ATS Exceptions and iOS 10

Question

I've noticed some strange behavior with my apps running on devices with iOS 10 beta 1 & 2. I have NSAllowsArbitraryLoads set as the services are not ATS compliant yet. On iOS 9 devices, I can connect to all of my domains just fine, however, on iOS 10 I can only connect to a single domain that is ATS compliant. All other domains aren't ATS compliant and I cannot connect to them. Is this intended behavior or a bug?

Beta
iOS

7.7k

Posted by

madsolar8582

Reply

Add a Comment

Answer 1

Did you get a solution or is this resolved?

Posted by

Dvyz

Add a Comment

Answer 2

Still waiting on a reply. I've logged this as radar 27301180.

Posted by

madsolar8582

Add a Comment

Answer 3

Have you checked the certificate chain to see if SHA-1 signatures are used? If so, that's most likely why. iOS 10 is much nore strict than iOS 9, and ATS exception may not work for your specific case. I'm waiting for a confirmation on that. Try to connect to that server using a browser that allows for certificate inspection.

from the iOS 10 documenation:

The RC4 symmetric cipher suite is now disabled by default for all SSL/TLS connections, and SSLv3 is no longer supported in the Secure Transports API. It’s recommended that you stop using the SHA-1 and 3DES cryptographic algorithms as soon as possible.

regards,

Neal

Posted by

neal1

Add a Comment

Answer 4

I've attached the diagnostic information from OpenSSL, nscurl, & nmap. As far as I can tell, using NSAllowsArbitraryLoads results in PASS and I can get a TLS v1.2 connection with a modern cipher.

