http connections - App Transport Security

In yesterday's Platforms State of the Union session, they mentioned that http connections are no longer allowed with iOS 9 compiled apps. This will probably be covered in Thursday morning's networking/NSURLSession session. But that session will not be live streamed, because it is not in the Presidio.


I've looked around for docs on this, but I can't seem to find anything. That usually means I'm not doing it right...


Help?


Goal: I write an app where the user enters URLs into the app, which then are used to download content. I need to be able to support servers that only use http or use self-signed certificates. Obviously I can't prefill a user's URL into my Info.plist.

Accepted Reply

I don't know if there's any proper documentation on it yet, but if you do a quick search here (for example, by looking at the "More Like This" list of threads at the bottom of this page...) there is a plist key that will disable it for now.


thread: Application Transport Security ?

Replies

Not sure on this but I'm finding issues in the beta with NSURLSession and HTTPS connections. Our app supports both self-signed and valid certificates but both are failing with:


CFNetwork SSLHandshake failed (-9824)

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)


From what I can tell, the SessionDidReceiveAuthenticationChallengeBlock is never called.

Yeah, I am getting the same thing with https URLs. And the certificate we're using is not self-signed. Seems to me that there are still issues on their side related to this. Maybe it will be fixed in the next beta.


In the meantime, I'm using the plist key from the other thread.

Maybe the certificate itself or one in the chain is a SHA-1 certificate? Google Chrome doesn't support these certificates, even if it isn't self-signed, and maybe iOS 9 is doing it too.

The info you are looking for:


NSAppTransportSecurity
  NSExceptionDomains
    "example.com"
      NSIncludesSubdomains = YES
      NSExceptionRequiresForwardSecrecy = NO
      NSExceptionMinimumTLSVersion = "TLSv1.1"


Check it out in WWDC session 711

https://developer.apple.com/videos/wwdc/2015/?id=711 @ 5:55

Well, I've made a sample project that tries to get https://www.apple.com and it fails with the exact same error. I've opened a radar (21337673) and attached the sample project to it. Let's see if I get any response.


I will check the SHA-1 thing as well, thanks.

You need to exclude specifically URLs without a certificate.


More information here:


http://stackoverflow.com/questions/30720813/cfnetwork-sslhandshake-failed-ios-9-beta-1

You can find the key in this thread: https://forums.developer.apple.com/thread/4017