@Matt:
Thanks! I'll try your tips.
@Quinn:
We use Alamofire (which uses URLSession) and WKWebView.
I assume that SFSafariViewController is not affected by these settings, correct?
Since we still need to support iOS 13 (client's requirement), it'll be experimental for now.
Lars
@Matt:
I was able to produce a failing connection (wrong SPKI-SHA256-BASE64) with a certificate error trying to load https://apple.com. But downloading https://www.apple.com still works – even though NSIncludesSubdomains is true.
Testing more, I found that some subdomains are pinned correctly, some are not. This is also the case for the sub domains I was originally trying to pin in my project.
Info.plist section:
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSPinnedDomains</key>
    <dict>
        <key>apple.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSPinnedCAIdentities</key>
            <array>
                <dict>
                    <key>SPKI-SHA256-BASE64</key>
                    <string>r/333mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E=</string>
                </dict>
            </array>
        </dict>
    </dict>
</dict>
Code:
import UIKit

class ViewController: UIViewController
{
    // Plain default session: no delegate, so certificate evaluation is left entirely
    // to the system (and therefore to the NSPinnedDomains entries in Info.plist).
    private lazy var urlSession: URLSession =
    {
        URLSession(configuration: URLSessionConfiguration.default, delegate: nil, delegateQueue: .main)
    }()

    override func viewDidLoad()
    {
        super.viewDidLoad()

        // One GET per host; with a wrong pin every one of these should fail with -1202.
        [
            "apple.com",
            "www.apple.com",
            "images.apple.com",
            "store.apple.com",
        ]
        .map { URL(string: "https://\($0)")! } /* intentional crash on failure */
        .forEach
        { url in
            var urlRequest = URLRequest(url: url)
            urlRequest.httpMethod = "GET"
            let task = self.urlSession.dataTask(with: urlRequest)
            { (data, response, error) in
                var text: String?
                if let data = data
                {
                    text = String(data: data, encoding: .ascii)?
                        .trimmingCharacters(in: .whitespacesAndNewlines)
                }

                // Print either the body, the raw data description, or the error.
                let result = "\(text ?? data?.debugDescription ?? error.debugDescription)".prefix(100)
                print("URL: \(url): result: \(result)")
            }

            task.resume()
        }
    }
}
Output (filtered)
URL: https://apple.com: result: Optional(Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You m
URL: https://images.apple.com: result: Optional(Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You m
URL: https://www.apple.com: result: <!DOCTYPE html>
URL: https://store.apple.com: result: Optional(Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You m
Thanks
Lars
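Added example (not part of the post above, and not Apple's code): a small offline audit script that parses the NSPinnedDomains section of an Info.plist with the standard-library plistlib, reports which pinned entry should govern each hostname under the documented NSIncludesSubdomains semantics (an entry covers its own domain exactly and, when NSIncludesSubdomains is true, every label depth below it, so foo.bar.apple.com as well as www.apple.com), and checks that every SPKI-SHA256-BASE64 value is well-formed Base64 decoding to exactly 32 bytes. The plist embedded below is the fragment from the post wrapped in a complete document; the hostnames notapple.com and apple.com.evil.test are constructed to show that suffix matching stops at a label boundary. The subdomain semantics are an assumption drawn from the key's description, not from the code path inside URLSession, so a mismatch between this script's "should be pinned" column and a real device's behaviour is exactly the kind of discrepancy the thread is about.

```python
import base64
import binascii
import plistlib

# Constructed sample: the NSAppTransportSecurity fragment from the post,
# wrapped in a complete plist so plistlib can parse it.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSPinnedDomains</key>
    <dict>
      <key>apple.com</key>
      <dict>
        <key>NSIncludesSubdomains</key>
        <true/>
        <key>NSPinnedCAIdentities</key>
        <array>
          <dict>
            <key>SPKI-SHA256-BASE64</key>
            <string>r/333mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E=</string>
          </dict>
        </array>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""


def load_pinned_domains(plist_bytes):
    """Return the NSPinnedDomains dictionary (domain -> settings), or {} if absent."""
    root = plistlib.loads(plist_bytes)
    return root.get("NSAppTransportSecurity", {}).get("NSPinnedDomains", {})


def matching_entry(host, pinned_domains):
    """Return the pinned-domain key that should govern `host`, or None.

    Assumed semantics: an entry covers its own domain exactly and, when
    NSIncludesSubdomains is true, any depth of labels below it. The most
    specific (longest) matching entry wins. Matching is on whole labels, so
    "apple.com.evil.test" is not covered by an "apple.com" entry.
    """
    host = host.lower().rstrip(".")
    best_key, best_len = None, -1
    for domain, settings in pinned_domains.items():
        d = domain.lower().rstrip(".")
        covers = host == d or (
            settings.get("NSIncludesSubdomains", False) and host.endswith("." + d)
        )
        if covers and len(d) > best_len:
            best_key, best_len = domain, len(d)
    return best_key


def spki_pin_problems(entry):
    """List human-readable problems with the SPKI-SHA256-BASE64 pins in one entry.

    Each pin must be standard Base64 of exactly 32 bytes (a SHA-256 digest of
    the SubjectPublicKeyInfo). Both NSPinnedCAIdentities and NSPinnedLeafIdentities
    are checked.
    """
    problems = []
    pins = entry.get("NSPinnedCAIdentities", []) + entry.get("NSPinnedLeafIdentities", [])
    if not pins:
        problems.append("no NSPinnedCAIdentities or NSPinnedLeafIdentities")
    for pin in pins:
        value = pin.get("SPKI-SHA256-BASE64")
        if value is None:
            problems.append("identity without SPKI-SHA256-BASE64")
            continue
        try:
            raw = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"{value!r}: not valid Base64")
            continue
        if len(raw) != 32:
            problems.append(f"{value!r}: decodes to {len(raw)} bytes, expected 32")
    return problems


def audit(plist_bytes, hosts):
    """Return (host -> governing entry or None, entry -> list of pin problems)."""
    pinned = load_pinned_domains(plist_bytes)
    coverage = {h: matching_entry(h, pinned) for h in hosts}
    problems = {d: spki_pin_problems(e) for d, e in pinned.items()}
    return coverage, problems


if __name__ == "__main__":
    hosts = ["apple.com", "www.apple.com", "images.apple.com", "store.apple.com",
             "foo.bar.apple.com", "notapple.com", "apple.com.evil.test"]
    coverage, problems = audit(SAMPLE_PLIST, hosts)
    for host, entry in coverage.items():
        print(f"{host:22} -> {entry or 'NOT PINNED'}")
    for domain, issues in problems.items():
        for issue in issues:
            print(f"{domain}: {issue}")
```

Run against the fragment from the post, the script flags the placeholder pin as malformed (it is 47 characters, which is not a valid Base64 length), which is a separate issue from the wrong-but-well-formed dGVzdAo= value the post also tried; a real pin is always 44 characters ending in "=".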
Hi Matt,
Unless I am mistaken, that is not quite what I am looking at.
I am intentionally using the wrong key to provoke an SSL error.
r/333mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E= does not match the RootCA public key hash for www.apple.com. Why does the request succeed?
I even tried dGVzdAo= (Base64 for "test"). Same result:
Requests fail for some subdomains (expected behaviour) but I get a valid response for www.apple.com – which is unexpected.
Similar behaviour for some other domains (I don't want to post them here).
Thanks,
Lars
Matt,
here you go: FB8989889
Lars
@Matt: done
I filed a bug report at https://bugs.swift.org/browse/SR-16062
Follow-up: Apparently this has been fixed for single level subdomains like foo.apple.com but is still not correctly implemented for multiple levels like foo.bar.apple.com
iOS 15.4.1, iPhone SE 1
Same here, I do not want to spend € 99 on writing a simple learning app for my six year old.