/usr/local/Cellar/openssl/1.0.2h_1/bin/openssl s_client -connect ambulatory.stagingcernerpowerchart.com:443 -showcerts -status 
CONNECTED(00000003)
OCSP response: no response sent
depth=3 C = US, O = "Entrust, Inc.", OU = www.entrust.net/CPS is incorporated by reference, OU = "(c) 2006 Entrust, Inc.", CN = Entrust Root Certification Authority
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
0 s:/C=US/ST=Missouri/L=Kansas CIty/O=Cerner Corporation/CN=*.stagingcernerpowerchart.com
   i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
-----BEGIN CERTIFICATE-----
MIIFZDCCBEygAwIBAgIEUNVeTjANBgkqhkiG9w0BAQsFADCBujELMAkGA1UEBhMC
VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50
cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAyMDEyIEVudHJ1c3Qs
IEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEuMCwGA1UEAxMlRW50cnVz
dCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEwxSzAeFw0xNTA5MTYxNDExMzNa
Fw0xNzA5MTUxNzEzMzNaMHsxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhNaXNzb3Vy
aTEUMBIGA1UEBxMLS2***2FzIENJdHkxGzAZBgNVBAoTEkNlcm5lciBDb3Jwb3Jh
dGlvbjEmMCQGA1UEAxQdKi5zdGFnaW5nY2VybmVycG93ZXJjaGFydC5jb20wggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCboF+f/MyKrnZMgsqLGHH+prSg
ZvDHunZSRBaes8bpPer+N8EqSWuAvGtksDYyNhF5Pvnm5XlJkgNLnllDv/D+x6WU
1iCcY5sCGlLBKaQQs6t3V7g/eCKhhYHTvul33dKc8GTrBmwG9mpy4yukcwhqghqi
qItC3sD2CH552YghuHcfGHG65leGeddkDwtBp6ufc47h/kE/PYGAENjdWYmhN3c/
qEQWV3hDLQAgLaPIEocIR/jP9VeIhA85PPnpsSwyeh6t5R0RS48Rc/JzBMIGviNp
g+Fo93KwWkNF94b0GUQC2iWPQrJ0kg2ON1Nx7HNkctjF0yBFsdigbfOm4vi5AgMB
AAGjggGuMIIBqjALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
AQUFBwMCMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9jcmwuZW50cnVzdC5uZXQv
bGV2ZWwxay5jcmwwSwYDVR0gBEQwQjA2BgpghkgBhvpsCgEFMCgwJgYIKwYBBQUH
AgEWGmh0dHA6Ly93d3cuZW50cnVzdC5uZXQvcnBhMAgGBmeBDAECAjBoBggrBgEF
BQcBAQRcMFowIwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLmVudHJ1c3QubmV0MDMG
CCsGAQUFBzAChidodHRwOi8vYWlhLmVudHJ1c3QubmV0L2wxay1jaGFpbjI1Ni5j
ZXIwRQYDVR0RBD4wPIIdKi5zdGFnaW5nY2VybmVycG93ZXJjaGFydC5jb22CG3N0
YWdpbmdjZXJuZXJwb3dlcmNoYXJ0LmNvbTAfBgNVHSMEGDAWgBSConB03bxTP897
1PfNf6dgxgpMvzAdBgNVHQ4EFgQU2UdE2A7UffN5Yz8Nba+HyejVjRowCQYDVR0T
BAIwADANBgkqhkiG9w0BAQsFAAOCAQEAg7nUrFlEopqJSurFSB/u4kHotDfuG3P4
f4jQ6Dmfpx7oMxweu7y01jl7q73//0tj/sm3oNBGH8iqRxcalKKpxkmxRQenm+5k
au5cgAt4nOhzVMsVovzBaeyf7ej291TlUfiQznq0e7UT/FCv6suF8eT5k4GIFR9X
ImRB/bUN/fSJs0Ocxzq15ZK2VEQMQmUQl9gGOBTR3GWlswWZGMyDwq6sGes7fYa4
aTIILmGSHpfKtYA0tyJZd9w+OIwX5dO1z2IQ3hhvUo9IaB+Q0FG1WiF05ZdERYje
aVPhxbnKmzRb3eH/tLldkhWB1qY3AGHi9iKZdoGenSfRNd5uuoWMzg==
-----END CERTIFICATE-----
1 s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
   i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
-----BEGIN CERTIFICATE-----
MIIFAzCCA+ugAwIBAgIEUdNg7jANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMC
VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50
cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3Qs
IEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEyMDAGA1UEAxMpRW50cnVz
dCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzIwHhcNMTQxMDIyMTcw
NTE0WhcNMjQxMDIzMDczMzIyWjCBujELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVu
dHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50cnVzdC5uZXQvbGVnYWwt
dGVybXMxOTA3BgNVBAsTMChjKSAyMDEyIEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0
aG9yaXplZCB1c2Ugb25seTEuMCwGA1UEAxMlRW50cnVzdCBDZXJ0aWZpY2F0aW9u
IEF1dGhvcml0eSAtIEwxSzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
ANo/ltBNuS9E59s5XptQ7lylYdpBZ1MJqgCajld/KWvbx+EhJKo60I1HI9Ltchbw
kSHSXbe4S6iDj7eRMmjPziWTLLJ9l8j+wbQXugmeA5CTe3xJgyJoipveR8MxmHou
fUAL0u8+07KMqo9Iqf8A6ClYBve2k1qUcyYmrVgO5UK41epzeWRoUyW4hM+Ueq4G
RQyja03Qxr7qGKQ28JKyuhyIjzpSf/debYMcnfAf5cPW3aV4kj2wbSzqyc+UQRlx
RGi6RzwE6V26PvA19xW2nvIuFR4/R8jIOKdzRV1NsDuxjhcpN+rdBQEiu5Q2Ko1b
Nf5TGS8IRsEqsxpiHU4r2RsCAwEAAaOCAQkwggEFMA4GA1UdDwEB/wQEAwIBBjAP
BgNVHRMECDAGAQH/AgEAMDMGCCsGAQUFBwEBBCcwJTAjBggrBgEFBQcwAYYXaHR0
cDovL29jc3AuZW50cnVzdC5uZXQwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL2Ny
bC5lbnRydXN0Lm5ldC9nMmNhLmNybDA7BgNVHSAENDAyMDAGBFUdIAAwKDAmBggr
BgEFBQcCARYaaHR0cDovL3d3dy5lbnRydXN0Lm5ldC9ycGEwHQYDVR0OBBYEFIKi
cHTdvFM/z3vU981/p2DGCky/MB8GA1UdIwQYMBaAFGpyJnrQHu995ztpUdRsjZ+Q
EmarMA0GCSqGSIb3DQEBCwUAA4IBAQA/HBpb/0AiHY81DC2qmSerwBEycNc2KGml
jbEnmUK+xJPrSFdDcSPE5U6trkNvknbFGe/KvG9CTBaahqkEOMdl8PUM4ErfovrO
GhGonGkvG9/q4jLzzky8RgzAiYDRh2uiz2vUf/31YFJnV6Bt0WRBFG00Yu0GbCTy
BrwoAq8DLcIzBfvLqhboZRBD9Wlc44FYmc1r07jHexlVyUDOeVW4c4npXEBmQxJ/
B7hlVtWNw6f1sbZlnsCDNn8WRTx0S5OKPPEr9TVwc3vnggSxGJgO1JxvGvz8pzOl
u7sY82t6XTKH920l5OJ2hiEeEUbNdg5vT6QhcQqEpy02qUgiUX6C
-----END CERTIFICATE-----
2 s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
   i:/C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority
-----BEGIN CERTIFICATE-----
MIIE/zCCA+egAwIBAgIEUdNARDANBgkqhkiG9w0BAQsFADCBsDELMAkGA1UEBhMC
VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0
Lm5ldC9DUFMgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMW
KGMpIDIwMDYgRW50cnVzdCwgSW5jLjEtMCsGA1UEAxMkRW50cnVzdCBSb290IENl
cnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTE0MDkyMjE3MTQ1N1oXDTI0MDkyMzAx
MzE1M1owgb4xCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJbmMuMSgw
JgYDVQQLEx9TZWUgd3d3LmVudHJ1c3QubmV0L2xlZ2FsLXRlcm1zMTkwNwYDVQQL
EzAoYykgMjAwOSBFbnRydXN0LCBJbmMuIC0gZm9yIGF1dGhvcml6ZWQgdXNlIG9u
bHkxMjAwBgNVBAMTKUVudHJ1c3QgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0
eSAtIEcyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuoS2ctueDGvi
mekwAad26jK4lUEaydphTlhyz/72gnm/c2EGCqUn2LNf00VOHHLWTjLycooP94MZ
0GqAgABFHrDH55q/ElcnHKNoLwqHvWprDl5l8xx31dSFjXAhtLMy54ui1YY5ArG4
0kfO5MlJxDun3vtUfVe+8OhuwnmyOgtV4lCYFjITXC94VsHClLPyWuQnmp8k18bs
0JslguPMwsRFxYyXegZrKhGfqQpuSDtv29QRGUL3jwe/9VNfnD70FyzmaaxOMkxi
d+q36OW7NLwZi66cUee3frVTsTMi5W3PcDwa+uKbZ7aD9I2lr2JMTeBYrGQ0EgP4
to2UYySkcQIDAQABo4IBDzCCAQswDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQI
MAYBAf8CAQEwMwYIKwYBBQUHAQEEJzAlMCMGCCsGAQUFBzABhhdodHRwOi8vb2Nz
cC5lbnRydXN0Lm5ldDAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmVudHJ1
