NSExceptionAllowsInsecureHTTPLoadsjust enables plain HTTP loads; it does not affect the HTTPS side of things. I’m in two minds as to whether that’s correct behaviour or not, but if you have a strong opinion about this I recommend you put that in a bug report.
As to why
NSExceptionRequiresForwardSecrecyenables 3DES but only when
NSExceptionAllowsInsecureHTTPLoadsis also set, yeah, that’s definitely weird. I’m not sure whether that’s intended behaviour or an artefact of the implementation. If you need a definitive answer about that, you should open a DTS tech support incident and I’ll dig into it. If not, I recommend you file a bug against the ATS documentation to get things clarified there.
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
Ok I think I was making bad assumptions about NSExceptionAllowsInsecureHTTPLoads then because there's at least one special case where you can use it to use HTTPS with things like self-signed certs. So if a cipher suite is not in the main ATS cipher list or the non-PFS cipher list, is it not possible to use some sort of exception to use HTTPS with ATS (besides what I did in my first post)? I only tried that combination because I saw that test pass in nscurl.