550617"
I've never come across this error before and we haven't made any change to the app currently. For networking, we are using AFNetworking v2.5.
So it turns out it was SSL related. Eventually what I did was add an exception for the domain in Info.plist, and I was able to get a reasonable error that said there was an SSL issue. Investigating that showed our cert was weakly signed. We replaced it, which resolved the issue.

NSURLSession/NSURLConnection HTTP load failed and other AdMob warnings for iOS 9

I have an existing app in the App Store that supports both iOS 7 and 8 (though I'll be dropping iOS 7 support shortly).
My latest version of the app has brought both IADs and AdMobs (where AdMobs act as a failover from IADS). With the upcoming launch of iOS 9, and the recent craze of Google requiring the removal of SSL (http://googleadsdeveloper.blogspot.ch/2015/08/handling-app-transport-security-in-ios-9.html
HTTPS request in iOS 9 : NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)), from a beginner's point of view, I'd like to ask about some warnings I'm getting with my app running in Xcode 7 beta 5.
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
There's this link that I came across as well http://timekl.com/blog/2015/08/21/shipping-an-app-with-app-transport-security/?utm_campaign=iOS%2BDev%2BWeekly&utm_medium=email&utm_source=iOS_Dev_Weekly_Issue_213
So, what exactly do I need to do to remove this warning from the console when running my app on iOS 9?
I've come across one list that talks about disabling bitcode in Xcode, but firstly I don't understand what disabling that does, and also, is that required for this? What does ENABLE_BITCODE do in Xcode 7?
Any thoughts on this would be really appreciated.
Read this App Transport Security Technote
Chances are, you'll have to set the NSAllowsArbitraryLoads to YES globally for now, because you aren't in control over what servers your ads come from.
Add the syntax below to your app's Info.plist. It works for me.
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>
Because you are calling a server which has a self-signed certificate, you have to bypass it.
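An added example, not part of any of the posts above: a small audit that lists every ATS relaxation in an Info.plist, run over the global NSAllowsArbitraryLoads switch from the last answer and over the scoped per-domain exception described in the first question. The function name `audit_ats`, the sample plists and the domain `legacy.example.com` are constructed for illustration.

```python
import plistlib

# Constructed Info.plist samples (hypothetical app, placeholder domain).
GLOBAL_BYPASS = b"""<plist version="1.0"><dict>
<key>NSAppTransportSecurity</key><dict>
  <key>NSAllowsArbitraryLoads</key><true/>
</dict></dict></plist>"""

SCOPED_EXCEPTION = b"""<plist version="1.0"><dict>
<key>NSAppTransportSecurity</key><dict>
  <key>NSAllowsArbitraryLoadsInWebContent</key><true/>
  <key>NSExceptionDomains</key><dict>
    <key>legacy.example.com</key><dict>
      <key>NSExceptionRequiresForwardSecrecy</key><false/>
    </dict>
  </dict>
</dict></dict></plist>"""

# App-wide switches that turn ATS off when set to true.
GLOBAL_KEYS = ("NSAllowsArbitraryLoads", "NSAllowsArbitraryLoadsInWebContent")
# Per-domain keys mapped to the value that weakens ATS for that domain.
DOMAIN_KEYS = {
    "NSExceptionAllowsInsecureHTTPLoads": True,
    "NSExceptionRequiresForwardSecrecy": False,
}
WEAK_TLS = {"TLSv1.0", "TLSv1.1"}  # values of NSExceptionMinimumTLSVersion


def audit_ats(plist_bytes):
    """Return (scope, key) pairs for every ATS relaxation in an Info.plist."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = [("*", k) for k in GLOBAL_KEYS if ats.get(k) is True]
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        for key, weak_value in DOMAIN_KEYS.items():
            if cfg.get(key) is weak_value:
                findings.append((domain, key))
        if cfg.get("NSExceptionMinimumTLSVersion") in WEAK_TLS:
            findings.append((domain, "NSExceptionMinimumTLSVersion"))
    return findings


if __name__ == "__main__":
    for name, sample in (("global", GLOBAL_BYPASS), ("scoped", SCOPED_EXCEPTION)):
        print(name, audit_ats(sample))
```

A scope of `*` means the relaxation applies to every host the app contacts, while a domain scope limits it to that one host.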

iOS 8.4 CFNetwork SSLHandshake failed (-9850)

My code for the SSL handshake fails since I updated Xcode to 6.4 (and the simulator to iOS 8.4). The error is: CFNetwork SSLHandshake failed (-9850)
The same code performs the SSL handshake successfully on the iOS 8.3 simulator (I've also tried the iOS 8.3 simulator from Xcode 6.4 and it handshakes well).
Here's the piece of code that configures and starts the handshake. I'm using Swift.
self.socket.startTLS([kCFStreamSSLLevel:kCFStreamSocketSecurityLevelTLSv1,
                      kCFStreamSSLValidatesCertificateChain:kCFBooleanFalse])
I was trying to figure this out the whole day and I couldn't even find out what the error code -9850 means. It isn't listed with all the other codes in the SecureTransport.h file.
Update1:
I found out that Apple introduced App Transport Security, which means that you can declare domains you want to establish a secure connection to. Anyway, I tried with ATS but without any success. The -9850 error is still causing problems.
Update 2 - Solution
As Michal and Steven suggested in their answers, I started to suspect that the main issue was on the server side, which ended up being true.
I talked with the guy who implemented the server, and all problems were gone after he generated new SSL certificates of length 2048. Before that they were 512. With the new certificates, the code on my side works perfectly fine.
-9850 appears in the SecureTransport.h header buried inside the iOS 9 SDK:
errSSLWeakPeerEphemeralDHKey = -9850, /* weak ephemeral dh key */
It sounds like Michal is on the right track. A more general search for this problem led me to http://www.chromium.org/administrators/err_ssl_weak_server_ephemeral_dh_key:
As of Chrome 45, this error message is triggered if the SSL/TLS handshake attempts to use a public key, smaller than 1024 bits, for ephemeral Diffie-Hellman key agreement.
I'm not saying that iOS 9 imposes exactly the same requirements as Chrome, but I'd start looking at the server configuration and if you can increase the key size it uses for the SSL handshake.
I believe it has something to do with coreTLS:
Description: coreTLS accepted short ephemeral Diffie-Hellman (DH) keys, as used in export-strength ephemeral DH cipher suites. This issue, also known as Logjam, allowed an attacker with a privileged network position to downgrade security to 512-bit DH if the server supported an export-strength ephemeral DH cipher suite. The issue was addressed by increasing the default minimum size allowed for DH ephemeral keys to 768 bits.
From what I can tell from your code, I guess you're using GCDAsyncSocket. It has been updated 10 months ago, so it definitely does not reflect this issue.
When I get CFNetwork SSLHandshake failed -(*), it's because my device is connected to the network but not the internet.
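An added example, not part of the thread above: reading the ephemeral DH prime size out of a TLS ServerKeyExchange handshake message (DHE suites, TLS 1.2 and earlier) and comparing it with the two minimums quoted in the answers, 768 bits for coreTLS and 1024 bits for Chrome 45. The function names are hypothetical, and the sample messages are constructed with a `dh_p` of the right size only, not a real prime.

```python
import struct

# Minimum ephemeral DH sizes quoted in the thread above.
MINIMUMS = {"coreTLS (768)": 768, "Chrome 45 (1024)": 1024}


def dh_prime_bits(handshake: bytes) -> int:
    """Bit length of dh_p in a DHE ServerKeyExchange handshake message."""
    if len(handshake) < 4 or handshake[0] != 12:  # 12 = server_key_exchange
        raise ValueError("not a ServerKeyExchange message")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) != body_len or body_len < 2:
        raise ValueError("truncated message body")
    # ServerDHParams begins with dh_p, prefixed by a 2-byte length.
    (p_len,) = struct.unpack_from(">H", body, 0)
    p = body[2:2 + p_len]
    if p_len == 0 or len(p) != p_len:
        raise ValueError("truncated dh_p")
    return int.from_bytes(p, "big").bit_length()


def failed_minimums(bits: int) -> list:
    """Names of the quoted minimums that a prime of this size falls below."""
    return [name for name, floor in MINIMUMS.items() if bits < floor]


def build_sample(p_bits: int) -> bytes:
    """Constructed message: dh_p has the requested size but is not a real prime."""
    p = ((1 << (p_bits - 1)) | 1).to_bytes((p_bits + 7) // 8, "big")
    fields = (p, b"\x02", b"\x01" * len(p))  # dh_p, dh_g, dh_Ys
    body = b"".join(struct.pack(">H", len(f)) + f for f in fields)
    return bytes([12]) + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    for size in (512, 768, 2048):
        bits = dh_prime_bits(build_sample(size))
        print(size, bits, failed_minimums(bits) or "meets both minimums")
```

The parser expects the handshake message itself, with the TLS record header already stripped, and ignores the signature that follows the DH parameters in a real message.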

NSURLConnectionLoader exception with OS X but working with iOS

I'm using the same Xcode project to build the same app on iOS and OS X. I'm new as an OS X developer.
For this application I'm sharing code to send HTTPS requests to a server using NSURLConnection. It works perfectly well with iOS, but with OS X I have some troubles.
In OS X, when the request is sent I get an exception in NSURLConnectionLoader (see screenshot) that never happens in iOS. In Xcode, if I click "Continue" many times in the debugger, the request is sent and I receive the response from the server correctly.
Once the first request has been sent, the following requests are sent without error! I have no idea how to progress on this issue.
Any idea is welcome! I was wondering if it could be due to an issue with entitlements and/or a conflict with the iOS app, because it's managed in the same Xcode project.
Regards,
Sébastien.
This can happen on OSX if you have an All Exceptions Breakpoint set for the project. For some reason any HTTPS address will throw an internal exception that will cause this. If you remove the breakpoint it should resolve your issue.
If you run rather than debug, does it just work?
