Which ATS exception keys do I use for encryption mismatch on cipher suite?

If I use TLSTool on https://3des.badssl.com it shows that the cipher suite is ECDHE_RSA_WITH_3DES_EDE_CBC_SHA. I was assuming setting NSExceptionAllowsInsecureHTTPLoads=true would make this cipher work, but it doesn't work unless I also set NSExceptionRequiresForwardSecrecy=false. This seems like what I would do if my cipher suite was something like RSA_WITH_3DES_EDE_CBC_SHA where it's not supporting PFS and the encryption method doesn't match. But then again NSExceptionRequiresForwardSecrecy is really just a way to give you access to these specific cipher suites:


  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA


So I think I'm just confused about which keys to use for different unsupported cipher suites.

Up vote post of ggggg99999 Down vote post of ggggg99999
412 views
Posted by
ggggg99999
Reply
Add a Comment

Replies

In general 

NSExceptionAllowsInsecureHTTPLoads
just enables plain HTTP loads; it does not affect the HTTPS side of things. I’m in two minds as to whether that’s correct behaviour or not, but if you have a strong opinion about this I recommend you put that in a bug report.

As to why 

NSExceptionRequiresForwardSecrecy
enables 3DES but only when 
NSExceptionAllowsInsecureHTTPLoads
is also set, yeah, that’s definitely weird. I’m not sure whether that’s intended behaviour or an artefact of the implementation. If you need a definitive answer about that, you should open a DTS tech support incident and I’ll dig into it. If not, I recommend you file a bug against the ATS documentation to get things clarified there.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

Ok I think I was making bad assumptions about NSExceptionAllowsInsecureHTTPLoads then because there's at least one special case where you can use it to use HTTPS with things like self-signed certs. So if a cipher suite is not in the main ATS cipher list or the non-PFS cipher list, is it not possible to use some sort of exception to use HTTPS with ATS (besides what I did in my first post)? I only tried that combination because I saw that test pass in nscurl.

Posted by
ggggg99999
Up vote reply of ggggg99999 Down vote reply of ggggg99999
Add a Comment