c3QubmV0L3Jvb3RjYTEuY3JsMDsGA1UdIAQ0MDIwMAYEVR0gADAoMCYGCCsGAQUF
BwIBFhpodHRwOi8vd3d3LmVudHJ1c3QubmV0L0NQUzAdBgNVHQ4EFgQUanImetAe
733nO2lR1GyNn5ASZqswHwYDVR0jBBgwFoAUaJDkZ6SmU4DHhmak8fdLQ/uEvW0w
DQYJKoZIhvcNAQELBQADggEBAGkzg/woem99751V68U+ep11s8zDODbZNKIoaBjq
HmnTvefQd9q4AINOSs9v0fHBIj905PeYSZ6btp7h25h3LVY0sag82f3Azce/BQPU
AsXx5cbaCKUTx2IjEdFhMB1ghEXveajGJpOkt800uGnFE/aRs8lFc3a2kvZ2Clvh
A0e36SlMkTIjN0qcNdh4/R0f5IOJJICtt/nP5F2l1HHEhVtwH9s/HAHrGkUmMRTM
Zb9n3srMM2XlQZHXN75BGpad5oqXnafOrE6aPb0BoGrZTyIAi0TVaWJ7LuvMuueS
fWlnPfy4fN5Bh9Bp6roKGHoalUOzeXEodm2h+1dK7E3IDhA=
-----END CERTIFICATE-----
3 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority
   i:/C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority
-----BEGIN CERTIFICATE-----
MIIEkTCCA3mgAwIBAgIERWtQVDANBgkqhkiG9w0BAQUFADCBsDELMAkGA1UEBhMC
VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0
Lm5ldC9DUFMgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMW
KGMpIDIwMDYgRW50cnVzdCwgSW5jLjEtMCsGA1UEAxMkRW50cnVzdCBSb290IENl
cnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA2MTEyNzIwMjM0MloXDTI2MTEyNzIw
NTM0MlowgbAxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJbmMuMTkw
NwYDVQQLEzB3d3cuZW50cnVzdC5uZXQvQ1BTIGlzIGluY29ycG9yYXRlZCBieSBy
ZWZlcmVuY2UxHzAdBgNVBAsTFihjKSAyMDA2IEVudHJ1c3QsIEluYy4xLTArBgNV
BAMTJEVudHJ1c3QgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBALaVtkNC+sZtKm9I35RMOVcF7sN5EUFo
Nu3s/poBj6E4KPz3EEZmLk0eGrEaTsbRwJWIsMn/MYszA9u3g3s+IIRe7bJWKKf4
4LlAcTfFy0cOlypowCKVYhXbR9n10Cv/gkvJrT7eTNuQgFA/CYqEAOwwCj0Yzfv9
KlmaI5UXLEWeH25DeW0MXJj+SKfFI0dcXv1u5x609mhF0YaDW6KKjbHjKYD+JXGI
rb68j6xSlkuqUY3kEzEZ6E5Nn9uss2rVvDlUccp6en+Q3X0dgNmBu1kmwhH+5pPi
94DkZfs0Nw4pgHBNrziGLp5/V6+eF67rHMsoIV+2HNjnogQi+dPa2MsCAwEAAaOB
sDCBrTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zArBgNVHRAEJDAi
gA8yMDA2MTEyNzIwMjM0MlqBDzIwMjYxMTI3MjA1MzQyWjAfBgNVHSMEGDAWgBRo
kORnpKZTgMeGZqTx90tD+4S9bTAdBgNVHQ4EFgQUaJDkZ6SmU4DHhmak8fdLQ/uE
vW0wHQYJKoZIhvZ9B0EABBAwDhsIVjcuMTo0LjADAgSQMA0GCSqGSIb3DQEBBQUA
A4IBAQCT1DCw1wMgKtD5Y+iRDAUgqV8ZyntyTtSx29CW+1RaGSwMCPeyvIWonX9t
O1KzKtvn1ISMY/YPyyYBkVBs9F8U4pN0wBOeMDpQ47RgxRzwIkSNcUesyBrJ6Zua
AGAT/3B+XxFNSRuzFVJ7yVTav52Vr2ua2J7p8eRDjeIRRDq/r72DQnNSi6q7pynP
9WQcCk3RvKqsnyrQ/39/2n3qse0wJcGE2jTSW3iDVuycNsMm4hH2Z0kdkquM++v/
eu6FSqdQgPCnXEqULl8FmTxSQeDNtGPPAUO6nIPcj2A781q0tHuu2guQOHXvgR1m
0vdXcDazv/wor3ElhVsT/h5/WrQ8
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=Missouri/L=Kansas CIty/O=Cerner Corporation/CN=*.stagingcernerpowerchart.com
issuer=/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
---
No client certificate CA names sent
---
SSL handshake has read 5321 bytes and written 659 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA
    Session-ID: A14B43981D768D8D57DE6DEA6742989D89A03E23313007AA70EE2A9119941800
    Session-ID-ctx:
    Master-Key: FD8B0AC4FC55793B33CA2CC805721F0D03A5863FE6FF712C7F25320D10D319D8DD3A5CA2D95D6686539F6DEE618504CB
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1469041087
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---

