Does NSAppTransportSecurity enforce port 443 usage?

I have two different servers for private testers and public users.

The staging (or test/dev) server uses a self-signed certificate, WoSign.

I added this profile to the testing device (sent it via email).

Everything seems fine.


Later, the staging server moved to its new port: 943.


And now I have this incorrect NSAppTransportSecurity part.


<key>NSAppTransportSecurity</key>
<dict>
  <key>NSAllowsArbitraryLoads</key>
  <false/>
  <key>NSExceptionDomains</key>
  <dict>
    <key>example.com</key>
    <dict>
      <key>NSTemporaryExceptionMinimumTLSVersion</key>
      <string>TLSv1.0</string>
      <key>NSTemporaryExceptionRequiresForwardSecrecy</key>
      <false/>
    </dict>
  </dict>
</dict>


I also tried to change NSExceptionDomains to example.com:943, but seems no changes.


<key>NSAppTransportSecurity</key>
<dict>
  <key>NSAllowsArbitraryLoads</key>
  <false/>
  <key>NSExceptionDomains</key>
  <dict>
    <key>example.com:943</key>
    <dict>
      <key>NSTemporaryExceptionMinimumTLSVersion</key>
      <string>TLSv1.0</string>
      <key>NSTemporaryExceptionRequiresForwardSecrecy</key>
      <false/>
    </dict>
  </dict>
</dict>

Replies

ATS ignores port numbers. Specifically:

  • the port number on your outgoing requests is ignored

  • the NSExceptionDomains dictionary keys don’t support port numbers

You wrote:

I also tried to change NSExceptionDomains to example.com:943, but seems no changes.

When you add a port number like this, you simply cause ATS to ‘miss’ that NSExceptionDomains entry, which means it hits the default entry instead. I learnt that lesson myself the hard way.

I’m not sure what’s going on with your test setup. To offer any suggestions I’d need to see some more specific details about your server.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
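
The behaviour described in the reply above, as an added example that is not part of the original thread and not Apple's code: a Python check that finds NSExceptionDomains keys carrying a port suffix and models the lookup as an exact host-name match with the request's port dropped. The function names, the sample plist and the simplified matching (no NSIncludesSubdomains handling) are assumptions made for this illustration.

```python
import plistlib
import re
from urllib.parse import urlsplit

# Constructed Info.plist, modelled on the second plist in the question.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><false/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>example.com:943</key>
      <dict>
        <key>NSTemporaryExceptionMinimumTLSVersion</key>
        <string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict></plist>
"""

PORT_SUFFIX = re.compile(r":\d+$")

def exception_domains(plist_bytes):
    """Return the NSExceptionDomains dictionary, or {} if absent."""
    info = plistlib.loads(plist_bytes)
    return info.get("NSAppTransportSecurity", {}).get("NSExceptionDomains", {})

def keys_with_port(plist_bytes):
    """List exception keys that carry a port suffix and so never match."""
    return [k for k in exception_domains(plist_bytes) if PORT_SUFFIX.search(k)]

def matched_entry(plist_bytes, url):
    """Simplified model: drop the request's port, compare host name to keys.
    Returns the matching exception dict, or None for the default policy."""
    host = (urlsplit(url).hostname or "").lower()
    return exception_domains(plist_bytes).get(host)

def strip_ports(plist_bytes):
    """Return plist bytes with port suffixes removed from exception keys."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    domains = ats.get("NSExceptionDomains", {})
    ats["NSExceptionDomains"] = {PORT_SUFFIX.sub("", k): v for k, v in domains.items()}
    return plistlib.dumps(info)
```

Running `keys_with_port` over an app's Info.plist in CI catches an exception entry that silently falls through to the default policy.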