-
Re: SecTrustSetPolicies not work when ATS enabled
eskimo Dec 16, 2016 3:01 AM (in response to roben)I'm using a self-signed certificate … But I find that the code is not working when ATS is turned on.
The general rule for ATS is that apps are not able to lower security beyond that specified in their ATS dictionary (the
NSAppTransportSecurity
dictionary in theInfo.plist
). So if “ATS is turned on” means what I think it means (you are building with a modern SDK, which enables ATS, and you don’t have an ATS dictionary that specifically disables ATS for your domain), this is working as expected: ATS is preventing you from lowering security beyond what’s specified in your ATS dictionary, which is exactly what it’s supposed to be doing.To make this work you’ll need to add an ATS exception that covers your server. If there are no constraints on the DNS name of your server, you’ll need to use
NSAllowsArbitraryLoads
.The weird thing is the domain verification will fail but the pure IP address will be ok.
Right. ATS is always disabled for IP address URLs.
IMPORTANT This is new in iOS 10. In iOS 9 ATS is always enabled for IP address URLs and there’s no way (other than the heavy hammer than is
NSAllowsArbitraryLoads
) to disable it.Coming back to the big picture, why are you using a self-signed certificate? Folks do this for lots of different reasons, but in most cases there’s a better approach. If you can explain more about your high-level problem, I should be able to suggest an alternative.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardwarelet myEmail = "eskimo" + "1" + "@apple.com"