Starting ATS Diagnostics

Configuring ATS Info.plist keys and displaying the result of HTTPS loads to https://amb.stagingcernerpowerchart.com/.
A test will "PASS" if URLSession:task:didCompleteWithError: returns a nil error.
================================================================================

Default ATS Secure Connection
---
ATS Default Connection
ATS Dictionary:
{
}
2016-07-20 08:57:46.647 nscurl[13696:73902] CFNetwork SSLHandshake failed (-9824)
2016-07-20 08:57:46.647 nscurl[13696:73902] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9824, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7f9ac1d15330 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9824, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9824}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://amb.stagingcernerpowerchart.com/, NSErrorFailingURLStringKey=https://amb.stagingcernerpowerchart.com/, _kCFStreamErrorDomainKey=3}
---

================================================================================

Allowing Arbitrary Loads

---
Allow All Loads
ATS Dictionary:
{
    NSAllowsArbitraryLoads = true;
}
Result : PASS
---

================================================================================

Configuring TLS exceptions for amb.stagingcernerpowerchart.com

---
TLSv1.2
ATS Dictionary:
{
    NSExceptionDomains =     {
        "amb.stagingcernerpowerchart.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.2";
        };
    };
}
2016-07-20 08:57:46.775 nscurl[13696:73902] CFNetwork SSLHandshake failed (-9824)
2016-07-20 08:57:46.776 nscurl[13696:73902] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9824, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7f9ac4200a70 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9824, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9824}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://amb.stagingcernerpowerchart.com/, NSErrorFailingURLStringKey=https://amb.stagingcernerpowerchart.com/, _kCFStreamErrorDomainKey=3}
---

---
TLSv1.1
ATS Dictionary:
{
    NSExceptionDomains =     {
        "amb.stagingcernerpowerchart.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.1";
        };
    };
}
2016-07-20 08:57:46.791 nscurl[13696:73902] CFNetwork SSLHandshake failed (-9824)
2016-07-20 08:57:46.792 nscurl[13696:73902] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9824, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7f9ac1d156a0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9824, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9824}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://amb.stagingcernerpowerchart.com/, NSErrorFailingURLStringKey=https://amb.stagingcernerpowerchart.com/, _kCFStreamErrorDomainKey=3}
---

---
TLSv1.0
ATS Dictionary:
{
    NSExceptionDomains =     {
        "amb.stagingcernerpowerchart.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.0";
        };
    };
}
2016-07-20 08:57:46.805 nscurl[13696:73902] CFNetwork SSLHandshake failed (-9824)
2016-07-20 08:57:46.806 nscurl[13696:73902] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9824, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7f9ac4300080 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9824, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9824}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://amb.stagingcernerpowerchart.com/, NSErrorFailingURLStringKey=https://amb.stagingcernerpowerchart.com/, _kCFStreamErrorDomainKey=3}
---

================================================================================

Configuring PFS exceptions for amb.stagingcernerpowerchart.com

---
Disabling Perfect Forward Secrecy
ATS Dictionary:
{
    NSExceptionDomains =     {
        "amb.stagingcernerpowerchart.com" =         {
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---

================================================================================

Configuring PFS exceptions and allowing insecure HTTP for amb.stagingcernerpowerchart.com

---
Disabling Perfect Forward Secrecy and Allowing Insecure HTTP
ATS Dictionary:
{
    NSExceptionDomains =     {
        "amb.stagingcernerpowerchart.com" =         {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---

