Develop Reference

Configure TLS connection with AFNetworking 3.x. Custom root CA certificate

I'm trying to connect to my server which have custom CA root certificate.
I can connect to server with code in my custom AFURLSessionManager
NSSet *certificatesSet = [CryptoProCSP sharedInstance].certsContextSet;
AFSecurityPolicy *securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey withPinnedCertificates:certificatesSet];
securityPolicy.allowInvalidCertificates = true;
securityPolicy.validatesDomainName = false;
self.securityPolicy = securityPolicy;
but getting error
[] nw_coretls_read_one_record tls_handshake_process: [-9801]
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)
[Error] POST '(null)' (0) [0.8155 s]: Error Domain=NSURLErrorDomain Code=-1200
"An SSL error has occurred and a secure connection to the server cannot be made."
I'm already changed my plist.info
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
<key>NSExceptionDomains</key>
<dict>
<key>domain.com</key>
<dict>
<key>NSExceptionMinimumTLSVersion</key>
<string>1.2</string>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>
</dict>
</dict>
</dict>
and server have TLS v1.2
I know problem is different cipher suites, i saw handshake, but how can i customise my request for using necessary cipher suites? I'm sending certificate, but thats not enough. TLS connection failed because of different cipher suites.

SSL error when trying to load TLSv1.2 site in an iframe inside UIWebView

I am displaying a web site in my iOS app (user's profile) that contains an option to purchase some services. The purchase is done inside the UIWebView by opening a third party payment page inside an iframe.
When trying to load this payment page, an SSL error is sent to webView:didFailLoadWithError: delegate method.
The SSL error:
Error Domain=NSURLErrorDomain Code=-1200 \"An SSL error has occurred and a secure connection to the server cannot be made.\" UserInfo={_kCFStreamErrorCodeKey=-9806, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x610000255c90 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 \"An SSL error has occurred and a secure connection to the server cannot be made.\" UserInfo={NSErrorFailingURLStringKey=https://SOME-URL, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFNetworkCFStreamSSLErrorOriginalValue=-9806, _kCFStreamPropertySSLClientCertificateState=0, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., _kCFStreamErrorDomainKey=3, NSErrorFailingURLKey=https://SOME-URL, _kCFStreamErrorCodeKey=-9806}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://SOME-URL, NSErrorFailingURLStringKey=https://SOME-URL, _kCFStreamErrorDomainKey=3}
I have tested this URL in a browser and I see that it uses TLSv1.2 so I don't understand what is the problem.
The same iframe works as expected in iOS Safari and in an Android app...
When I disable ATS (NSAppTransportSecurity) in the Info.plist then the payment page is displayed, but I'm afraid that Apple won't allow it is the AppStore (and I don't want to do it - it's a payment page and it should be secure).
This is the payment URL:
https://cgmpi.creditguard.co.il/CGMPI_Server/PerformTransaction?txId=a51270b0-9cb5-43aa-83cc-1cb0abe08691

I would put an exception regarding the webviews, the domain and the TLS version in the Info.plist to make sure that the ATS layer won't block any connection.
Something like this:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoadsInWebContent</key>
<true/>
<key>NSExceptionDomains</key>
<dict>
<key>creditguard.co.il</key>
<dict>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSExceptionMinimumTLSVersion</key>
<string>TLSv1.2</string>
</dict>
</dict>
</dict>

iOS 10, Swift 3 API call SSL error

I am working on a Mobile app built in cordova which uses REST API. The App works well in itself, but I have a Share Extension built with xcode for which I get this error for an API call.
Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9824, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fe888624290 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9824, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9824}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://www.example.com/, NSErrorFailingURLStringKey=https://www.example.com/, _kCFStreamErrorDomainKey=3}
I have this in the Info.plist
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>www.example.com</key>
<dict>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>
<key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
<false/>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSExceptionMinimumTLSVersion</key>
<string>TLSv1.0</string>
<key>NSRequiresCertificateTransparency</key>
<false/>
</dict>
</dict>
</dict>

Your server SSL is probably not secure or correctly installed.
You should check if it is correctly installed with some of the available webservices out there or something.
Example
or this one
It can also be that your SSL is self-signed and simply not trusted by iOS as trusted.

First, test your server with :
/usr/bin/nscurl --ats-diagnostics www.mydomain.com
You said your main app is well-working, so the issue may be in your extension plist.
Did you add the same ATS entry in your extension plist ?

https request with nsurlconnection is time out in ios

I try to request with HTTPS but it not worked ios 8 and ios 9 for this problem I chanced the info.plis like below. But i still get error: Error Domain=NSURLErrorDomain Code=-1001 "The request timed out." _kCFStreamErrorCodeKey=-2102, _kCFStreamErrorDomainKey=4
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
<key>NSExceptionDomains</key>
<dict>
<key>domainname.com</key>
<dict>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSTemporaryExceptionMinimumTLSVersion</key>
<string>TLSv1.2</string>
</dict>
</dict>
</dict>
How can I solve this problem ? Could you help me?

iOS9 NSAppTransportSecurity with s3.amazon.com

I'm testing an app in iOS9 and getting SSL errors with ATS loading images from amazon.com. All my stuff is being delivered over https but I'm still having issues.
I've added the correct ATS keys (worked on another app).
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>amazonaws.com</key>
<dict>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>
<key>NSIncludesSubdomains</key>
<true/>
</dict>
</dict>
</dict>
I've been all over the forums, adc, and SO and I'm not having any luck.
I've tried removing ATS entirely, and I still get the same error.
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
Error:
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, NSErrorPeerCertificateChainKey={type = immutable, count = 3, values = (
0 :
1 :
2 :
)}, NSUnderlyingError=0x7ffe70e2c690 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSErrorFailingURLStringKey=https://redacted.s3.amazonaws.com/14B78421-84F1-48D1-A8F4-73B688102EE7-21502-00003598C1B6C883_thumbnail.jpg, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, kCFStreamPropertySSLPeerCertificates={type = immutable, count = 3, values = (
0 :
1 :
2 :
)}, _kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., _kCFStreamErrorDomainKey=3, NSErrorFailingURLKey=https://redacted.s3.amazonaws.com/14B78421-84F1-48D1-A8F4-73B688102EE7-21502-00003598C1B6C883_thumbnail.jpg, _kCFStreamErrorCodeKey=-9802}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://redacted.s3.amazonaws.com/14B78421-84F1-48D1-A8F4-73B688102EE7-21502-00003598C1B6C883_thumbnail.jpg, NSErrorFailingURLStringKey=https://redacted.s3.amazonaws.com/14B78421-84F1-48D1-A8F4-73B688102EE7-21502-00003598C1B6C883_thumbnail.jpg, NSErrorClientCertificateStateKey=0}
Static files: AWS Amazon
Host: Heroku
Backend: Django
APIs: Django Rest Framework
I've tried every configuration I could find on ATS, cleaned/reset/rebuilt, modified the Django requests (originally they included querystring authentication), etc. I'm stumped on this and blocked.

After I did a substring replace on https links -- I got the messages saying ATS was blocking them. I knew I had the correct keys in the Info.plist - so I figured it had to be another Info.plist somewhere.
It turns out that the there was an Info.plist in the resources but it wasn't doing anything. We had to add the ATS keys to the Info tab on the Target panel. Not 100% sure what the difference is on these two as I've always edited the Info.plist in the past.

I had to add amazonaws.com to Info.plist like you did and to user the SDWebImageAllowInvalidSSLCertificates as an option for the sd_setImageWithURL: method to get it working.