“an ssl error has occurred and a secure connection to the server cannot be made” connecting to Internal Development Server on phone only
I developed an iOS app that connects to an internal web server. When I use the simulator, it works fine, but when I build the same app on an iPhone, it gives me an error message: “an ssl error has occurred and a secure connection to the server cannot be made.” Why does the error only occur on the iPhone and not in the simulator?

Here is my environment:
Xcode 8.2
iOS 10.3
Objective-C; my client code is using ATS by default
AFNetworking framework 3.1
Web server supports TLS 1.2 only
Web server cert does not support forward secrecy yet

Could it be because that my Cert is not ATS compliant?

Scoville answered 7/4, 2017 at 19:59
After I read this document from Apple, I added this to my Info.plist:

```xml
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <!-- replace with the hostname of your internal server -->
        <key>Your Domain</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
            <false/>
        </dict>
    </dict>
</dict>
```

My app is now working on devices. My cert on the server is not Forward Secrecy ready yet.

Scoville answered 10/4, 2017 at 21:10

Christo: It should also be noted that Apple will not require justification for this ATS exception, because the forward secrecy exception is not one requiring explicit justification by Apple. That said, if you can remove that exception before submitting to Apple, that would be ideal.
Scoville: Thank you @wottle. My server is Windows 2008 R2; to have a cert that supports ECDSA with an ECDHE key, the OS has to be Windows 2012 R2. I'm waiting for the server team to upgrade our server.
Scoville: Another thing is that this app is an enterprise app, so I don't need to submit it to the Apple store.
Christo: That's good. It's still best practice to enable as few ATS exceptions as possible. It doesn't guarantee you are secure, but it can keep future developers from doing things that may unintentionally expose data when on untrusted networks.
Scoville: It turns out that I can't fully implement ATS yet. The cert that needs to support forward secrecy also needs to be put on the firewall server; we are using an F5 firewall server, and it is not compatible yet.
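The exception above trades forward secrecy for connectivity, and the comments recommend keeping such exceptions to a minimum. As an added example, not code from the original post, here is a small Python audit that parses an app's Info.plist and lists every exception domain that disables forward secrecy or allows cleartext HTTP, covering both the current keys and the deprecated `NSThirdParty…` synonyms; the sample plist and domain names are constructed.

```python
import plistlib

# Constructed sample Info.plist (not from the original post): one domain uses the
# deprecated third-party key, one the current key plus cleartext HTTP loads.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSExceptionDomains</key>
        <dict>
            <key>dev.internal.example</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
                <false/>
            </dict>
            <key>legacy.example</key>
            <dict>
                <key>NSExceptionRequiresForwardSecrecy</key>
                <false/>
                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                <true/>
            </dict>
        </dict>
    </dict>
</dict>
</plist>
"""

# Keys that weaken ATS for a domain, paired with the value that means "weakened".
WEAKENING_KEYS = {
    "NSExceptionRequiresForwardSecrecy": False,
    "NSThirdPartyExceptionRequiresForwardSecrecy": False,  # deprecated synonym
    "NSExceptionAllowsInsecureHTTPLoads": True,
    "NSThirdPartyExceptionAllowsInsecureHTTPLoads": True,  # deprecated synonym
}


def ats_exceptions(plist_bytes: bytes) -> dict[str, list[str]]:
    """Return {domain: [weakening keys set]} for each domain that loosens ATS."""
    info = plistlib.loads(plist_bytes)
    domains = info.get("NSAppTransportSecurity", {}).get("NSExceptionDomains", {})
    findings: dict[str, list[str]] = {}
    for domain, settings in domains.items():
        weak = [k for k, bad in WEAKENING_KEYS.items() if settings.get(k) == bad]
        if weak:
            findings[domain] = weak
    return findings
```

Run it against the real Info.plist (`ats_exceptions(open("Info.plist", "rb").read())`) before each release to see which exceptions are still in place.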
