9 Replies
      Latest reply on Sep 18, 2015 1:18 AM by eskimo
      snuka Level 1 (0 points)

        It's noted in https://developer.apple.com/library/prerelease/ios/technotes/App-Transport-Security-Technote/ that SDK9 will not allow SHA-256 certs or above. But also there is a TLS1.1 and under exception process. NSExceptionMinimumTLSVersion. Since only the TLS1.2 protocol can use a SHA-256 cert while the lower versions can't, doesn't the use of this exception allow developers to use the SHA-1 certs? If so, the message below seems conflicting and requires an exception of SHA-1 cert message as well.

        "Certificates must be signed using a SHA256 or better signature hash algorithm, with either a 2048 bit or greater RSA key or a 256 bit or greater Elliptic-Curve (ECC) key. Invalid certificates result in a hard failure and no connection."

        • Re: If IOS9 allows TLS1.0 exception then doesn't this automatically relax the SHA-256 restraint?
          eskimo Apple Staff (11,265 points)

          I’m confused: why do you think that TLS 1.0 doesn’t support SHA2/256 certificates? Remember that it is not the TLS cipher suite we’re talking about, but the signature hash algorithm within the certificate itself.

          Share and Enjoy

          Quinn "The Eskimo!"
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: If IOS9 allows TLS1.0 exception then doesn't this automatically relax the SHA-256 restraint?
              snuka Level 1 (0 points)

              Thanks for getting back Eskimo. Let me refine my question.

              Let's forget about the cipher suites. Does IOS9, built with SDK9, provide exceptions to use SHA-1 certs like the exception process for TLS1.0? From the technote, it sounds like the answer is NO but I wanted to reconfirm to avoid any misinterpretations.

              Thanks

                • Re: If IOS9 allows TLS1.0 exception then doesn't this automatically relax the SHA-256 restraint?
                  eskimo Apple Staff (11,265 points)

                  Does iOS9, built with SDK9, provide exceptions to use SHA-1 certs like the exception process for TLS1.0?

                  Yes, and no (-:

                  • Yes, in that you can disable ATS entirely for a domain using NSExceptionAllowsInsecureHTTPLoads.

                  • No, in that this is not a particularly good solution.  It doesn’t specifically undermine your security—things are still as secure as they were on iOS 8—but it runs counter to ATS’s goals.

                  • And again yes, as described in this thread.

                  • And again no, per my comments in that thread.

                  Share and Enjoy

                  Quinn "The Eskimo!"
                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                  let myEmail = "eskimo" + "1" + "@apple.com"

                    • Re: If IOS9 allows TLS1.0 exception then doesn't this automatically relax the SHA-256 restraint?
                      snuka Level 1 (0 points)

                      Hi Eskimo,

                      Can you please verify if NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey= is an error related to the failure related with the 3 ATS requirements(TLS1.2, forward secrecy, or SHA-256)? Or is there a list of error commands that I can refer to to investigate the cause of the error connection?

                        • Re: If IOS9 allows TLS1.0 exception then doesn't this automatically relax the SHA-256 restraint?
                          eskimo Apple Staff (11,265 points)

                          NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made.

                          That is a general error that’s intended to be displayed to users.  It’s returned if TLS server trust evaluation fails for any reason.

                          Or is there a list of error commands that I can refer to to investigate the cause of the error connection?

                          In most cases you’ll find, nested within an error like this, a Secure Transport error code (-98xx).  You can find a list of those in.

                          However, in many cases those errors are very generic.  For example, errSSLXCertChainInvalid simply means that TLS server trust evaluation failed.  Technote 2232 HTTPS Server Trust Evaluation discusses the most common cause of these failures and gives a pointer, in the Investigating Hard-To-Debug Trust Evaluation Failures section, to techniques you can use to debug the less common ones.

                          Share and Enjoy

                          Quinn "The Eskimo!"
                          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                          let myEmail = "eskimo" + "1" + "@apple.com"

                            • Re: If IOS9 allows TLS1.0 exception then doesn't this automatically relax the SHA-256 restraint?
                              snuka Level 1 (0 points)

                              Thanks for the fast response Eskimo. I have another question. I'm trying to bypass the ATS from a list of domains. Can you please verify that this snippet below would allow me to bypass the ATS for all the content from *.mysite.com URLs?

                              <key>NSAppTransportSecurity</key>
                              <dict>
                                    <key>NSExceptionDomains</key>
                                    <dict>
                                          <key>*.mysite </key>
                                          <dict>
                                                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                                                <false/>
                                                <key>NSIncludesSubdomains</key>
                                                <true/>
                                          </dict>
                                    </dict>
                              </dict>

                                • Re: If IOS9 allows TLS1.0 exception then doesn't this automatically relax the SHA-256 restraint?
                                  eskimo Apple Staff (11,265 points)

                                  Can you please verify that this snippet below would allow me to bypass the ATS for all the content from *.mysite.com URLs?

                                  That’s not right, alas. There are three problems with the key you use within NSExceptionDomains (*.mysite)…

                                  • NSExceptionDomains does not support “*”

                                  • you need the trailing .com

                                  • there seems to be a rogue space in there

                                  So, you should replace *.mysite with mysite.com.  Once you do that, the exception will apply to mysite.com and all domains within mysite.com.

                                  In addition, within your exception you’ve set NSExceptionAllowsInsecureHTTPLoads to false when you should set it to true.

                                  Share and Enjoy

                                  Quinn "The Eskimo!"
                                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                  let myEmail = "eskimo" + "1" + "@apple.com"

                                    • Re: If IOS9 allows TLS1.0 exception then doesn't this automatically relax the SHA-256 restraint?
                                      snuka Level 1 (0 points)

                                      @Eskimo,

                                      Love your deep diving endeavors to actually dig into the code. Great customer service. Per your advice, I've modified the code. Can you verify if the code under would allow my app to bypass all the ATS requirements (TLS1.2, SHA-256, and forward secrecy) for the domain+subdomains for mysite.net? And just to be clear, this would still restrict the contents to be allowed only using HTTPS?

                                      Thanks!!

                                      <key>NSAppTransportSecurity</key>
                                      <dict>
                                            <key>NSExceptionDomains</key>
                                            <dict>
                                                  <key>mysite.net</key>
                                                  <dict>
                                                        <key>NSIncludesSubdomains</key>
                                                        <true/>
                                                  </dict>
                                            </dict>
                                      </dict>

                                        • Re: If IOS9 allows TLS1.0 exception then doesn't this automatically relax the SHA-256 restraint?
                                          eskimo Apple Staff (11,265 points)

                                          Can you verify if the code under would allow my app to bypass all the ATS requirements (TLS1.2, SHA-256, and forward secrecy) for the domain+subdomains for mysite.net?

                                          That’s still not right.  In addition to NSIncludesSubdomains you will also need NSExceptionAllowsInsecureHTTPLoads set to true.

                                          And just to be clear, this would still restrict the contents to be allowed only using HTTPS?

                                          NSExceptionAllowsInsecureHTTPLoads allows you to use either HTTP or HTTPS for the specified domains.

                                          Share and Enjoy

                                          Quinn "The Eskimo!"
                                          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                          let myEmail = "eskimo" + "1" + "@apple.com"
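
Added example, not part of the thread and not Apple's code: a small Python audit that parses an Info.plist and reports, for each NSExceptionDomains entry, the key problems and the effect of the exception as discussed in the replies above. The three sample plists are constructed from the snippets in the thread; `audit_ats` and `sample` are hypothetical names, and only the three ATS keys named in the thread are checked.

```python
import plistlib

def audit_ats(plist_bytes):
    """Return (domain_key, finding) pairs for each NSExceptionDomains entry."""
    info = plistlib.loads(plist_bytes)
    domains = info.get("NSAppTransportSecurity", {}).get("NSExceptionDomains", {})
    findings = []
    for key, exc in domains.items():
        name = key.strip()
        # The three domain-key problems called out in the thread.
        if "*" in name:
            findings.append((key, "wildcard not supported in domain key"))
        if name != key:
            findings.append((key, "stray whitespace in domain key"))
        if "." not in name.lstrip("*."):
            findings.append((key, "domain key has no top-level domain"))
        # What the exception relaxes (only keys named in the thread are checked).
        scope = " (subdomains included)" if exc.get("NSIncludesSubdomains") else ""
        if exc.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append((key, "ATS disabled: HTTP and HTTPS allowed" + scope))
        elif "NSExceptionMinimumTLSVersion" in exc:
            findings.append((key, "minimum TLS lowered to "
                             + exc["NSExceptionMinimumTLSVersion"] + scope))
        else:
            findings.append((key, "no relaxation among checked keys"))
    return findings

def sample(domain, body):
    """Build a constructed Info.plist holding one exception domain."""
    return ('<plist version="1.0"><dict><key>NSAppTransportSecurity</key><dict>'
            '<key>NSExceptionDomains</key><dict><key>' + domain + '</key><dict>'
            + body + '</dict></dict></dict></dict></plist>').encode()

# Constructed from the two snippets posted in the thread, plus the corrected form.
FIRST = sample("*.mysite ", "<key>NSExceptionAllowsInsecureHTTPLoads</key><false/>"
               "<key>NSIncludesSubdomains</key><true/>")
SECOND = sample("mysite.net", "<key>NSIncludesSubdomains</key><true/>")
FIXED = sample("mysite.net", "<key>NSExceptionAllowsInsecureHTTPLoads</key><true/>"
               "<key>NSIncludesSubdomains</key><true/>")

if __name__ == "__main__":
    for label, doc in (("first", FIRST), ("second", SECOND), ("fixed", FIXED)):
        for key, finding in audit_ats(doc):
            print(f"{label}: {key!r}: {finding}")
```

Run against a shipped app's Info.plist, the "ATS disabled" finding marks the domains where plain HTTP is permitted and server certificates are no longer held to the ATS requirements.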