Develop Reference

Xcode BoringSSL peer disconnect causing app to hang on startup

Recently I started getting inconsistent BoringSSL issues that is causing my cordova/ionic app to hang. It happens about 1 out of every 4 or 5 times I launch the app from Xcode to a physically attached test iPhone 6. The test phone uses WiFi only (no carrier network). Having a devil of a time find any solid solutions or what the root of the problem is.
Some indicate its DNS, others say its related to Firebase...I have tried a few of the fixes those threads have mentioned but none are working for me.
[BoringSSL] nw_protocol_boringssl_input_finished(1543) [C3.1:2][0x12fd335c0] Peer disconnected during the middle of a handshake. Sending errSSLClosedNoNotify(-9816) alert
TIC TCP Conn Failed [3:0x2805712c0]: 3:-9816 Err(-9816)
[BoringSSL] nw_protocol_boringssl_input_finished(1543) [C5.1:2][0x12fe46470] Peer disconnected during the middle of a handshake. Sending errSSLClosedNoNotify(-9816) alert
TIC TCP Conn Failed [5:0x280575f80]: 3:-9816 Err(-9816)
[BoringSSL] boringssl_context_alert_callback_handler(3724) [C6.1:2][0x12fd43710] Alert level: fatal, description: inappropriate fallback
[BoringSSL] boringssl_session_errorlog(224) [C6.1:2][0x12fd43710] [boringssl_session_handshake_incomplete] SSL_ERROR_SSL(1): operation failed within the library
[BoringSSL] boringssl_session_handshake_error_print(205) [C6.1:2][0x12fd43710] 5097281768:error:1000043e:SSL routines:OPENSSL_internal:TLSV1_ALERT_INAPPROPRIATE_FALLBACK:/BuildRoot/Library/Caches/com.apple.xbs/Sources/boringssl/boringssl-109.250.2/ssl/tls_record.cc:586:SSL alert number 86
[BoringSSL] boringssl_context_get_error_code(3617) [C6.1:2][0x12fd43710] SSL_AD_INAPPROPRIATE_FALLBACK
TIC TCP Conn Failed [6:0x280576640]: 3:-9860 Err(-9860)
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9860)
Task <02ADA890-35C5-4DE7-B0E5-6EC812CF79E6>.<1> HTTP load failed (error code: -1200 [3:-9860])
Task <02ADA890-35C5-4DE7-B0E5-6EC812CF79E6>.<1> finished with error - code: -1200
nw_protocol_boringssl_get_output_frames(1301) [C1.1:2][0x12fe15ea0] get output frames failed, state 8196
nw_protocol_boringssl_get_output_frames(1301) [C1.1:2][0x12fe15ea0] get output frames failed, state 8196
If the app sees this error when initializing, the app hangs at the splash screen. If it makes it past this issue then the app works just fine and I only see nw_protocol_get_output_frames messages every so often (don't know what those are about either).
Anyone have any ideas as to what is causing this, where to look or possibly what the fix is?
Cordova CLI: 9.0.0 (cordova-lib#9.0.1)
cordova-ios: v5.0.0
Gulp version: CLI version 3.9.1
Gulp local:
Ionic Framework Version: 1.3.4
Ionic CLI Version: 1.7.16
Ionic App Lib Version: 0.7.3
ios-deploy version: 1.9.4
ios-sim version: 8.0.1
OS: Mac OS X El Capitan
Node Version: v6.11.4
Xcode version: Xcode 10.1 Build version 10B61

I was stuck at this error and what I did was enable all kinds of logs on XCode and that revealed that the error with this BoringSSL was from a call to the API Crashlytics of google. What solved this matter to me was enter on firebase, enable crashlytics for my project, install the plugin (https://ionicframework.com/docs/native/firebase-crashlytics) and initialise it.
To find crashlytics on firebase you enter on the console and search on the left, under the menu quality, crashlytics. After that if you have already your GoogleService-Info.plist on your app, what remains is to install the plugin and initialise it according the docs.
[EDIT] Dont know if the above will contribute, because on another batch of tests I found that it didnt fix the issue. But when I add the next lines to config.plist it resolves:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>app-measurement.com</key>
<dict>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>
</dict>
<key>mtalk.google.com</key>
<dict>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>
</dict>
<key>play.googleapis.com</key>
<dict>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>
</dict>
<key>settings.crashlytics.com</key>
<dict>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>
</dict>
<key>googleapis.com</key>
<dict>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>
</dict>
<key>localhost</key>
<dict>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
</dict>
<key>127.0.0.1</key>
<dict>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
</dict>
</dict>
<key>NSAllowsArbitraryLoadsInWebContent</key>
<false/>
</dict>
https://forums.developer.apple.com/thread/42555
https://cocoacasts.com/app-transport-security-has-blocked-my-request

