make an application which will communicate seamlessly over HTTPS with multiple servers.

Hi

I'm trying to make an app which will communicate with our multiple servers over HTTPS. I'm using my company's own Root CA, which is bundled in our app, and ATS fully enabled (NSAllowsArbitraryLoads set to False).

On a network request I'm receiving the error below. Using TLSTool (--ats-diagnostics) to test the connection produces the same error as when running the app:


```
Default ATS Secure Connection

ATS Default Connection

ATS Dictionary:
{
}
2019-04-23 12:18:18.450 nscurl[34429:2491536] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=(
    "<cert(0x7fa197833200) s: IT i: IT>"
), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=<MY URL>, NSErrorFailingURLStringKey=<MY URL>, NSUnderlyingError=0x7fa196c2ad30 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x7fa196d1db50>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=(
    "<cert(0x7fa197833200) s: IT i: IT>"
)}}, _NSURLErrorRelatedURLSessionTaskErrorKey=(
    "LocalDataTask <75AEFFA7-BCF1-46C8-86E7-85E7A806A39D>.<1>"
), _kCFStreamErrorCodeKey=-9802, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <75AEFFA7-BCF1-46C8-86E7-85E7A806A39D>.<1>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x7fa196d1db50>, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made.}
```

When the Root CA certificate is installed and trusted on the device, HTTPS communication with ATS enabled works without any error. But I don't want the user to manually install and trust the Root CA on the device.

I can't allow an exception for a specific domain, since the app will connect to multiple servers with the same certificate.

I want to upload the app to the App Store and don't want an exception for all connections (NSAllowsArbitraryLoads set to true).

Replies

> But I don't want the user to manually install and trust the Root CA on the device.

The best solution here depends on your deployment environment:

  • If you’re building an app for a managed environment — and, specifically, for deployment to the organisation that issued this root CA — you should push the root CA via MDM.

  • If you’re building an app for wide deployment, you should configure your servers to use a system-trusted certificate (that is, a certificate issued by a system-trusted CA). These days this is both cheap and easy (with “cheap” being “free” in some cases).

If you’re unable to implement either of the above, you are going to need App Transport Security (ATS) exceptions. ATS imposes a number of security requirements above and beyond the standard RFC 2818-style TLS server trust evaluation done by default, and one of those requirements is that the certificate must be issued by a system-trusted CA. If you need to connect to a server whose certificate is issued by a custom CA, and you can’t adopt one of the approaches above, you must disable ATS for the domain you’re connecting to.

That’s not the end of this however. You must also override the standard TLS server trust evaluation to trust your custom CA. How you do this depends on the API you’re using. Technote 2232 HTTPS Server Trust Evaluation has a reasonable summary.

Note: For some APIs it’s simply not possible to override TLS server trust evaluation, which is one of the reasons my recommended approaches don’t require this.

WARNING: If you incorrectly override your TLS server trust evaluation, you can defeat some or all of the security provided by TLS. This is another reason why I recommend an ATS-compatible approach.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
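For the "override the standard TLS server trust evaluation" step described in the reply above, here is an added illustration (not Quinn's code and not taken from the technote) of a URLSession delegate that anchors trust to the root CA bundled with the app. It assumes the root is handed in as DER bytes (for example, loaded from the app bundle) and that the per-domain ATS exception the reply requires is already in Info.plist.

```swift
import Foundation
import Security

/// Session delegate that accepts a server only if its certificate chain
/// validates up to the app's bundled root CA for the hostname being dialed.
final class BundledRootCASessionDelegate: NSObject, URLSessionDelegate {
    private let bundledRoot: SecCertificate

    /// `rootCADER` is assumed to be the DER encoding of the company root CA.
    init?(rootCADER: Data) {
        guard let cert = SecCertificateCreateWithData(nil, rootCADER as CFData) else {
            return nil  // not valid DER, refuse to build a delegate that would trust nothing sensible
        }
        bundledRoot = cert
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        // Only the server-trust challenge is handled here; everything else keeps default behaviour.
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = space.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Re-apply an SSL policy bound to the host we actually connected to, so a
        // certificate issued by our CA for some other host is still rejected.
        let policy = SecPolicyCreateSSL(true, space.host as CFString)
        SecTrustSetPolicies(trust, policy)

        // Evaluate against the bundled root *only*; the system trust store is not consulted.
        SecTrustSetAnchorCertificates(trust, [bundledRoot] as CFArray)
        SecTrustSetAnchorCertificatesOnly(trust, true)

        var evaluationError: CFError?
        if SecTrustEvaluateWithError(trust, &evaluationError) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Any failure (wrong issuer, expired, hostname mismatch) cancels the connection
            // rather than falling back to a weaker check.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}
```

Because evaluation uses the bundled root as the sole anchor together with a hostname-bound SSL policy, a chain from any other CA, or a leaf issued for a different host, fails closed instead of being silently accepted.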