I took my UIWebView test app, changed the ATS dictionary to set just
NSAllowsArbitraryLoadsInWebContent
, and then pointed the app at that URL. I then set a breakpoint on
-webView:didFailLoadWithError:
and printed the full error:
(lldb) po error
Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred
and a secure connection to the server cannot be made."
UserInfo={_kCFStreamErrorCodeKey=-9801,
NSLocalizedRecoverySuggestion=Would you like to connect to the
server anyway?, NSUnderlyingError=0x610000241c50 {Error
Domain=kCFErrorDomainCFNetwork Code=-1200 "An SSL error has occurred
and a secure connection to the server cannot be made."
UserInfo={NSErrorFailingURLStringKey=https://fyp.ebay.com/
EnterUserInfo?&clientapptype=16, NSLocalizedRecoverySuggestion=Would
you like to connect to the server anyway?,
_kCFNetworkCFStreamSSLErrorOriginalValue=-9801,
_kCFStreamPropertySSLClientCertificateState=0,
NSLocalizedDescription=An SSL error has occurred and a secure
connection to the server cannot be made.,
_kCFStreamErrorDomainKey=3,
NSErrorFailingURLKey=https://fyp.ebay.com/EnterUserInfo?&
clientapptype=16, _kCFStreamErrorCodeKey=-9801}},
NSLocalizedDescription=An SSL error has occurred and a secure
connection to the server cannot be made.,
NSErrorFailingURLKey=https://fyp.ebay.com/EnterUserInfo?&
clientapptype=16,
NSErrorFailingURLStringKey=https://fyp.ebay.com/EnterUserInfo?&
clientapptype=16, _kCFStreamErrorDomainKey=3}
Note the failing URL,
https://fyp.ebay.com
. So
NSAllowsArbitraryLoadsInWebContent
is working for the initial URL but failing for this one.
Poking at that server with
TLSTool
I see the following:
$ TLSTool s_client -connect fyp.ebay.com:443
* input stream did open
* output stream did open
* output stream has space
* protocol: TLS 1.0
* cipher: RSA_WITH_RC4_128_MD5
* trust result: unspecified
* certificate info:
* 0 + rsaEncryption 2048 sha256-with-rsa-signature 'fyp.ebay.com'
* 1 + rsaEncryption 2048 sha256-with-rsa-signature 'Symantec Class 3 Secure Server CA - G4'
* 2 rsaEncryption 2048 sha1-with-rsa-signature 'VeriSign Class 3 Public Primary Certification Authority - G5'
^C
Oi vey! That cypher suite,
RSA_WITH_RC4_128_MD5
, is chock full of obsolete and insecure protocols (RC4, MD5, no forward secrecy).
My guess as to what’s happening here is that
NSAllowsArbitraryLoadsInWebContent
has disabled most, but not all, of the ATS checks for UIWebView. So you can load plain text sites, and sites with other problems (for example,
scgi.ebay.com
doesn’t support forward secrecy), but either RC4 or MD5 is still tripping it up. Please file a
bug about this, then post your bug number here, just for the record.
The obvious workaround would be to continue to use
NSAllowsArbitraryLoads
until this problem is resolved.
You should also contact the site owner: the level of security for that site is way below what I would expect to see on the modern Internet.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
