I have an issue that appeared recently.
In my code, I load some images from an HTTP server:
let urlPicture = "http://images.mydomain.com/" + self.currentUser.pic
imageView.sd_setImageWithURL(NSURL(string: urlPicture))
I do not use HTTPS for my images server because I guess it would have been too slow, but maybe I'm wrong on this point.
A nodejs server is running in an AWS EC2 instance, and listens on port 80 to manage images.
Due to ATS restrictions, I declare an exception in my Info.plist file for my images subdomain:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>images.mydomain.com</key>
<dict>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSExceptionMinimumTLSVersion</key>
<string>TLSv1.2</string>
<key>NSExceptionRequiresForwardSecrecy</key>
<true/>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSRequiresCertificateTransparency</key>
<false/>
<key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
<false/>
<key>NSThirdPartyExceptionMinimumTLSVersion</key>
<string>TLSv1.2</string>
<key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
<true/>
</dict>
</dict>
</dict>
Recently I added a new subdomain on the same AWS instance: https://api.mydomain.com
Another nodejs server listens on 443 port and manages the API.
Since this change, everything is fine in my app when I call the API, but when I load images I am facing the following issue:
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
Any idea fo fix that?
I found the issue.
It was on server side, the HTTPS server running on the same AWS instance is configured with HSTS:
var ONE_YEAR = 31536000000;
app.use(helmet.hsts({
maxAge: ONE_YEAR,
includeSubdomains: true,
force: true
}));
The variable includeSubdomains set to true forces my other domain images.mydomain.com to use HTTPS protocol while it is a HTTP server.
To solve it, just exclude others domains in HSTS configuration:
var ONE_YEAR = 31536000000;
app.use(helmet.hsts({
maxAge: ONE_YEAR,
includeSubdomains: false,
force: true
}));
Can you add this in plist.
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
Related
I am using Alamofire to connect to a web service. It seems as if the server has an invalid certificate. I would like to have alamofire ignore this invalid cert. I added the following values to my info.plist:
<dict>
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>example.com</key>
<dict>
<key>TemporaryExceptionMinimumTLSVersion</key>
<string>TLSv1.2</string>
<key>ExceptionRequiresForwardSecrecy</key>
<false/>
<key>IncludesSubdomains</key>
<true/>
<key>ExceptionAllowsInsecureHTTPLoads</key>
<true/>
</dict>
</dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
But I am still getting this issue. What else should I do to allow this invalid cert?
UPDATE: Still having same issue.
I added this to my app Info.plist file to opt out of ATS:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
Still getting this error when I try to do a GET request from my http resource (have no control over the server):
App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.
My complete Plist file:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key><true/>
</dict>
<key>CFBundleDevelopmentRegion</key>
<string>en</string>
<key>CFBundleExecutable</key>
<string>$(EXECUTABLE_NAME)</string>
<key>CFBundleIdentifier</key>
<string>com.owlpixel.xxxxx</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundleName</key>
<string>$(PRODUCT_NAME)</string>
<key>CFBundlePackageType</key>
<string>FMWK</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<key>CFBundleSignature</key>
<string>????</string>
<key>CFBundleVersion</key>
<string>$(CURRENT_PROJECT_VERSION)</string>
<key>NSPrincipalClass</key>
<string></string>
</dict>
</plist>
ATS should be disabled, why does it still block me? any ideas?
You should give following code in your plist.
NSAllowArbitraryLoads boolean yes
SOURCE for question is below
Transport security has blocked a cleartext HTTP
Try to find if there are a lot of .plist files in you Xcode project (or Workspace).
I had the same problem and it was resolved by finding all Info.plist files in my Workspace and adding NSAppTransportSecurity logic to responsible for external (http://) calls .plist file.
Heyy, I have spent the last day or so racking my brain trying and failing to disable the ATS, I know it is deemed bad too, but I am currently only working on the app internally. I have tried many suggestions online to no avail, latest try below of info.plist. I am lost as to what to do?
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleDevelopmentRegion</key>
<string>en</string>
<key>CFBundleExecutable</key>
<string>$(EXECUTABLE_NAME)</string>
<key>CFBundleIdentifier</key>
<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundleName</key>
<string>$(PRODUCT_NAME)</string>
<key>CFBundlePackageType</key>
<string>BNDL</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<key>CFBundleSignature</key>
<string>????</string>
<key>CFBundleVersion</key>
<string>1</string>
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>localhost</key>
<dict>
<!--Include to allow subdomains-->
<key>NSIncludesSubdomains</key>
<true/>
<!--Include to allow HTTP requests-->
<key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
<true/>
<!--Include to specify minimum TLS version-->
<key>NSTemporaryExceptionMinimumTLSVersion</key>
<string>TLSv1.1</string>
</dict>
</dict>
</dict>
</dict>
</plist>
Debug console eror print
error=Optional(Error Domain=NSURLErrorDomain Code=-1022 "The resource
could not be loaded because the App Transport Security policy requires
the use of a secure connection."
UserInfo={NSUnderlyingError=0x7f9670e85620 {Error
Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"},
NSErrorFailingURLStringKey=http://localhost/sfc/manualorder.php,
NSErrorFailingURLKey=http://localhost/sfc/manualorder.php,
NSLocalizedDescription=The resource could not be loaded because the
App Transport Security policy requires the use of a secure
connection.})
If you want to disable ATS, you can just add this to the Info.plist
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
And when you're finished working on your app, you can re enable it and go granular with whitelisting your domains.
