
Anyone got NSURLConnection working on iOS 9 without exceptions?


I am trying to run my app on iOS 9 -- Xcode 7 beta 5. Although my URLs are https, NSURLConnection is still throwing an error:

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)

I am trying to avoid using an exception to get this working. My server supports the required protocols: https://developer.apple.com/library/prerelease/ios/technotes/App-Transport-Security-Technote/index.html

Thanks...

UPDATE: the release notes indicate that they have dropped default support of DHE_RSA ciphers:

"DHE_RSA cipher suites are now disabled by default in Secure Transport for TLS clients. This may cause failure to connect to TLS servers that only support DHE_RSA cipher suites. Apps that explicitly enable cipher suites using SSLSetEnabledCiphers are not affected and will still use DHE_RSA cipher suites if explicitly enabled."

These are the ciphers supported by my server. See the full list here: https://developer.apple.com/library/prerelease/ios/technotes/App-Transport-Security-Technote/index.html

So I guess I need to use SSLSetEnabledCiphers for every NSURLConnection, or upgrade my server to support the DHE_ECDSA ciphers. Or use the exception mechanism for now.

Anything I've missed? And anyone got sample code for using SSLSetEnabledCiphers?

Thanks.


Solution

  • Here's the deal. The innocuous language about DHE_RSA cipher suites not being supported by default is a pretty big change by Apple in beta 5. A lot of servers out there don't support ECDHE_ECDSA ciphers by default. In order to support those ciphers on my server, it looks like I will have to upgrade something or several somethings. Or even recompile something. Ack.

    And I assumed that I would just have to ensure all URLs were HTTPS!

    Specifically I was able to support HTTPS-only links to my server by using the "NSExceptionRequiresForwardSecrecy = NO" key in Info.plist. Also not forgetting the "NSIncludesSubdomains = YES" key if necessary.

    Useful background, especially if Diffie-Hellman Exchange, Elliptic Curve and Forward Secrecy are not familiar to you:

    http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html

    http://blog.lowsnr.net/2014/10/26/configuring-apache-2-2-ssltls-for-forward-secrecy/
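The two Info.plist keys named in the answer only take effect when they sit inside an `NSExceptionDomains` entry for the specific host under the top-level `NSAppTransportSecurity` dictionary. The following fragment is an added example (not code from the question or the answer) showing that structure; `api.example.com` is a placeholder for your own API host. It keeps HTTPS mandatory and relaxes only the forward-secrecy requirement, which is what lets a server that offers DHE_RSA but no ECDHE suites connect under ATS:

```xml
<!-- Added example, not from the original post. Place inside the top-level <dict> of Info.plist. -->
<key>NSAppTransportSecurity</key>
<dict>
    <!-- Per-host exceptions only; all other hosts keep the full ATS defaults. -->
    <key>NSExceptionDomains</key>
    <dict>
        <!-- Placeholder: replace with the host your app actually connects to. -->
        <key>api.example.com</key>
        <dict>
            <!-- Apply the same exception to subdomains such as cdn.api.example.com. -->
            <key>NSIncludesSubdomains</key>
            <true/>
            <!-- Allow DHE_RSA (non-ECDHE) cipher suites for this host only.
                 TLS 1.2 and HTTPS are still required; only forward secrecy is waived. -->
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
        </dict>
    </dict>
</dict>
```

Scoping the exception to one domain keeps every other connection the app makes under the full ATS policy, and removing the entry once the server has been upgraded to offer ECDHE suites restores forward secrecy for that host as well.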