================================================================================

Configuring TLS exceptions with PFS disabled for amb.stagingcernerpowerchart.com

---
TLSv1.2 with PFS disabled
ATS Dictionary:
{
    NSExceptionDomains =     {
        "amb.stagingcernerpowerchart.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.2";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---

---
TLSv1.1 with PFS disabled
ATS Dictionary:
{
    NSExceptionDomains =     {
        "amb.stagingcernerpowerchart.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.1";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---

---
TLSv1.0 with PFS disabled
ATS Dictionary:
{
    NSExceptionDomains =     {
        "amb.stagingcernerpowerchart.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.0";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---

================================================================================

Configuring TLS exceptions with PFS disabled and insecure HTTP allowed for amb.stagingcernerpowerchart.com

---
TLSv1.2 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
    NSExceptionDomains =     {
        "amb.stagingcernerpowerchart.com" =         {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionMinimumTLSVersion = "TLSv1.2";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---

---
TLSv1.1 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
    NSExceptionDomains =     {
        "amb.stagingcernerpowerchart.com" =         {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionMinimumTLSVersion = "TLSv1.1";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---

---
TLSv1.0 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
    NSExceptionDomains =     {
        "amb.stagingcernerpowerchart.com" =         {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionMinimumTLSVersion = "TLSv1.0";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---

================================================================================

Starting Nmap 7.12 ( https://nmap.org ) at 2016-07-20 12:24 CDT
Nmap scan report for amb.stagingcernerpowerchart.com (***.***.***.***)
Host is up (0.020s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: C

Posted by

madsolar8582

Add a Comment

Answer 5

Also try connecting to the service in question via the safari browser on your iOS 10 device. Compare that to connecting to other non-ATS compliant services and see if there's a difference. I'm almost 100% certain that your service's CA root certificate is using a weak signature algorithm for which there's no ATS exception that can be added.

Regards,

Neal

Posted by

neal1

Add a Comment

Answer 6

I'm waiting for my post to be moderated with the diagnostic information; hopefully it'll be available soon.

Posted by

madsolar8582

Add a Comment

Answer 7

Based on some additional testing, we've moved a test URL to a newer BIG-IP device and we're able to connect. However, I still beleive that our current setup should be working based on the information above.

Posted by

madsolar8582

Add a Comment

Answer 8

Your post is being moderated because of the diagnostics info? Same here.

Posted by

neal1

Add a Comment

Answer 9

I am facing a similar issue . We have a ATS non- compliant service that uses weak SHA-1 and when I access it on iOS 10 device via Safari it says "The network connection has lost" . As the service work fine on iOS 9 , I am still looking for any ATS exception (if any) that can be added to make it work. Did you find any reference or further communication from Apple on this issue ?

Further Analysis :

In iOS 8,9, after the first authentication challenge, and the Domain Controller responds with the Type2 message, the client request has a header value of:

Authorization=NTLM TlRMTVNTUAADAAAAGAAYAEAAAABgAGAAWAAAAAAAAAAAAAAAEAAQALgAAAAsACwAyAAAAAAAAAAAAAAABQIIAHjqT1BJj67CeqSEIDKHvtud0JTQdLB2LMamd/2gaLPzdopcCIMVV+wBAQAAAAAAAABnjhiQGtIBndCU0HSwdiwAAAAAAgAIAEEATQBFAFIAAQAcAEoAQwBJAEYAUwAyADUANABfADUANABfAEYAMgAAAAAAAAAAAGMAaABoAGEAYgBwADAANABDAEgASABBAEIAUgBBAC0AUABJAFkAVQBTAEgAcwAtAGkAUABoAG8AbgBlAA== The user is then successfully authenticated in this case.

Whereas , In iOS 10, after the first challenge, and the Domain Controller responds with the Type2 message, the client request has a header value of: Authorization=NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA= The authentication challenge again restarts because of insufficient information and the handshake does not complete and the connection fails.

Posted by

piyushchhabra

Add a Comment

ATS Exceptions and iOS 10

Replies