iOS9 Forward Secrecy / App Transport Security

Hi all,

I have created an app using Cordova / AngularJS and then created an iOS version using Xcode.

All was fine and I was on the point of beginning beta testing with a preselected group of volunteers, but then Apple released iOS 9 and now my app refuses to connect to my server to load any data.

I have researched as much as I can and read up on Forward Secrecy and App Transport Security.

The team who manage our servers have enabled forward secrecy and so on, on our app server, but my app still does not work.

Recently I managed to upgrade my MacBook to El Capitan and ran the new nscurl tool:

```sh
/usr/bin/nscurl --ats-diagnostics https://mobileapp.tuskerdirect.com
```

Here’s the output of that test.

```
Configuring ATS Info.plist keys and displaying the result of HTTPS loads to https:/

A test will “PASS” if URLSession:task:didCompleteWithError: returns a nil error.

================================================================================

Default ATS Secure Connection

ATS Default Connection
ATS Dictionary:
{
}
2015-11-09 09:57:03.925 nscurl[819:27003] CFNetwork SSLHandshake failed (-9824)
2015-11-09 09:57:03.926 nscurl[819:27003] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 “An SSL error has occurred and a secure connection to the server cannot be made.” UserInfo={_kCFStreamErrorCodeKey=-9824, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fd6daf04110 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 “(null)” UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9824, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9824}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https:/ NSErrorFailingURLStringKey=https:/ _kCFStreamErrorDomainKey=3}

================================================================================

Allowing Arbitrary Loads

Allow All Loads
ATS Dictionary:
{
    NSAllowsArbitraryLoads = true;
}
2015-11-09 09:57:03.988 nscurl[819:27003] CFNetwork SSLHandshake failed (-9824)
2015-11-09 09:57:04.058 nscurl[819:27003] CFNetwork SSLHandshake failed (-9824)
2015-11-09 09:57:04.113 nscurl[819:27003] CFNetwork SSLHandshake failed (-9824)
2015-11-09 09:57:04.114 nscurl[819:27003] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 “An SSL error has occurred and a secure connection to the server cannot be made.” UserInfo={_kCFStreamErrorCodeKey=-9824, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fd6dae057a0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 “(null)” UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9824, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9824}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https:/ NSErrorFailingURLStringKey=https:/ _kCFStreamErrorDomainKey=3}

================================================================================

Configuring TLS exceptions for mobileapp.tuskerdirect.com

TLSv1.2
ATS Dictionary:
{
    NSExceptionDomains =     {
        "mobileapp.tuskerdirect.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.2";
        };
    };
}
2015-11-09 09:57:04.175 nscurl[819:27003] CFNetwork SSLHandshake failed (-9824)
2015-11-09 09:57:04.176 nscurl[819:27003] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 “An SSL error has occurred and a secure connection to the server cannot be made.” UserInfo={_kCFStreamErrorCodeKey=-9824, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fd6dac34880 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 “(null)” UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9824, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9824}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https:/ NSErrorFailingURLStringKey=https:/ _kCFStreamErrorDomainKey=3}

TLSv1.1
ATS Dictionary:
{
    NSExceptionDomains =     {
        "mobileapp.tuskerdirect.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.1";
        };
    };
}
2015-11-09 09:57:04.237 nscurl[819:27003] CFNetwork SSLHandshake failed (-9824)
2015-11-09 09:57:04.238 nscurl[819:27003] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 “An SSL error has occurred and a secure connection to the server cannot be made.” UserInfo={_kCFStreamErrorCodeKey=-9824, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fd6dae0a2e0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 “(null)” UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9824, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9824}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https:/ NSErrorFailingURLStringKey=https:/ _kCFStreamErrorDomainKey=3}

TLSv1.0
ATS Dictionary:
{
    NSExceptionDomains =     {
        "mobileapp.tuskerdirect.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.0";
        };
    };
}
2015-11-09 09:57:04.289 nscurl[819:27003] CFNetwork SSLHandshake failed (-9824)
2015-11-09 09:57:04.289 nscurl[819:27003] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 “An SSL error has occurred and a secure connection to the server cannot be made.” UserInfo={_kCFStreamErrorCodeKey=-9824, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fd6dac2d7a0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 “(null)” UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9824, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9824}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https:/ NSErrorFailingURLStringKey=https:/ _kCFStreamErrorDomainKey=3}

================================================================================

Configuring PFS exceptions for mobileapp.tuskerdirect.com

Disabling Perfect Forward Secrecy
ATS Dictionary:
{
    NSExceptionDomains =     {
        "mobileapp.tuskerdirect.com" =         {
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
2015-11-09 09:57:04.347 nscurl[819:27003] CFNetwork SSLHandshake failed (-9824)
2015-11-09 09:57:04.348 nscurl[819:27003] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 “An SSL error has occurred and a secure connection to the server cannot be made.” UserInfo={_kCFStreamErrorCodeKey=-9824, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fd6dac38280 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 “(null)” UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9824, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9824}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https:/ NSErrorFailingURLStringKey=https:/

================================================================================

Configuring PFS exceptions and allowing insecure HTTP for mobileapp.tuskerdirect.com

Disabling Perfect Forward Secrecy and Allowing Insecure HTTP
ATS Dictionary:
{
    NSExceptionDomains =     {
        "mobileapp.tuskerdirect.com" =         {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
2015-11-09 09:57:04.420 nscurl[819:27003] CFNetwork SSLHandshake failed (-9824)
2015-11-09 09:57:04.475 nscurl[819:27003] CFNetwork SSLHandshake failed (-9824)
2015-11-09 09:57:04.547 nscurl[819:27003] CFNetwork SSLHandshake failed (-9824)
2015-11-09 09:57:04.547 nscurl[819:27003] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 “An SSL error has occurred and a secure connection to the server cannot be made.” UserInfo={_kCFStreamErrorCodeKey=-9824, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fd6dad528f0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 “(null)” UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9824, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9824}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https:/ NSErrorFailingURLStringKey=https:/ _kCFStreamErrorDomainKey=3}

================================================================================

Configuring TLS exceptions with PFS disabled for mobileapp.tuskerdirect.com

TLSv1.2 with PFS disabled
ATS Dictionary:
{
    NSExceptionDomains =     {
        "mobileapp.tuskerdirect.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.2";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
2015-11-09 09:57:04.607 nscurl[819:27003] CFNetwork SSLHandshake failed (-9824)
2015-11-09 09:57:04.608 nscurl[819:27003] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 “An SSL error has occurred and a secure connection to the server cannot be made.” UserInfo={_kCFStreamErrorCodeKey=-9824, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fd6dac31650 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 “(null)” UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9824, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9824}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https:/ NSErrorFailingURLStringKey=https:/ _kCFStreamErrorDomainKey=3}

TLSv1.1 with PFS disabled
ATS Dictionary:
{
    NSExceptionDomains =     {
        "mobileapp.tuskerdirect.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.1";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
2015-11-09 09:57:04.656 nscurl[819:27003] CFNetwork SSLHandshake failed (-9824)
2015-11-09 09:57:04.657 nscurl[819:27003] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 “An SSL error has occurred and a secure connection to the server cannot be made.” UserInfo={_kCFStreamErrorCodeKey=-9824, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fd6dac3c5d0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 “(null)” UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9824, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9824}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https:/ NSErrorFailingURLStringKey=https:/ _kCFStreamErrorDomainKey=3}

TLSv1.0 with PFS disabled
ATS Dictionary:
{
    NSExceptionDomains =     {
        "mobileapp.tuskerdirect.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.0";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
2015-11-09 09:57:04.716 nscurl[819:27003] CFNetwork SSLHandshake failed (-9824)
2015-11-09 09:57:04.717 nscurl[819:27003] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 “An SSL error has occurred and a secure connection to the server cannot be made.” UserInfo={_kCFStreamErrorCodeKey=-9824, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fd6dae0d790 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 “(null)” UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9824, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9824}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https:/ NSErrorFailingURLStringKey=https:/ _kCFStreamErrorDomainKey=3}

================================================================================

Configuring TLS exceptions with PFS disabled and insecure HTTP allowed for mobileapp.tuskerdirect.com

TLSv1.2 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
    NSExceptionDomains =     {
        "mobileapp.tuskerdirect.com" =         {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionMinimumTLSVersion = "TLSv1.2";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
2015-11-09 09:57:04.772 nscurl[819:27003] CFNetwork SSLHandshake failed (-9824)
2015-11-09 09:57:04.836 nscurl[819:27003] CFNetwork SSLHandshake failed (-9824)
2015-11-09 09:57:04.885 nscurl[819:27003] CFNetwork SSLHandshake failed (-9824)
2015-11-09 09:57:04.886 nscurl[819:27003] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 “An SSL error has occurred and a secure connection to the server cannot be made.” UserInfo={_kCFStreamErrorCodeKey=-9824, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fd6dac2b260 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 “(null)” UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9824, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9824}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https:/ NSErrorFailingURLStringKey=https:/ _kCFStreamErrorDomainKey=3}

TLSv1.1 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
    NSExceptionDomains =     {
        "mobileapp.tuskerdirect.com" =         {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionMinimumTLSVersion = "TLSv1.1";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
2015-11-09 09:57:04.936 nscurl[819:27003] CFNetwork SSLHandshake failed (-9824)
2015-11-09 09:57:04.989 nscurl[819:27003] CFNetwork SSLHandshake failed (-9824)
2015-11-09 09:57:05.037 nscurl[819:27003] CFNetwork SSLHandshake failed (-9824)
2015-11-09 09:57:05.037 nscurl[819:27003] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 “An SSL error has occurred and a secure connection to the server cannot be made.” UserInfo={_kCFStreamErrorCodeKey=-9824, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fd6dac3f4e0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 “(null)” UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9824, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9824}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https:/ NSErrorFailingURLStringKey=https:/ _kCFStreamErrorDomainKey=3}

TLSv1.0 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
    NSExceptionDomains =     {
        "mobileapp.tuskerdirect.com" =         {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionMinimumTLSVersion = "TLSv1.0";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
2015-11-09 09:57:05.097 nscurl[819:27003] CFNetwork SSLHandshake failed (-9824)
2015-11-09 09:57:05.145 nscurl[819:27003] CFNetwork SSLHandshake failed (-9824)
2015-11-09 09:57:05.199 nscurl[819:27003] CFNetwork SSLHandshake failed (-9824)
2015-11-09 09:57:05.200 nscurl[819:27003] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 “An SSL error has occurred and a secure connection to the server cannot be made.” UserInfo={_kCFStreamErrorCodeKey=-9824, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fd6dac43d10 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 “(null)” UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9824, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9824}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https:/ NSErrorFailingURLStringKey=https:/ _kCFStreamErrorDomainKey=3}

================================================================================
```

My question is simple: does anyone have any suggestions why my app (using the latest iOS 9 on an iPhone 6) will not connect to my app server using JSONP, which it had no issues with when it was iOS 8?

Any help will be gratefully received.

Many thanks

Add this to your plist file just before the closing of the last </dict>:

```xml
<key>NSAppTransportSecurity</key>
<dict>
  <key>NSAllowsArbitraryLoads</key>
  <true/>
</dict>
```


I ran a test on ssllabs.com for your domain, and the reason it is not working in iOS 9 is an unsupported cipher: https://www.ssllabs.com/ssltest/analyze.html?d=mobileapp.tuskerdirect.com

You can make an exception and specify another cipher and not lose all security by disabling ATS completely.

The server is under your control, so I would change the cipher suite and make it ATS compatible and not weaken your security by disabling it in your app.

Your server must support at least Transport Layer Security (TLS). Connection ciphers must provide forward secrecy. Certificates must be signed with SHA256 or better with at least 2048 bits for RSA or 256 bits for Elliptic Curve keys.

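To make the two answers above concrete (the global NSAllowsArbitraryLoads plist in the first reply versus the scoped, server-side fix in the second), here is an added example, not code from the thread, that models the iOS 9 ATS decision for one host given an NSAppTransportSecurity dictionary like the ones nscurl printed. The cipher-suite names are the ones Apple's iOS 9 ATS documentation lists; the server profiles are constructed for illustration and were not measured from the real host.

```python
# Added example (not from the thread): a model of the iOS 9 ATS decision
# for one host. Cipher names follow Apple's iOS 9 ATS documentation: the
# ECDHE suites satisfy the forward-secrecy requirement; the plain RSA suites
# are accepted only when NSExceptionRequiresForwardSecrecy is false.

PFS_CIPHERS = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
}
NON_PFS_CIPHERS = {
    "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
}
TLS_ORDER = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]


def ats_verdict(ats, host, server):
    """Return (allowed, reason) for a load to host under ATS dictionary ats.

    server is a constructed dict: {"scheme", "tls_version", "ciphers"}.
    """
    if ats.get("NSAllowsArbitraryLoads"):
        # ATS stands aside, but Secure Transport still needs a cipher both
        # ends support; that is why nscurl's "Allow All Loads" case also failed.
        return True, "ATS disabled globally"
    exc = ats.get("NSExceptionDomains", {}).get(host, {})
    if server["scheme"] != "https":
        if exc.get("NSExceptionAllowsInsecureHTTPLoads"):
            return True, "insecure HTTP permitted for %s" % host
        return False, "plain HTTP blocked by ATS"
    min_tls = exc.get("NSExceptionMinimumTLSVersion", "TLSv1.2")
    if TLS_ORDER.index(server["tls_version"]) < TLS_ORDER.index(min_tls):
        return False, "server speaks %s, ATS requires %s" % (
            server["tls_version"], min_tls)
    acceptable = set(PFS_CIPHERS)
    if exc.get("NSExceptionRequiresForwardSecrecy", True) is False:
        acceptable |= NON_PFS_CIPHERS  # the exception widens the allowed set
    common = acceptable & set(server["ciphers"])
    if not common:
        return False, "server offers no ATS-acceptable cipher suite"
    return True, "acceptable suite: " + sorted(common)[0]


# Constructed profiles: the first imitates the thread's symptom (a server
# whose only suites fall outside the ATS list), the second a repaired server.
LEGACY_SERVER = {"scheme": "https", "tls_version": "TLSv1.2",
                 "ciphers": ["TLS_RSA_WITH_RC4_128_SHA",
                             "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]}
FIXED_SERVER = {"scheme": "https", "tls_version": "TLSv1.2",
                "ciphers": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]}
```

Run through the dictionaries nscurl tried, LEGACY_SERVER fails every exception except the global one, which only stops ATS from objecting; FIXED_SERVER passes with an empty ATS dictionary, which is the outcome the second reply recommends.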

Thank you, I will speak with our server guys and forward your suggestions. Many thanks for your help.