iOS9 NSAppTransportSecurity with s3.amazon.com - ios

I'm testing an app in iOS9 and getting SSL errors with ATS loading images from amazon.com. All my stuff is being delivered over https but I'm still having issues.
I've added the correct ATS keys (worked on another app).
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>amazonaws.com</key>
        <dict>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
            <key>NSIncludesSubdomains</key>
            <true/>
        </dict>
    </dict>
</dict>
I've been all over the forums, adc, and SO and I'm not having any luck.
I've tried removing ATS entirely, and I still get the same error.
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>
Error:
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, NSErrorPeerCertificateChainKey={type = immutable, count = 3, values = (
0 :
1 :
2 :
)}, NSUnderlyingError=0x7ffe70e2c690 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSErrorFailingURLStringKey=https://redacted.s3.amazonaws.com/14B78421-84F1-48D1-A8F4-73B688102EE7-21502-00003598C1B6C883_thumbnail.jpg, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, kCFStreamPropertySSLPeerCertificates={type = immutable, count = 3, values = (
0 :
1 :
2 :
)}, _kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., _kCFStreamErrorDomainKey=3, NSErrorFailingURLKey=https://redacted.s3.amazonaws.com/14B78421-84F1-48D1-A8F4-73B688102EE7-21502-00003598C1B6C883_thumbnail.jpg, _kCFStreamErrorCodeKey=-9802}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://redacted.s3.amazonaws.com/14B78421-84F1-48D1-A8F4-73B688102EE7-21502-00003598C1B6C883_thumbnail.jpg, NSErrorFailingURLStringKey=https://redacted.s3.amazonaws.com/14B78421-84F1-48D1-A8F4-73B688102EE7-21502-00003598C1B6C883_thumbnail.jpg, NSErrorClientCertificateStateKey=0}
Static files: AWS Amazon
Host: Heroku
Backend: Django
APIs: Django Rest Framework
I've tried every configuration I could find on ATS, cleaned/reset/rebuilt, modified the Django requests (originally they included querystring authentication), etc. I'm stumped on this and blocked.

After I did a substring replace on https links -- I got the messages saying ATS was blocking them. I knew I had the correct keys in the Info.plist - so I figured it had to be another Info.plist somewhere.
It turns out that there was an Info.plist in the resources but it wasn't doing anything. We had to add the ATS keys to the Info tab on the Target panel. Not 100% sure what the difference is on these two as I've always edited the Info.plist in the past.

I had to add amazonaws.com to Info.plist like you did and to use SDWebImageAllowInvalidSSLCertificates as an option for the sd_setImageWithURL: method to get it working.
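An added audit script (not code from the question or the answers) that parses an Info.plist with Python's plistlib and lists every ATS exception that relaxes the defaults, including the global switches and the older NSTemporaryException*/NSThirdPartyException* key spellings used in posts on this page; the two sample plists are constructed to mirror the exception dictionaries in this thread.

```python
import plistlib

# Older ATS key spellings (NSTemporaryException*, NSThirdPartyException*), which
# posts in this thread use, are treated here as aliases of the NSException* keys.
PREFIXES = ("NSException", "NSTemporaryException", "NSThirdPartyException")
# Per-domain keys and the value that weakens the ATS default for that domain.
WEAKENING = {
    "AllowsInsecureHTTPLoads": (True, "cleartext HTTP permitted"),
    "RequiresForwardSecrecy": (False, "forward secrecy (ECDHE ciphers) not required"),
}
TLS_VERSIONS = ("TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3")  # only valid strings

def strip_prefix(key):
    for prefix in PREFIXES:
        if key.startswith(prefix):
            return key[len(prefix):]
    return key

def audit_ats(plist_bytes):
    """Return findings for the NSAppTransportSecurity dict of an Info.plist."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("global: NSAllowsArbitraryLoads disables ATS for every host")
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append("global: NSAllowsArbitraryLoadsInWebContent disables ATS in web views")
    for domain, exc in ats.get("NSExceptionDomains", {}).items():
        scope = domain + (" and subdomains" if exc.get("NSIncludesSubdomains") else "")
        for key, value in exc.items():
            name = strip_prefix(key)
            if name == "MinimumTLSVersion":
                if value not in TLS_VERSIONS:
                    findings.append(f"{scope}: {key}={value!r} is not a valid value, use e.g. 'TLSv1.2'")
                elif TLS_VERSIONS.index(value) < TLS_VERSIONS.index("TLSv1.2"):
                    findings.append(f"{scope}: minimum TLS version lowered to {value}")
            elif name in WEAKENING and value == WEAKENING[name][0]:
                findings.append(f"{scope}: {WEAKENING[name][1]}")
    return findings

# Constructed samples: the first mirrors the exception from the question above, the
# second combines the global switch with a mistyped TLS version string.
QUESTION_PLIST = b"""<plist version="1.0"><dict><key>NSAppTransportSecurity</key><dict>
<key>NSExceptionDomains</key><dict><key>amazonaws.com</key><dict>
<key>NSExceptionRequiresForwardSecrecy</key><false/>
<key>NSIncludesSubdomains</key><true/></dict></dict></dict></dict></plist>"""
ARBITRARY_PLIST = b"""<plist version="1.0"><dict><key>NSAppTransportSecurity</key><dict>
<key>NSAllowsArbitraryLoads</key><true/><key>NSExceptionDomains</key><dict>
<key>domain.com</key><dict><key>NSExceptionMinimumTLSVersion</key><string>1.2</string>
<key>NSTemporaryExceptionRequiresForwardSecrecy</key><false/></dict></dict></dict></dict></plist>"""
```

Run it against a built app's Info.plist with audit_ats(open(path, "rb").read()); an empty list means the ATS defaults are untouched, which is also the quickest way to confirm that the plist Xcode actually bundled is the one you edited.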

Related

Configure TLS connection with AFNetworking 3.x. Custom root CA certificate

I'm trying to connect to my server, which has a custom CA root certificate.
I can connect to the server with this code in my custom AFURLSessionManager
NSSet *certificatesSet = [CryptoProCSP sharedInstance].certsContextSet;
AFSecurityPolicy *securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey withPinnedCertificates:certificatesSet];
securityPolicy.allowInvalidCertificates = true;
securityPolicy.validatesDomainName = false;
self.securityPolicy = securityPolicy;
but I get this error
[] nw_coretls_read_one_record tls_handshake_process: [-9801]
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)
[Error] POST '(null)' (0) [0.8155 s]: Error Domain=NSURLErrorDomain Code=-1200
"An SSL error has occurred and a secure connection to the server cannot be made."
I've already changed my Info.plist
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
        <key>domain.com</key>
        <dict>
            <key>NSExceptionMinimumTLSVersion</key>
            <string>1.2</string>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
        </dict>
    </dict>
</dict>
and the server has TLS v1.2
I know the problem is different cipher suites, I saw the handshake, but how can I customise my request to use the necessary cipher suites? I'm sending the certificate, but that's not enough. The TLS connection failed because of different cipher suites.

SSL error when trying to load TLSv1.2 site in an iframe inside UIWebView

I am displaying a web site in my iOS app (user's profile) that contains an option to purchase some services. The purchase is done inside the UIWebView by opening a third party payment page inside an iframe.
When trying to load this payment page, an SSL error is sent to webView:didFailLoadWithError: delegate method.
The SSL error:
Error Domain=NSURLErrorDomain Code=-1200 \"An SSL error has occurred and a secure connection to the server cannot be made.\" UserInfo={_kCFStreamErrorCodeKey=-9806, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x610000255c90 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 \"An SSL error has occurred and a secure connection to the server cannot be made.\" UserInfo={NSErrorFailingURLStringKey=https://SOME-URL, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFNetworkCFStreamSSLErrorOriginalValue=-9806, _kCFStreamPropertySSLClientCertificateState=0, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., _kCFStreamErrorDomainKey=3, NSErrorFailingURLKey=https://SOME-URL, _kCFStreamErrorCodeKey=-9806}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://SOME-URL, NSErrorFailingURLStringKey=https://SOME-URL, _kCFStreamErrorDomainKey=3}
I have tested this URL in a browser and I see that it uses TLSv1.2 so I don't understand what is the problem.
The same iframe works as expected in iOS Safari and in an Android app...
When I disable ATS (NSAppTransportSecurity) in the Info.plist then the payment page is displayed, but I'm afraid that Apple won't allow it in the App Store (and I don't want to do it - it's a payment page and it should be secure).
This is the payment URL:
https://cgmpi.creditguard.co.il/CGMPI_Server/PerformTransaction?txId=a51270b0-9cb5-43aa-83cc-1cb0abe08691
I would put an exception regarding the webviews, the domain and the TLS version in the Info.plist to make sure that the ATS layer won't block any connection.
Something like this:
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoadsInWebContent</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
        <key>creditguard.co.il</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.2</string>
        </dict>
    </dict>
</dict>

iOS 10, Swift 3 API call SSL error

I am working on a mobile app built in Cordova which uses a REST API. The app works well in itself, but I have a Share Extension built with Xcode for which I get this error for an API call.
Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9824, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fe888624290 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9824, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9824}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://www.example.com/, NSErrorFailingURLStringKey=https://www.example.com/, _kCFStreamErrorDomainKey=3}
I have this in the Info.plist
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>www.example.com</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
            <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
            <false/>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.0</string>
            <key>NSRequiresCertificateTransparency</key>
            <false/>
        </dict>
    </dict>
</dict>
Your server SSL is probably not secure or correctly installed.
You should check if it is correctly installed with some of the available webservices out there or something.
It can also be that your SSL certificate is self-signed and simply not trusted by iOS.
First, test your server with :
/usr/bin/nscurl --ats-diagnostics www.mydomain.com
You said your main app is well-working, so the issue may be in your extension plist.
Did you add the same ATS entry in your extension plist?

'An SSL error has occurred and a secure connection to the server cannot be made' with verified certificate

I get the following error message (which is identical every try)
2016-07-20 20:09:28.013 MyApp[1140:374263] CFNetwork SSLHandshake failed (-9806)
2016-07-20 20:09:28.014 MyApp[1140:374263] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9806)
error=Optional(Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9806, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x154dda750 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9806, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9806}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://example.com:8080/api/login, NSErrorFailingURLStringKey=https://example.com:8080/api/login, _kCFStreamErrorDomainKey=3})
The certificate is a validated one provided by letsencrypt. I have tested my web server configuration over and over, and everything seems to be like it should.
Running the command openssl s_client -connect example.com:8080/api/login -tls1_2 gives all the expected results:
- It verifies the authority as DST Root CA X3, which is included in Apple's root CA list
- The return code is Verify return code: 0 (ok)
I have also run several ssl diagnostic tool websites such as digicert, which has given no error results.
I can load the domain from Safari ON the iOS device, as well as chrome from my computer without having to accept "untrusted certificates".
Any suggestions?
In case anyone encounters the same problem, I'll answer my own question.
At the time of the question, Let's Encrypt (the CA of the certificate used) did not support forward secrecy for their https certificates (at least not the one I got). Apple by default required this in the iOS version used at that time (I believe it was around 9.5, but I might be mistaken here).
To get around the requirement of forward secrecy, this can be specified in the Info.plist under domain exceptions.
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>example.com</key>
        <dict>
            <key>NSTemporaryExceptionRequiresForwardSecrecy</key>
            <false/>
        </dict>
    </dict>
</dict>
Somewhere along the road, they changed this so the default lands on false. I am not sure when this was, but after iOS 10.0 it was never a problem.

NSURLSession/NSURLConnection HTTP load failed wildcard certificate ios8/9

I'm trying to call a public API with a valid wildcard SSL certificate (bought) but the connection fails with this error:
Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “api.mydomain.com” which could put your confidential information at risk." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9813, NSErrorPeerCertificateChainKey={type = immutable, count = 1, values = (
0 :
The wildcard certificate covers all subdomains: *.mydomain.com
The host that I'm trying to connect to is: api.mydomain.com
I tried to add an exception to App Transport Security but it does not work
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
        <key>mydomain.com</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSIncludesSubdomains</key>
            <true/>
        </dict>
    </dict>
</dict>
How can I fix the problem?