
As per my requirement, I should not make Allow Arbitrary Loads = true. So I set it to false.

And I am allowing the trust certificate on my URLSession delegate.

My URL: https://sample-app.10.names.io

Code:

public func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
    // Trust the certificate even if not valid
    guard let serverTrust = challenge.protectionSpace.serverTrust else {
        // Not a server-trust challenge: let the system handle it
        completionHandler(.performDefaultHandling, nil)
        return
    }
    let urlCredential = URLCredential(trust: serverTrust)
    completionHandler(.useCredential, urlCredential)
}

My error:

Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?,

Only if I make Allow Arbitrary Loads = true does it work. But as per my requirement I should not change it to true. Any suggestion would be helpful.

Thanks

Update:

I tried this below too:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>https://sample-app.10.names.io</key>
        <dict>
            <!--Include to allow subdomains-->
            <key>NSIncludesSubdomains</key>
            <true/>
            <!--Include to allow HTTP requests-->
            <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <!--Include to specify minimum TLS version-->
            <key>NSTemporaryExceptionMinimumTLSVersion</key>
            <string>TLSv1.1</string>
        </dict>
    </dict>
</dict>
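The delegate in the question accepts any server certificate, which removes the protection TLS is supposed to give. Below is an added example (not code from the poster) of the hardened counterpart: the delegate only answers server-trust challenges, lets the system validate the chain and host name first, and then additionally pins the SHA-256 of a certificate's DER for the question's host. The pin value is a constructed placeholder, and SecTrustCopyCertificateChain requires iOS 15 / macOS 12. Note that ATS checks (TLS version, forward secrecy) are applied before any challenge reaches this delegate, so a delegate alone cannot clear an ATS -1200 error; only an ATS exception or a server fix can.

```swift
import Foundation
import Security
import CryptoKit

/// URLSessionDelegate that keeps system trust evaluation intact and
/// additionally pins certificate hashes for selected hosts.
final class PinningSessionDelegate: NSObject, URLSessionDelegate {
    /// Host -> base64(SHA-256(certificate DER)) values accepted for that host.
    /// Any certificate in the validated chain (leaf or intermediate) may match.
    let pins: [String: Set<String>]

    init(pins: [String: Set<String>]) {
        self.pins = pins
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        // Only handle server-trust challenges; everything else (e.g. HTTP auth)
        // goes through the system's default handling.
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = space.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Step 1: standard validation (trusted root, host name, validity period).
        var evaluationError: CFError?
        guard SecTrustEvaluateWithError(trust, &evaluationError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Step 2: for hosts with pins, at least one chain certificate must match.
        // Hosts without pins rely on step 1 alone.
        guard let expected = pins[space.host] else {
            completionHandler(.useCredential, URLCredential(trust: trust))
            return
        }
        let presented = Self.certificateHashes(of: trust)
        if presented.isDisjoint(with: expected) {
            completionHandler(.cancelAuthenticationChallenge, nil)
        } else {
            completionHandler(.useCredential, URLCredential(trust: trust))
        }
    }

    /// base64(SHA-256(DER)) for every certificate in the evaluated chain.
    static func certificateHashes(of trust: SecTrust) -> Set<String> {
        let chain = (SecTrustCopyCertificateChain(trust) as? [SecCertificate]) ?? []
        var hashes = Set<String>()
        for certificate in chain {
            let der = SecCertificateCopyData(certificate) as Data
            let digest = SHA256.hash(data: der)
            hashes.insert(Data(digest).base64EncodedString())
        }
        return hashes
    }
}

// Usage: the pin below is a constructed placeholder; replace it with the
// base64 SHA-256 of the DER of the certificate you intend to pin.
let delegate = PinningSessionDelegate(pins: [
    "sample-app.10.names.io": ["PLACEHOLDER_BASE64_SHA256_OF_PINNED_CERT_DER"]
])
let session = URLSession(configuration: .default, delegate: delegate, delegateQueue: nil)
```

Pinning a certificate's DER hash is the simplest variant; pinning the SubjectPublicKeyInfo instead survives certificate renewals that keep the same key, but requires reconstructing the SPKI encoding from SecKeyCopyExternalRepresentation, which is left out here.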

2 Answers


  1. If you are actively using Alamofire in your project, I suggest you use the built-in Session that can be configured to use your server trust certificate without much hassle. Here is some code on how it is set up in one of my projects.

    import Foundation
    import Alamofire

    class SessionManagerProvider {

        // MARK: - State

        let hosts: [String]
        let disableEvaluation: Bool

        // MARK: - Init

        init(urls: [URL], disableEvaluation: Bool = false) {
            hosts = urls.compactMap { $0.host }
            self.disableEvaluation = disableEvaluation
        }

        // MARK: - Factory

        func make() -> Session {
            // Configure network client with SSL pinning.
            let configuration = URLSessionConfiguration.af.default
            // `Constants.Backend.*` and `Constants.maxConcurrentApiCalls` are the
            // author's own project constants and are not shown in this answer.
            configuration.timeoutIntervalForRequest = Constants.Backend.timeoutIntervalForRequest
            configuration.timeoutIntervalForResource = Constants.Backend.timeoutIntervalForResource
            // Allow more connections than API requests to avoid an issue, when URLSession starts to
            // time-out requests when there are too many connections.
            configuration.httpMaximumConnectionsPerHost = Constants.maxConcurrentApiCalls * 2
            let policies = serverTrustPolicies(disableEvaluation: disableEvaluation)
            let securityManager = ServerTrustManager(evaluators: policies)
            let sessionManager = Session(configuration: configuration, serverTrustManager: securityManager)
            return sessionManager
        }

        private func serverTrustPolicies(disableEvaluation: Bool) -> [String: ServerTrustEvaluating] {
            var policies: [String: ServerTrustEvaluating] = [:]

            for host in hosts {
                if disableEvaluation {
                    // Debug/test only: skips all trust evaluation for this host.
                    policies[host] = DisabledTrustEvaluator()
                } else {
                    // Pins against the public keys of certificates bundled in the app,
                    // on top of default chain and host validation.
                    policies[host] = PublicKeysTrustEvaluator(
                        performDefaultValidation: true,
                        validateHost: true
                    )
                }
            }

            return policies
        }
    }

  2. You can use the terminal command

    nscurl --ats-diagnostics --verbose https://sample-app.10.names.io

    to test your server for ATS compliance.

    Doing so reveals that your server only passes when perfect forward secrecy is disabled. It would seem that your server does not support ECDHE ciphers.

    You can configure ATS to ignore the perfect forward secrecy requirement by specifying NSExceptionRequiresForwardSecrecy in your ATS configuration exception domains, but really you should patch your server to use newer TLS code. Otherwise it is vulnerable to replay MITM attacks.

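As an added illustration of the exception this answer describes (not part of the answer itself), the Info.plist fragment below relaxes only the forward-secrecy requirement for the question's host. Two things differ from the plist in the question: the NSExceptionDomains key is the bare host name rather than a URL with a scheme, and HTTPS plus TLS 1.2 stay mandatory. It assumes, as the nscurl diagnosis implies, that the server otherwise passes ATS with TLS 1.2.

```xml
<key>NSAppTransportSecurity</key>
<dict>
    <!-- Keep the global default strict -->
    <key>NSAllowsArbitraryLoads</key>
    <false/>
    <key>NSExceptionDomains</key>
    <dict>
        <!-- Bare host name, not "https://..." -->
        <key>sample-app.10.names.io</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <!-- The only relaxation: the server offers no ECDHE (forward-secret) ciphers -->
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
            <!-- Plain HTTP stays blocked and TLS 1.2 stays the minimum -->
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <false/>
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.2</string>
        </dict>
    </dict>
</dict>
```

Re-run nscurl --ats-diagnostics against the host after enabling ECDHE cipher suites on the server; once it passes with forward secrecy, remove the NSExceptionRequiresForwardSecrecy entry so the app is back to the full ATS baseline.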