iOS 9 ATS SSL error with supporting server

Question

I installed Xcode 7 and tried running my app under iOS 9. I\'m getting the infamous error: Connection failed! Error - -1200 An SSL error has occurred and a secure conn

Answer 1

Apple has released the full requirements list for the App Transport Security.

Turned out that we were working with TLS v1.2 but were missing some of the other requirements.

Here's the full check list:

1. TLS requires at least version 1.2.
2. Connection ciphers are limited to those that provide forward secrecy (see below for the list of ciphers.)
3. The service requires a certificate using at least a SHA256 fingerprint with either a 2048 bit or greater RSA key, or a 256bit or greater Elliptic-Curve (ECC) key.
4. Invalid certificates result in a hard failure and no connection.

The accepted ciphers are:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

Answer 2

In iOS9, Apple added new feature called App Transport Security(ATS).

ATS enforces best practices during network calls, including the use of HTTPS.

Apple Pre-release documentation:

ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt. You should adopt ATS as soon as possible, regardless of whether you’re creating a new app or updating an existing one.

If you’re developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible.

Add Below key in your info.plist & then see.

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

Even you can add specific exception,

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>testdomain.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <false/>
            <key>NSExceptionAllowInsecureHTTPSLoads</key>
            <false/>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <true/>
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.2</string>
            <key>NSThirdPartyExceptionAllowInsecureHTTPSLoads</key>
            <false/>
            <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
            <true/>
            <key>NSThirdPartyExceptionMinimumTLSVersion</key>
            <string>TLSv1.2</string>
            <key>NSRequiresCertificateTransparency</key>
            <false/>
        </dict>

        ...

    </dict>
</dict>

Answer 3

With iOS9, I had a same issue: while SSLlab result showed no issues with protocols / ciphers on my server, a connection to one specific URL failed on an iPad running iOS/9.3.5 with an SSL-Error:

Connection cannot be established.

My stupid mistake was, that I had a redirect, i.e. in NGINX (and similar in Apache):

rewrite /calendar     $scheme://www.example.org/resources/calendar;

If the user accessed /calender by setting:

https://example.org/calendar

the server redirected to another domain breaking the establishment of the SSL-connection.

Setting the redirect as follows fixed it:

rewrite /calendar     $scheme://$server_name/resources/calendar;

Answer 4

Check out this doc that apple provided.

I had a similar issue at runtime on iOS 9 and what I did to fix it was added the NSAppTransportSecurity Dictionary to my info.plist file with the NSAllowsArbitraryLoads Bool set to true and after cleaning and rebuilding it worked.

I hope this helps!

Answer 5

For me proxy was blocking try to use internet from different source will resolve issue. Wifi, Lan, etc.