Recently, I've been busy for nearly a month launching a new deposit app, and I've lived a new life of 996. Today, I can finally take a breath and continue to update my blog. This article records the problems encountered when sending HTTPS requests in iOS 9 and the solutions, in the hope of gaining a deeper understanding of ATS configuration.
Problem description
When developing the app, we encountered the following problem when sending HTTPS requests in iOS 9:
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)
We know that since iOS 9, all network requests use HTTPS by default. If you send an HTTP request, the following error is reported:
App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.
However, we can set NSAllowsArbitraryLoads under NSAppTransportSecurity to YES in Info.plist to allow HTTP requests.
This solves the problem of HTTP requests, but when I send an HTTPS request, the "HTTP load failed" problem still occurs. Although the above method can be used to solve the problem, it is not the fundamental solution.
Solutions
After analysis, it was suspected that the problem was TLS, because iOS 9 requires TLS 1.2 to encrypt data by default. If the server does not support TLS 1.2, then URLSession:task:didCompleteWithError: will return an error of nil. However, the back-end development colleagues said that the server supports TLS 1.0, TLS 1.1 and TLS 1.2, so it seemed that this was not a TLS problem. Still, I didn't feel at ease, so I tested the test server with nscurl, and it didn't support TLS 1.2, so the problem was found:
# Add --verbose to show detailed debugging information
/usr/bin/nscurl --ats-diagnostics --verbose https://testresource.chaoaicai.com
From the output, we can see that the server only supports TLS 1.0, so we asked the back-end development colleagues to test and modify it, and then tested again. We found that the server now supports TLS 1.2, and HTTPS network requests are normal.
ATS exception configuration
In fact, when the server does not support TLS 1.2 and the client sends HTTPS requests, there is another solution: configure an ATS exception and set the minimum TLS version, as shown in this Info.plist fragment:
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <!-- Your HTTPS domain name -->
        <key>testresource.chaoaicai.com</key>
        <dict>
            <!-- Allow subdomains -->
            <key>NSIncludesSubdomains</key>
            <true/>
            <!-- Minimum TLS version allowed -->
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.0</string>
        </dict>
    </dict>
</dict>
The specific settings under NSExceptionDomains are described below, which can help you understand the ATS exception configuration in more detail:
NSIncludesSubdomains: whether the exception applies to subdomains. The default is NO.
NSExceptionAllowsInsecureHTTPLoads: whether to allow HTTP requests. YES allows them; the default is NO.
NSExceptionMinimumTLSVersion: the lowest TLS version allowed.
NSExceptionRequiresForwardSecrecy: whether forward secrecy is required. NO means encryption is allowed, but PFS (perfect forward secrecy) is not supported; the default is YES.
NSRequiresCertificateTransparency: whether a valid signed certificate is required. YES means required; the default is NO.