Configure TLS connection with AFNetworking 3.x. Custom root CA certificate

I'm trying to connect to my server which have custom CA root certificate.
I can connect to server with code in my custom AFURLSessionManager
NSSet *certificatesSet = [CryptoProCSP sharedInstance].certsContextSet;
AFSecurityPolicy *securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey withPinnedCertificates:certificatesSet];
securityPolicy.allowInvalidCertificates = true;
securityPolicy.validatesDomainName = false;
self.securityPolicy = securityPolicy;
but getting error
[] nw_coretls_read_one_record tls_handshake_process: [-9801]
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)
[Error] POST '(null)' (0) [0.8155 s]: Error Domain=NSURLErrorDomain Code=-1200
"An SSL error has occurred and a secure connection to the server cannot be made."
I'm already changed my plist.info
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
<key>NSExceptionDomains</key>
<dict>
<key>domain.com</key>
<dict>
<key>NSExceptionMinimumTLSVersion</key>
<string>1.2</string>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>
</dict>
</dict>
</dict>
and server have TLS v1.2
I know problem is different cipher suites, i saw handshake, but how can i customise my request for using necessary cipher suites? I'm sending certificate, but thats not enough. TLS connection failed because of different cipher suites.

iOS App Transport Security not accepting TLSv1.2 connection and plist exceptions not making any difference

I've got an iOS app which uses SSL/HTTPS to communicate with a server. The server is providing a certificate that works over TLSv1.2 (the main requirement of App Transport Security). An example URL that demonstrates this (where the TLSv1.2 can be verified by checking the certificate) is https://api.branon.co.uk/checkOnline.
However, the app is throwing errors relating to the App Transport Layer - errors that, when Googled - imply it's because the server isn't working over TLSv1.2. An example error is:
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
and:
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
I even added a bunch of exceptions to the plist file, such as:
<dict>
<key>NSExceptionDomains</key>
<dict>
<key><my top level domain - the app uses a subdomain - allowed below></key>
<dict>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSTemporaryExceptionMinimumTLSVersion</key>
<string>TLSv1.1</string>
</dict>
</dict>
</dict>
</plist>
but this doesn't change the result.
The certificate used is a free certificate issued from StartCom. My nginx config is below (just for reference).
server {
listen [::]:443 ssl;
listen 443 ssl;
ssl on;
ssl_certificate /root/ssl/<domain>.crt;
ssl_certificate_key /root/ssl/server.key;
server_name api.<domain>;
access_log /var/log/nginx/api.access.log;
error_log /var/log/nginx/api.error.log;
location ~ ^/([a-zA-Z]+)$ {
proxy_pass http://127.0.0.1:5000/$1;
}
}
Does anybody have any idea why this is happening?
Thanks!
Update:
Following the results of #Paulw11's suggested test (below) running nscurl, I decided just to try disabling App Transport Security entirely. I changed the App Transport Security dictionary in my plist to the below:
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
and am still getting the same error! So if it's not App Transport Security, what could be causing this? That error I'm getting again is:
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)

The server does not provide a complete certificate chain in its SSL/TLS handshake. While some clients can handle this and build out a trust chain, others cannot.
You can find the missing intermediate certificate via https://whatsmychaincert.com/?api.branon.co.uk and serve it along with your site's certificate in your SSL configuration in nginx.
Do remember to remove any ATS exceptions that you may have put in place!

The format of the keys I use to allow older versions of TLS (for amazonaws, for example) looks like this:
<key>NSIncludesSubdomains</key>
<string>NO</string>
<key>NSThirdPartyExceptionMinimumTLSVersion</key>
<string>TLSv1.1</string>
<key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
<string>NO</string>
The rest of the structure looks the same. At one point, we had this at the root level.
<key>NSExceptionMinimumTLSVersion</key>
<string>TLSv1.0</string>

NSCurl ATS works, IOS 9 does not

Here is the log from NSCURL:
Default ATS Secure Connection
---
ATS Default Connection
ATS Dictionary:
{
}
Result : PASS
---
And from IOS 9 simulator:
2015-11-02 20:52:29.928 energyvue[1137:17754] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
The url is on port 9445 though. Is there anyway to make this work without overriding ats transport security?

I had same problem, and communication works on Simulator iOS9.2 but not into device.
I fixed my problem checking CFNetwork log on device (http://jonathanblog2000.blogspot.com.br/2015/07/using-cfnetworkdiagnostics-for-network.html) and using a Cordova ATS Hybrid App Demo as sample (http://moduscreate.com/cordova-5-ios-9-security-policy-changes/).
My final ATS configuration:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>mydomain.com</key>
<dict>
<key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
<false/>
</dict>
</dict>
</dict>
My environment:
API using HTTPS TLSv1.2 with SNI (Amazon AWS Cloud front, S3 and Elasticbeanstalk)
iPhone 5S iOS 9.2 and Mac OS X El Capitan
Hibrid App with Ionic Framework and AngularJS

CFNetwork SSLHandshake failed iOS 9

has anyone with the iOS 9 beta 1 had this issue?
I use standard NSURLConnection to connect to a webservice and as soon as a call is made to the webservice i get the below error. This is currently working in iOS 8.3
Possible beta bug? any ideas or thoughts would be great ! I know its very early in iOS 9 development
Here is the full error:
CFNetwork SSLHandshake failed (-9824)
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
NSURLRequest * urlRequest = [NSURLRequest requestWithURL:[NSURL URLWithString:#"https://mywebserviceurl"]];
NSURLResponse * response = nil;
NSError * error = nil;
NSData * data = [NSURLConnection sendSynchronousRequest:urlRequest
returningResponse:&response
error:&error];

iOS 9 and OSX 10.11 require TLSv1.2 SSL for all hosts you plan to request data from unless you specify exception domains in your app's Info.plist file.
The syntax for the Info.plist configuration looks like this:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>yourserver.com</key>
<dict>
<!--Include to allow subdomains-->
<key>NSIncludesSubdomains</key>
<true/>
<!--Include to allow insecure HTTP requests-->
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
<!--Include to specify minimum TLS version-->
<key>NSExceptionMinimumTLSVersion</key>
<string>TLSv1.1</string>
</dict>
</dict>
</dict>
If your application (a third-party web browser, for instance) needs to connect to arbitrary hosts, you can configure it like this:
<key>NSAppTransportSecurity</key>
<dict>
<!--Connect to anything (this is probably BAD)-->
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
If you're having to do this, it's probably best to update your servers to use TLSv1.2 and SSL, if they're not already doing so. This should be considered a temporary workaround.
As of today, the prerelease documentation makes no mention of any of these configuration options in any specific way. Once it does, I'll update the answer to link to the relevant documentation.

In iOS 10+, the TLS string MUST be of the form "TLSv1.0". It can't just be "1.0". (Sigh)
The following combination of the other Answers works.
Let's say you are trying to connect to a host (YOUR_HOST.COM) that only has TLS 1.0.
Add these to your app's Info.plist
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>YOUR_HOST.COM</key>
<dict>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSTemporaryExceptionMinimumTLSVersion</key>
<string>TLSv1.0</string>
<key>NSTemporaryExceptionRequiresForwardSecrecy</key>
<false/>
</dict>
</dict>
</dict>

For more info Configuring App Transport Security Exceptions in iOS 9 and OSX 10.11
Curiously, you’ll notice that the connection attempts to change the
http protocol to https to protect against mistakes in your code where
you may have accidentally misconfigured the URL. In some cases, this
might actually work, but it’s also confusing.
This Shipping an App With App Transport Security covers some good debugging tips
ATS Failure
Most ATS failures will present as CFErrors with a code in the -9800
series. These are defined in the Security/SecureTransport.h header
2015-08-23 06:34:42.700 SelfSignedServerATSTest[3792:683731] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
CFNETWORK_DIAGNOSTICS
Set the environment variable CFNETWORK_DIAGNOSTICS to 1 in order to
get more information on the console about the failure
nscurl
The tool will run through several different combinations of ATS
exceptions, trying a secure connection to the given host under each
ATS configuration and reporting the result.
nscurl --ats-diagnostics https://example.com

If your backend uses a secure connection ant you get using NSURLSession
CFNetwork SSLHandshake failed (-9801)
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)
you need to check your server configuration especially to get ATS version and SSL certificate Info:
Instead of just Allowing Insecure Connection by setting NSExceptionAllowsInsecureHTTPLoads = YES , instead you need to Allow Lowered Security in case your server do not meet the min requirement (v1.2) for ATS (or better to fix server side).
Allowing Lowered Security to a Single Server
<key>NSExceptionDomains</key>
<dict>
<key>api.yourDomaine.com</key>
<dict>
<key>NSExceptionMinimumTLSVersion</key>
<string>TLSv1.0</string>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>
</dict>
</dict>
use openssl client to investigate certificate and get your server configuration using openssl client :
openssl s_client -connect api.yourDomaine.com:port //(you may need to specify port or to try with https://... or www.)
..find at the end
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: //
Session-ID-ctx:
Master-Key: //
Key-Arg : None
Start Time: 1449693038
Timeout : 300 (sec)
Verify return code: 0 (ok)
App Transport Security (ATS) require Transport Layer Security (TLS) protocol version 1.2.
Requirements for Connecting Using ATS:
The requirements for a web service connection to use App Transport Security (ATS) involve the server, connection ciphers, and certificates, as follows:
Certificates must be signed with one of the following types of keys:
Secure Hash Algorithm 2 (SHA-2) key with a digest length of at least 256 (that is, SHA-256 or greater)
Elliptic-Curve Cryptography (ECC) key with a size of at least 256 bits
Rivest-Shamir-Adleman (RSA) key with a length of at least 2048 bits An
invalid certificate results in a hard failure and no connection.
The following connection ciphers support forward secrecy (FS) and work
with ATS:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Update: it turns out that openssl only provide the minimal protocol version Protocol : TLSv1 links

After two days of attempts and failures, what worked for me is this code of womble
with One change, according to this post we should stop using sub-keys associated with the NSExceptionDomains dictionary of that kind of Convention
NSTemporaryExceptionMinimumTLSVersion
And use at the new Convention
NSExceptionMinimumTLSVersion
instead.
apple documentation
my code
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>YOUR_HOST.COM</key>
<dict>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSExceptionMinimumTLSVersion</key>
<string>TLSv1.0</string>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>
<key>NSIncludesSubdomains</key>
<true/>
</dict>
</dict>
</dict>

Another useful tool is nmap (brew install nmap)
nmap --script ssl-enum-ciphers -p 443 google.com
Gives output
Starting Nmap 7.12 ( https://nmap.org ) at 2016-08-11 17:25 IDT
Nmap scan report for google.com (172.217.23.46)
Host is up (0.061s latency).
Other addresses for google.com (not scanned): 2a00:1450:4009:80a::200e
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
| TLSv1.1:
| ciphers:
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
| TLSv1.2:
| ciphers:
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| compressors:
| NULL
| cipher preference: client
|_ least strength: C
Nmap done: 1 IP address (1 host up) scanned in 5.48 seconds

This error was showing up in the logs sometimes when I was using a buggy/crashy Cordova iOS version. It went away when I upgraded or downgraded cordova iOS.
The server I was connecting to was using TLSv1.2 SSL so I knew that was not the problem.

In your project .plist file in add this permission :
<key>NSAppTransportSecurity</key>
<dict>
<!--Connect to anything (this is probably BAD)-->
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>

The syntax for the Info.plist configuration
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>yourserver.com</key>
<dict>
<!--Include to allow subdomains-->
<key>NSIncludesSubdomains</key>
<true/>
<!--Include to allow insecure HTTP requests-->
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
<!--Include to specify minimum TLS version-->
<key>NSExceptionMinimumTLSVersion</key>
<string>TLSv1.1</string>
</dict>
</dict>

Updated Answer (post-WWDC 2016):
iOS apps will require secure HTTPS connections by the end of
2016. Trying turn ATS off may get your app rejected in the future.
App Transport Security, or ATS, is a feature that Apple introduced in iOS 9. When ATS is enabled, it forces an app to connect to web services over an HTTPS connection rather than non secure HTTP.
However, developers can still switch ATS off and allow their apps to send data over an HTTP connection as mentioned in above answers. At the end of 2016, Apple will make ATS mandatory for all developers who hope to submit their apps to the App Store. link

The device I tested at had wrong time set. So when I tried accessing a page with a certificate that would run out soon it would deny access because the device though the certificate had expired. To fix, set proper time on the device!