Problems using NSRequiresCertificateTransparency on iOS 9/10/11

I've noticed some strange behavior with my apps running on devices with iOS 9/10/11 when using NSRequiresCertificateTransparency = true. I configured my ATS in info.plist as below:

<key>NSAppTransportSecurity</key>
<dict>
      <key>NSExceptionDomains</key>
      <dict>
            <key>google.com</key>
            <dict>
                  <key>NSIncludesSubdomains</key>
                  <true/>
                  <key>NSRequiresCertificateTransparency</key>
                  <true/>
            </dict>
      </dict>
</dict>

It works well on iOS 12 and above, but on older versions I get this error:

Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server can't be made." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x60400010b130>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, NSErrorPeerCertificateChainKey=(
    "<cert(0x7fd828866400) s: www.google.com i: GTS CA 1O1>",
    "<cert(0x7fd828858800) s: GTS CA 1O1 i: GlobalSign>"
), NSUnderlyingError=0x6000004401e0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "An SSL error has occurred and a secure connection to the server can't be made." UserInfo={NSErrorFailingURLStringKey=https://www.google.com/, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, kCFStreamPropertySSLPeerCertificates=(
    "<cert(0x7fd828866400) s: www.google.com i: GTS CA 1O1>",
    "<cert(0x7fd828858800) s: GTS CA 1O1 i: GlobalSign>"
), _kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x60400010b130>, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server can't be made., _kCFStreamErrorDomainKey=3, NSErrorFailingURLKey=https://www.google.com/, _kCFStreamErrorCodeKey=-9802}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server can't be made., NSErrorFailingURLKey=HTTPS://WWW.GOOGLE.COM, NSErrorFailingURLStringKey=HTTPS://WWW.GOOGLE.COM, NSErrorClientCertificateStateKey=0}

At first, I thought it would be a configuration issue on my server side, but I've tested with google.com (as I posted above) and the same error occurs. I've also tested with apple.com and it worked perfectly, even on iOS 10, but with any other URL I've tried, I got that error.

Any ideas why this is happening?

Yes, for iOS 9, 10, and 11 the local device CT logs are out of date at this point and so additional verifications cannot be made for certificates out on the internet. I would advise updating to a more recent version of iOS. If you need to support iOS 11 and you are seeing these failures with NSRequiresCertificateTransparency, then I would advise taking a look into how trust is evaluated with SecTrustEvaluateWithError for these network calls and performing your own trust evaluation determination based on the output.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
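An added example, in Swift, of the delegate-side trust evaluation the reply suggests (not code from the thread or from Apple). It assumes the server-trust challenge for the exception domain reaches the URLSession delegate and that the trust object it carries is the one to evaluate; the host name comes from the challenge.

```swift
import Foundation
import Security

/// Performs the app's own server-trust evaluation instead of relying on the
/// ATS certificate-transparency check, which fails on iOS 9-11 because the
/// device-side CT log list is stale.
final class TrustEvaluatingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only handle server trust; leave client certificates, HTTP auth, etc. to the system.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Evaluate against the standard TLS policy for this host: chain validity,
        // expiry and hostname match. Assumption: the trust object handed to the
        // delegate is the one ATS evaluated, so its policies are replaced here.
        let host = challenge.protectionSpace.host
        let status = SecTrustSetPolicies(trust, SecPolicyCreateSSL(true, host as CFString))
        guard status == errSecSuccess else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        var trusted = false
        if #available(iOS 12.0, *) {
            var error: CFError?
            trusted = SecTrustEvaluateWithError(trust, &error)
            if let error = error {
                NSLog("Trust evaluation failed for %@: %@", host, (error as Error).localizedDescription)
            }
        } else {
            // iOS 11 and earlier: SecTrustEvaluateWithError is unavailable, so fall back to
            // the older API and accept only the two results that mean "trusted".
            var result = SecTrustResultType.invalid
            let evalStatus = SecTrustEvaluate(trust, &result)
            trusted = evalStatus == errSecSuccess && (result == .unspecified || result == .proceed)
            if !trusted {
                NSLog("Trust evaluation failed for %@ (status %d, result %u)", host, evalStatus, result.rawValue)
            }
        }

        // Accept the chain only when evaluation succeeded; otherwise cancel the connection.
        completionHandler(trusted ? .useCredential : .cancelAuthenticationChallenge,
                          trusted ? URLCredential(trust: trust) : nil)
    }
}
```

Install it with `URLSession(configuration: .default, delegate: TrustEvaluatingDelegate(), delegateQueue: nil)`; the NSLog lines give you a record of rejected chains to review rather than a silent -1200.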