If IOS9 allows TLS1.0 exception then doesn't this automatically relax the SHA-256 restraint?

It's noted in https://developer.apple.com/library/prerelease/ios/technotes/App-Transport-Security-Technote/ that SDK9 will not allow SHA-256 certs or above. But also there is a TLS1.1 and under exeption process.

NSExceptionMinimumTLSVersion. Since only the TLS1.2 protocol can use a SHA-256 cert while the lower versions can't, doesn't the use of this exception allow the developers use the SHA-1 certs? If so, the message below seems conflicting and requires an exception of SHA-1 cert message as well.


"Certificates must be signed using a SHA256 or better signature hash algorithm, with either a 2048 bit or greater RSA key or a 256 bit or greater Elliptic-Curve (ECC) key. Invalid certificates result in a hard failure and no connection."

Replies

I’m confused: why do you think that TLS 1.0 doesn’t support SHA2/256 certificates. Remember that is not the TLS cypher suite we’re talking about, but the signature hash algorithm within the certificate itself.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks for getting back Eskimo. Let me refine my question.


Let's forget about the cipher suites. Does IOS9, built with SDK9, provide exceptions to use SHA-1 certs like the exception process for TLS1.0? From the technote, it sounds like the answer is NO but I wanted to reconfirm to avoid any misinterpretations.


Thanks

Does iOS9, built with SDK9, provide exceptions to use SHA-1 certs like the exception process for TLS1.0?

Yes, and no (-:

  • Yes, in that you can disable ATS entirely for a domain using

    NSExceptionAllowsInsecureHTTPLoads
    .
  • No, in that this is not a particularly good solution. It doesn’t specifically undermine your security—things are still as secure as they were on iOS 8—but it runs counter to ATS’s goals.

  • And again yes, as described in this thread.

  • And again no, per my comments in that thread.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Eskimo,


Can you please verify if NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey= is an error related to the failure related with the 3 ATS requirements(TLS1.2, forward secrecy, or SHA-256)? Or is there a list of error commands that I can refer to to investigate the cause of the error connection?

NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made.

That is a general error that’s intended to be displayed to users. It’s returned if TLS server trust evaluation fails for any reason.

Or is there a list of error commands that I can refer to to investigate the cause of the error connection?

In most cases you’ll find, nested within an error like this, a Secure Transport error code (-98xx). You can find a list of those in.

However, in many cases those errors are very generic. For example,

errSSLXCertChainInvalid
simply means that TLS server trust evaluation failed. Technote 2232 HTTPS Server Trust Evaluation discusses the most common cause of these failures and gives a pointer, in the Investigating Hard-To-Debug Trust Evaluation Failures section, to techniques you can use to debug the less common ones.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks for the fast response Eskimo. I have another question. I'm trying to bypass the ATS from a list of domains. Can you please verify that this snippet below would allow me to bypass the ATS for all the content from *.mysite.com URLs?



<key>NSAppTransportSecurity</key>

<dict>

<key>NSExceptionDomains</key>

<dict>

<key>*.mysite </key>

<dict>

<key>

NSExceptionAllowsInsecureHTTPLoads
</key>

<false/>

<key>NSIncludesSubdomains</key>

<true/>

</dict>

</dict>

</dict>

Can you please verify that this snippet below would allow me to bypass the ATS for all the content from *.mysite.com URLs?

That’s not right, alas. There's three problems with the key you use within

NSExceptionDomains
(
*.mysite
)…
  • NSExceptionDomains
    does not support “*”
  • you need the trailing

    .com
  • there seems to be a rogue space in there

So, you should replace

*.mysite
with
mysite.com
. Once you do that, the exception will apply to
mysite.com
and all domains within
mysite.com
.

In addition, within your exception you’ve set

NSExceptionAllowsInsecureHTTPLoads
to false when you should set it to true.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

@Eskimo,


Love your deep diving endeavors to actually dig into the code. Great customer service. Per your advice, I've modified the code. Can you verify is the code under would allow my app to bypass all the ATS requirements(TLS1.2, SHA-256, and forward secrecy) for the domain+subdomains for mysite.net? And just to be clear, this would still restrict the contents to be allowed only using HTTPS?


Thanks!!


<key>NSAppTransportSecurity</key>

<dict>

<key>NSExceptionDomains</key>

<dict>

<key>mysite.net</key>

<dict>

<key>NSIncludesSubdomains</key>

<true/>

</dict>

</dict>

</dict>

Can you verify is the code under would allow my app to bypass all the ATS requirements(TLS1.2, SHA-256, and forward secrecy) for the domain+subdomains for mysite.net?

That’s still not right. In addition to

NSIncludesSubdomains
you will also need
NSExceptionAllowsInsecureHTTPLoads
set to true.

And just to be clear, this would still restrict the contents to be allowed only using HTTPS?

NSExceptionAllowsInsecureHTTPLoads
allows you to use either HTTP and HTTPS for the specified domains.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"