Like this, the first includes all subdomains and the second does not:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>maindomain.com</key>
<dict>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
<true/>
</dict>
<key>other.domain.net</key>
<dict>
<key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
<true/>
</dict>
</dict>
</dict>
One added step that you may require if you're testing on simulator, is to both clean the project and reset the content and settings of the simulator, then build and run again.
I'm trying to install a beta app to an iOS device and am hosting the manifest.plist and IPA file on HTTPS with a self-signed certificate. When I hit the itms-services:// link, I get an error of "Cannot connect to <ip address>".
itms-services link:
itms-services://?action=download-manifest&url=https://10.0.1.2:1338/ipa/manifest.plist
plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>items</key>
<array>
<dict>
<key>assets</key>
<array>
<dict>
<key>kind</key>
<string>software-package</string>
<key>url</key>
<string>https://10.0.1.2:1338/ipa/test.ipa</string>
</dict>
</array>
<key>metadata</key>
<dict>
<key>bundle-identifier</key>
<string>com.company.test</string>
<key>bundle-version</key>
<string>1.0</string>
<key>kind</key>
<string>software</string>
<key>title</key>
<string>test</string>
</dict>
</dict>
</array>
</dict>
</plist>
Try adding your certificate to the trusted ones (probably, easiest thing to do is to mail a cer file to device and open it from standard mail app to install).
Another thing you need to make sure is that your server supports TLS 1.2 and Forward Secrecy.
You can use nscurl --ats-diagnostics https://example.com/app.ipa to check if everything done right.
Its possible:
Create the certificate file (export as DER encode X.509)
Access file from device via HTTP (like the manifest.plist in your example)
Agree to install it in device
Turn it on: https://support.apple.com/en-au/HT204477
I have a application run as a daemon. I put the application plist under under /Library/LaunchDaemons on iOS 8 device, and launch it by executing the command
launchctl load /Library/LaunchDaemons/com.mycompany.testapp.plist
In my laumchd plist Note that the application is running as a daemon by executing the command
I would like to make this application restart only when it is crash or is killed. If I intentionally exit it with code 0, I don't want it to restart. I've tried the below configuration. This does work on iOS 7, but do NOT work on iOS 8.
<key>KeepAlive</key>
<dict>
<key>SuccessfulExit</key>
<true/>
</dict>
Thus I tried adding another key StartInterval which's set as 10.
<key>StartInterval</key>
<integer>10</integer>
I tested this scenario by exit with code 0 and by kill my application with command kill -9 [PID]. This key makes my application to start again after 10 seconds after being killled. However, I have a concern about the result of this key while my application is running.
Does this key have an affect on the started and running application. I've monitored the log, seem StartInterval key do nothing with the running daemon. However, I'm quite not sure about it. Could you explain more information about it? Thank you very much.
According to this link http://pitaya.ch/documentation/iOS8_0APIDiffs.html all traces to launchd in the headers have disappeared. (search for /usr/include/launch.h, so you see it was removed)
Seems because the moved to new libxpc as base for launchd (see last slide in http://technologeeks.com/docs/launchd.pdf).
Seems like they changed launchd behaviour in iOS 8. Of Apple's own LaunchDaemons (located under /System/Library/LaunchDaemons/) some also have a KeepAlive-property in Dictionary format. If you kill them, they are respawned by launchd instantly.
But after some testing the only way to have KeepAlive-property working, is to add either add LaunchEvents (see slide 21ff in http://technologeeks.com/docs/launchd.pdf) and/or MachServices to the plist or to change the KeepAlive-property to:
<key>KeepAlive</key>
<true/>
But then there is NO way to kill your deamon without launchd respawning it, aside from executing launchctl unload /Library/LaunchDaemons/com.mycompany.testapp.plist.
My working plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Program</key>
<string>/path/to/your/daemon</string>
<key>RunAtLoad</key>
<true/>
<key>Label</key>
<string>com.mycompany.testapp</string>
<key>EnablePressuredExit</key>
<false/>
<key>UserName</key>
<string>root</string>
<key>JetsamProperties</key>
<dict>
<key>JetsamPriority</key>
<integer>-49</integer>
<key>JetsamMemoryLimit</key>
<integer>10000</integer>
</dict>
<key>POSIXSpawnType</key>
<string>Adaptive</string>
<key>Disabled</key>
<false/>
<key>ThrottleInterval</key>
<integer>5</integer>
<key>KeepAlive</key>
<dict>
<key>SuccessfulExit</key>
<false/>
<key>Crashed</key>
<true/>
</dict>
<key>MachServices</key>
<dict>
<key> com.mycompany.testapp.someMachService</key>
<true/>
</dict>
<key>EnableTransactions</key>
<false/>
<key>LaunchEvents</key>
<dict>
<key>com.apple.notifyd.matching</key>
<dict>
<key>SignificantTimeChangeNotification</key>
<dict>
<key>Notification</key>
<string>SignificantTimeChangeNotification</string>
</dict>
<key>SomeMoreNotifications</key>
[...]
</dict>
</dict>
</dict>
</plist>
About the StartInterval-property: Even Apple has this property in addition to the KeepAlive-property for some important daemons (e.g. com.apple.locationd) and they seem running just fine. So I don't think you have to worry...
Use false with SuccessfulExit key.
SuccessfulExit
If true, the job will be restarted as long as the program exits and with an exit status of zero.
If false, the job will be restarted in the inverse condition. This key implies that "RunAtLoad"
is set to true, since the job needs to run at least once before we can get an exit status.