ssl - Handling App Transport Security (kCFStreamErrorDomainSSL, -9802)

Question

You run this code:

let URL = "https://www.nasa.gov/sites/default/files/wave_earth_mosaic_3.jpg"
let imageData = NSData(contentsOfURL: NSURL(string: URL)!)
UIImage(data: imageData!)

and you get this:

2015-09-11 16:33:47.433 Cassini[21200:447896] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)

Digging a bit deeper shows SHA1 signature is used.

maximveksler$ openssl s_client -connect www.nasa.gov:443 < /dev/null 2>/dev/null | openssl x509 -text -in /dev/stdin | grep "Signature Algorithm"
    Signature Algorithm: sha1WithRSAEncryption
    Signature Algorithm: sha1WithRSAEncryption

So as of Sep 11, 2015 NASA are using insecure connection, now what?

Answer 1

Why did it happen?

Because using insecure web is bad for your users privacy.

Beginning with iOS9 Apple are enforcing secure connections your app makes to any resource accessed via HTTP. This means that the server you are connecting to needs to follow up to date secure connection best practices.

As of Sep, 2015 these include:

• Use HTTPS (and not plain http)
• Sign the certificate using SHA-2
• Use Forward Secrecy

More info can be found at App Transport Security Technote

What can you do?

Manage your own servers? Fix it! make sure they are strong and secure. You can verify that your server is good by testing it online with shaaaaaaaaaaaaa.com or locally with any of the methods outline here

If you are connecting to other servers, there are options to "white list" problematic resources, this is discouraged.

Decrease security of a specific URL

Go to your Info.plist and add the following entries:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>www.nasa.gov</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>

Your plist should look like this:

Globally turn off App Transport Security

Note, this is a really really bad idea.

Go to your Info.plist and add the following entries:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

Your plist should look like this: