Question posted in Xcode
Whether you're new to Xcode or an experienced developer, our archive has everything you need to know about this integrated development environment (IDE). From basic functionalities to advanced features, our archive covers a wide range of Xcode-related questions and answers. Browse our archive now and find solutions to your Xcode questions, and take your app development skills to the next level

Xcode – SSL failing with Allow Arbitrary Loads = false

Ameret
August 17, 2021
209 views
0 votes
2 Answers

As per my requirement i should not make Allow Arbitrary Loads = true. So i set to false.

And i am allowing the trust certificate on my URLsession delegate.

My url : https://sample-app.10.names.io

code :

public func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
       //Trust the certificate even if not valid
       let urlCredential = URLCredential(trust: challenge.protectionSpace.serverTrust!)
       completionHandler(.useCredential, urlCredential)
    }

My error :

Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?,

If I make Allow Arbitrary Loads = true, then only its working. But as per my requirement i should not change to true. Any suggestion would be helpful.

Thanks

Update:

I tried this below too :

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>https://sample-app.10.names.io</key>
        <dict>
            <!--Include to allow subdomains-->
            <key>NSIncludesSubdomains</key>
            <true/>
            <!--Include to allow HTTP requests-->
            <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <!--Include to specify minimum TLS version-->
            <key>NSTemporaryExceptionMinimumTLSVersion</key>
            <string>TLSv1.1</string>
        </dict>
    </dict>
</dict>

Answers

If you are actively using Alamofire in your project, I suggest you use the built-in Session that can be configured to use your server trust certificate without much hassle. Here is some code on how it is setup in one of my projects.

class SessionManagerProvider {

// MARK: - State

let hosts: [String]
let disableEvaluation: Bool

// MARK: - Init

init(urls: [URL], disableEvaluation: Bool = false) {
    hosts = urls.compactMap { $0.host }
    self.disableEvaluation = disableEvaluation
}

// MARK: - Factory

func make() -> Session {
    // Configure network client with SSL pinning.
    let configuration = URLSessionConfiguration.af.default
    configuration.timeoutIntervalForRequest = Constants.Backend.timeoutIntervalForRequest
    configuration.timeoutIntervalForResource = Constants.Backend.timeoutIntervalForResource
    // Allow more connections than API requests to avoid an issue, when URLSession starts to
    // time-out requests when there are too many connections.
    configuration.httpMaximumConnectionsPerHost = Constants.maxConcurrentApiCalls * 2
    let policies = serverTrustPolicies(disableEvaluation: disableEvaluation)
    let securityManager = ServerTrustManager(evaluators: policies)
    let sessionManager = Session(configuration: configuration, serverTrustManager: securityManager)
    return sessionManager
}

private func serverTrustPolicies(disableEvaluation: Bool) -> [String: ServerTrustEvaluating] {
    var policies: [String: ServerTrustEvaluating] = [:]

    for host in hosts {
        if disableEvaluation {
            policies[host] = DisabledTrustEvaluator()
        } else {
            policies[host] = PublicKeysTrustEvaluator(
                performDefaultValidation: true,
                validateHost: true
            )
        }
    }

    return policies
}

}

- Paulw11
- August 17, 2021 at 12:46 pm
- 0 votes
0
You can use the terminal command

nscurl --ats-diagnostics --verbose https://sample-app.10.names.io

to test your server for ATS compliance.

Doing so reveals that your server only passes when perfect forward secrecy is disabled. It would seem that your server does not support ECDHE ciphers.

You can configure ATS to ignore the perfect forward secrecy requirement by specifying NSExceptionRequiresForwardSecrecy in your ATS configuration exception domains, but really you should patch your server to use newer TLS code. Otherwise it is vulnerable to replay MITM attacks.

Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.