As per my requirement i should not make Allow Arbitrary Loads = true. So i set to false.
And i am allowing the trust certificate on my URLsession delegate.
My url : https://sample-app.10.names.io
code :
public func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
//Trust the certificate even if not valid
let urlCredential = URLCredential(trust: challenge.protectionSpace.serverTrust!)
completionHandler(.useCredential, urlCredential)
}
My error :
Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?,
If I make Allow Arbitrary Loads = true, then only its working. But as per my requirement i should not change to true. Any suggestion would be helpful.
Thanks
Update:
I tried this below too :
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>https://sample-app.10.names.io</key>
<dict>
<!--Include to allow subdomains-->
<key>NSIncludesSubdomains</key>
<true/>
<!--Include to allow HTTP requests-->
<key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
<true/>
<!--Include to specify minimum TLS version-->
<key>NSTemporaryExceptionMinimumTLSVersion</key>
<string>TLSv1.1</string>
</dict>
</dict>
</dict>
CodePudding user response:
You can use the terminal command
nscurl --ats-diagnostics --verbose https://sample-app.10.names.io
to test your server for ATS compliance.
Doing so reveals that your server only passes when perfect forward secrecy is disabled. It would seem that your server does not support ECDHE ciphers.
You can configure ATS to ignore the perfect forward secrecy requirement by specifying NSExceptionRequiresForwardSecrecy in your ATS configuration exception domains, but really you should patch your server to use newer TLS code. Otherwise it is vulnerable to replay MITM attacks.
CodePudding user response:
If you are actively using Alamofire in your project, I suggest you use the built-in Session that can be configured to use your server trust certificate without much hassle. Here is some code on how it is setup in one of my projects.
class SessionManagerProvider {
// MARK: - State
let hosts: [String]
let disableEvaluation: Bool
// MARK: - Init
init(urls: [URL], disableEvaluation: Bool = false) {
hosts = urls.compactMap { $0.host }
self.disableEvaluation = disableEvaluation
}
// MARK: - Factory
func make() -> Session {
// Configure network client with SSL pinning.
let configuration = URLSessionConfiguration.af.default
configuration.timeoutIntervalForRequest = Constants.Backend.timeoutIntervalForRequest
configuration.timeoutIntervalForResource = Constants.Backend.timeoutIntervalForResource
// Allow more connections than API requests to avoid an issue, when URLSession starts to
// time-out requests when there are too many connections.
configuration.httpMaximumConnectionsPerHost = Constants.maxConcurrentApiCalls * 2
let policies = serverTrustPolicies(disableEvaluation: disableEvaluation)
let securityManager = ServerTrustManager(evaluators: policies)
let sessionManager = Session(configuration: configuration, serverTrustManager: securityManager)
return sessionManager
}
private func serverTrustPolicies(disableEvaluation: Bool) -> [String: ServerTrustEvaluating] {
var policies: [String: ServerTrustEvaluating] = [:]
for host in hosts {
if disableEvaluation {
policies[host] = DisabledTrustEvaluator()
} else {
policies[host] = PublicKeysTrustEvaluator(
performDefaultValidation: true,
validateHost: true
)
}
}
return policies
}
}