119 Views 2 Replies
      Latest reply on Jan 13, 2017 12:18 PM by ggggg99999
      ggggg99999 Level 1 Level 1 (0 points)
      ggggg99999 Jan 12, 2017 3:43 PM

        If I use TLSTool on https://3des.badssl.com it shows that the cipher suite is ECDHE_RSA_WITH_3DES_EDE_CBC_SHA. I was assuming setting NSExceptionAllowsInsecureHTTPLoads=true would make this cipher work, but it doesn't work unless I also set NSExceptionRequiresForwardSecrecy=false. This seems like what I would do if my cipher suite was something like RSA_WITH_3DES_EDE_CBC_SHA where it's not supporting PFS and the encryption method doesn't match. But then again NSExceptionRequiresForwardSecrecy is really just a way to give you access to these specific cipher suites:

         

        • TLS_RSA_WITH_AES_256_GCM_SHA384
        • TLS_RSA_WITH_AES_128_GCM_SHA256
        • TLS_RSA_WITH_AES_256_CBC_SHA256
        • TLS_RSA_WITH_AES_256_CBC_SHA
        • TLS_RSA_WITH_AES_128_CBC_SHA256
        • TLS_RSA_WITH_AES_128_CBC_SHA

         

        So I think I'm just confused about which keys to use for different unsupported cipher suites.

        • Re: Which ATS exception keys do I use for encryption mismatch on cipher suite?
          eskimo Apple Staff Apple Staff (10,665 points)
          eskimo Jan 13, 2017 1:34 AM (in response to ggggg99999)

          In general NSExceptionAllowsInsecureHTTPLoads just enables plain HTTP loads; it does not affect the HTTPS side of things.  I’m in two minds as to whether that’s correct behaviour or not, but if you have a strong opinion about this I recommend you put that in a bug report.

          As to why NSExceptionRequiresForwardSecrecy enables 3DES but only when NSExceptionAllowsInsecureHTTPLoads is also set, yeah, that’s definitely weird.  I’m not sure whether that’s intended behaviour or an artefact of the implementation.  If you need a definitive answer about that, you should open a DTS tech support incident and I’ll dig into it.  If not, I recommend you file a bug against the ATS documentation to get things clarified there.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: Which ATS exception keys do I use for encryption mismatch on cipher suite?
              ggggg99999 Level 1 Level 1 (0 points)
              ggggg99999 Jan 13, 2017 12:18 PM (in response to eskimo)

              Ok I think I was making bad assumptions about NSExceptionAllowsInsecureHTTPLoads then because there's at least one special case where you can use it to use HTTPS with things like self-signed certs. So if a cipher suite is not in the main ATS cipher list or the non-PFS cipher list, is it not possible to use some sort of exception to use HTTPS with ATS (besides what I did in my first post)? I only tried that combination because I saw that test pass in nscurl.