SSL failing with Allow Arbitrary Loads = false

Time:09-16

As per my requirement I should not make Allow Arbitrary Loads = true. So I set it to false.

And I am allowing the trust certificate in my URLSession delegate.

My url : https://sample-app.10.names.io

Code:

public func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
    // serverTrust is nil for non-server-trust challenges (e.g. HTTP auth), so guard instead of force-unwrapping
    guard let serverTrust = challenge.protectionSpace.serverTrust else {
        completionHandler(.performDefaultHandling, nil)
        return
    }
    // Trust the certificate even if not valid
    let urlCredential = URLCredential(trust: serverTrust)
    completionHandler(.useCredential, urlCredential)
}

My error:

Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?,

If I make Allow Arbitrary Loads = true, then only it's working. But as per my requirement I should not change it to true. Any suggestion would be helpful.

Thanks

Update:

I tried this below too:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>https://sample-app.10.names.io</key>
        <dict>
            <!--Include to allow subdomains-->
            <key>NSIncludesSubdomains</key>
            <true/>
            <!--Include to allow HTTP requests-->
            <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <!--Include to specify minimum TLS version-->
            <key>NSTemporaryExceptionMinimumTLSVersion</key>
            <string>TLSv1.1</string>
        </dict>
    </dict>
</dict>
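Two things are worth separating here. The -1200 error comes from ATS rejecting the TLS handshake itself, which happens before a URLSession delegate is ever asked about server trust, so no delegate code can make an ATS-rejected server load. And the delegate above, as written, disables certificate validation entirely: it hands back whatever trust object the server presented, so any certificate, including one from an interception proxy, is accepted. The following is an added example, not code from the question or the answers, of what a delegate that actually validates looks like: it runs the normal system evaluation and then pins the SHA-256 of the leaf certificate. The class name, helper names and the pinned hash value are assumptions and placeholders; the host name is the one from the question.

```swift
import Foundation
import Security
import CryptoKit

// Added example (not from the question or either answer): a URLSessionDelegate that
// keeps the system's full chain validation and additionally pins the SHA-256 of the
// server's leaf certificate. Class name, helper names and the pinned hash value are
// assumptions/placeholders; the host is the one from the question.
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    private let pinnedHost: String
    /// Base64-encoded SHA-256 digests of acceptable leaf-certificate DER blobs.
    private let pinnedCertHashes: Set<String>

    init(host: String, certHashes: Set<String>) {
        pinnedHost = host
        pinnedCertHashes = certHashes
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        // Only handle server-trust challenges for the pinned host; everything else
        // (client certs, HTTP auth, other hosts) gets the system's default treatment.
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              space.host == pinnedHost,
              let trust = space.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Step 1: normal validation (chain to a trusted root, expiry, host name match).
        // This is the step the question's delegate skips by returning the raw trust object.
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Step 2: pin check on the leaf certificate (index 0 of the validated chain).
        guard let leaf = Self.certificates(in: trust).first,
              pinnedCertHashes.contains(Self.sha256Base64(of: leaf)) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        completionHandler(.useCredential, URLCredential(trust: trust))
    }

    // Returns the evaluated chain, leaf first, on both older and newer OS releases.
    private static func certificates(in trust: SecTrust) -> [SecCertificate] {
        if #available(iOS 15.0, macOS 12.0, *) {
            return (SecTrustCopyCertificateChain(trust) as? [SecCertificate]) ?? []
        }
        return (0..<SecTrustGetCertificateCount(trust)).compactMap {
            SecTrustGetCertificateAtIndex(trust, $0)
        }
    }

    private static func sha256Base64(of certificate: SecCertificate) -> String {
        let der = SecCertificateCopyData(certificate) as Data
        return Data(SHA256.hash(data: der)).base64EncodedString()
    }
}

// Usage. The hash is a constructed placeholder: take the real value from the server's
// current leaf certificate, and plan for certificate rotation before pinning in production.
let delegate = PinnedSessionDelegate(
    host: "sample-app.10.names.io",
    certHashes: ["<base64 SHA-256 of the leaf certificate DER: placeholder>"]
)
let session = URLSession(configuration: .default, delegate: delegate, delegateQueue: nil)
```

Pinning the leaf certificate is the simplest form and breaks on every renewal; pinning a public key or an intermediate CA survives routine rotation and is what Alamofire's PublicKeysTrustEvaluator does. Whichever is chosen, SecTrustEvaluateWithError stays in: pinning adds to default validation, it never replaces it.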

CodePudding user response:

You can use the terminal command

nscurl --ats-diagnostics --verbose https://sample-app.10.names.io

to test your server for ATS compliance.

Doing so reveals that your server only passes when perfect forward secrecy is disabled. It would seem that your server does not support ECDHE ciphers.

You can configure ATS to ignore the perfect forward secrecy requirement by specifying NSExceptionRequiresForwardSecrecy in your ATS configuration exception domains, but really you should patch your server to use newer TLS code. Otherwise it is vulnerable to replay MITM attacks.
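An added example, not from the answer above, of an ATS exception that relaxes only the forward-secrecy requirement while keeping everything else ATS enforces. Two details differ from the attempt in the question: the NSExceptionDomains key must be the bare host name (no scheme, no path), and the NSTemporaryException* keys are the older spellings of the NSException* keys shown here. The host is the one from the question.

```xml
<key>NSAppTransportSecurity</key>
<dict>
    <!-- Keep the global policy strict -->
    <key>NSAllowsArbitraryLoads</key>
    <false/>
    <key>NSExceptionDomains</key>
    <dict>
        <!-- Host name only: "https://sample-app.10.names.io" would never match -->
        <key>sample-app.10.names.io</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <false/>
            <!-- The one relaxation this server needs: ATS stops requiring ECDHE cipher suites -->
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
            <!-- Everything else stays at the ATS default: HTTPS only, TLS 1.2 minimum -->
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <false/>
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.2</string>
        </dict>
    </dict>
</dict>
```

Re-run the nscurl command from the answer after changing the server configuration; once the server offers ECDHE suites, the exception can be removed again so the app falls back to full ATS enforcement for that host.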

CodePudding user response:

If you are actively using Alamofire in your project, I suggest you use the built-in Session that can be configured to use your server trust certificate without much hassle. Here is some code on how it is set up in one of my projects.

import Foundation
import Alamofire

class SessionManagerProvider {

    // MARK: - State

    let hosts: [String]
    let disableEvaluation: Bool

    // MARK: - Init

    init(urls: [URL], disableEvaluation: Bool = false) {
        hosts = urls.compactMap { $0.host }
        self.disableEvaluation = disableEvaluation
    }

    // MARK: - Factory

    func make() -> Session {
        // Configure network client with SSL pinning.
        // Constants.Backend.* and Constants.maxConcurrentApiCalls are project-specific values.
        let configuration = URLSessionConfiguration.af.default
        configuration.timeoutIntervalForRequest = Constants.Backend.timeoutIntervalForRequest
        configuration.timeoutIntervalForResource = Constants.Backend.timeoutIntervalForResource
        // Allow more connections than API requests to avoid an issue, when URLSession starts to
        // time-out requests when there are too many connections.
        configuration.httpMaximumConnectionsPerHost = Constants.maxConcurrentApiCalls * 2
        let policies = serverTrustPolicies(disableEvaluation: disableEvaluation)
        let securityManager = ServerTrustManager(evaluators: policies)
        let sessionManager = Session(configuration: configuration, serverTrustManager: securityManager)
        return sessionManager
    }

    private func serverTrustPolicies(disableEvaluation: Bool) -> [String: ServerTrustEvaluating] {
        var policies: [String: ServerTrustEvaluating] = [:]

        for host in hosts {
            if disableEvaluation {
                // Debug-only: skips all trust evaluation for this host.
                policies[host] = DisabledTrustEvaluator()
            } else {
                // Default chain validation plus a check that the server's public keys
                // match those of the certificates bundled with the app.
                policies[host] = PublicKeysTrustEvaluator(
                    performDefaultValidation: true,
                    validateHost: true
                )
            }
        }

        return policies
    }

}
