Recently, I’ve been busy for nearly a month in order to launch a new deposit app , and I’ve lived a new life of 996 . Today, I can finally take a breath and continue to update my blog. This article records the problems encountered in sending HTTPS requests in IOS 9 and the solutions, hoping to have a deeper understanding of ATS configuration through this article

Problem description

When developing app , we encountered the problem of sending HTTPS request in IOS 9

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)

We know that after IOS 9 , all network requests use HTTPS by default. If you send HTTP requests, you will report the following error, However, we can set the value of nsapptransportsecurity - nsallowsambitraryloads in info. Plist to Yes to allow HTTP requests:

App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.

info.plist

This solves the problem of HTTP request, but whether I send a HTTPS request or the problem of HTTP laod failed occurs. Although the above method can be used to solve the problem, it is not the fundamental solution

Solutions

After analysis, it is suspected that the problem is TLS , because IOS 9 requires tls1.2 version to encrypt data by default. If the server does not support tls1.2 , then URLs ession:task : didcompletewitherror: will return error of nil , but the back-end development colleagues said that the server supports tls1.0 tls1.1 and tls1.2 , it seems that this is not the problem of TLS . So I didn’t feel at ease. I tested the test server with nscurl , and it didn’t support tls1.2 , so the problem was found

# Add --verbose to show detailed debugging information
/usr/bin/nscurl --ats-diagnostics --verbose https://testresource.chaoaicai.com

From the output, we can see that the server only supports tls1.0 , so we asked the background development colleagues to test and modify it, and then test again. We found that the server supports tls1.2 , and the network requests of HTTPS are normal

ATS abnormal configuration

In fact, the server does not support TLS 1.2 , while the client sends HTTPS request, there are other solutions, that is, configure ATS and set the lowest TLS version, as shown in info.plist :

<key>NSAppTransportSecurity</key>
　　<dict>
　　<key>NSExceptionDomains</key>
　　<dict>
　　　　<!--Your https domain name - >
　　　　<key> testresource.chaoaicai.com</key>
　　　　<dict>
　　　　　　<! --allow subdomains-->
　　　　　　<key>NSIncludesSubdomains</key>
　　　　　　<true/>
　　　　　　<! --TLS minimum version number allowed-->
　　　　　　<key>NSExceptionMinimumTLSVersion</key>
　　　　　　<string>TLSv1.0</string>
　　　　</dict>
　　</dict>
</dict>

Among them, the specific settings of nsexceptiondomains are described as follows, which can help you understand the abnormal configuration of ATS in more detail

Nsincludessubdomains: whether to apply to subdomains. The default is No

Nsexceptionallowsinsure HTTP loads: whether to allow HTTP requests, yes, no by default

Nsexceptionminimum tlsversion: the lowest TLS version

Nsexceptionrequiresforwardsecy: whether pre encryption is required, no (encryption is allowed, but PFS: perfect forward SecY is not supported), the default is yes

Nsrequires certificate transaction: whether a valid signature certificate is required, yes (required), no by default