دعم الموقع
الدعم → دعم API
iOS 9 App Transport Security
نشر بواسطة Dov FrankelSTAFFMOD في أغسطس 31, 2015 عند الساعة 6:21 مساءا
I'm working on an app that will launch on iOS 9, and in order to talk to the TMDb API, I need to disable App Transport Security (a new security feature). It looks (from the headers CURL returns) that your servers support TLSv1.2, correct? That's the main requirement that's catching people. I'm connecting over https, and this is the error I get back:
Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x7fe438442330>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, NSErrorPeerCertificateChainKey=<CFArray 0x7fe43a406250 [0x10c1447b0]>{type = immutable, count = 3, values = (
0 : <cert(0x7fe438436890) s: *.themoviedb.org i: RapidSSL CA>
1 : <cert(0x7fe4384364b0) s: RapidSSL CA i: GeoTrust Global CA>
2 : <cert(0x7fe438441870) s: GeoTrust Global CA i: Equifax Secure Certificate Authority>
)}, NSUnderlyingError=0x7fe43a2026b0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x7fe438442330>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=<CFArray 0x7fe43a406250 [0x10c1447b0]>{type = immutable, count = 3, values = (
0 : <cert(0x7fe438436890) s: *.themoviedb.org i: RapidSSL CA>
1 : <cert(0x7fe4384364b0) s: RapidSSL CA i: GeoTrust Global CA>
2 : <cert(0x7fe438441870) s: GeoTrust Global CA i: Equifax Secure Certificate Authority>
)}}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://api.themoviedb.org/3/person/287?api_key=9e***********************9faa, NSErrorFailingURLStringKey=https://api.themoviedb.org/3/person/287?api_key=9e*************************9faa, NSErrorClientCertificateStateKey=0}
Any ideas what is wrong? Has a certificate expired or something?
رد بواسطة Travis Bell
بتاريخ سبتمبر 1, 2015 في 10:03 صباحا
Hi dovfrankel,
I've heard about this, it was discussed a here. I don't think it's TLS 1.2 (we do support this) but rather the signing of the certificate. Ours was signed using SHA-1 where I believe Chrome and now the new transport in iOS wants it to be SHA-2.
We do have plans to re-sign/renew our certificates but haven't yet. I am not sure on an exact timeline.
رد بواسطة Dov Frankel
بتاريخ سبتمبر 1, 2015 في 10:08 صباحا
Oh okay, thanks for the prompt reply. It would be awesome if you could re-sign before iOS 9 goes public, as it may break any apps that haven't been updated. As for myself, I'll temporarily be exempting your domain from App Transport Security. If anyone else is looking into how to do this, add this to your app's plist:
رد بواسطة Travis Bell
بتاريخ سبتمبر 1, 2015 في 10:17 صباحا
Yes, that was going to be my next suggestion. Exempting our domain should work too 😉
We will get to it.
Thanks.
رد بواسطة AlexNorway
بتاريخ سبتمبر 14, 2015 في 9:01 مساءا
Any update on this issue as iOS 9 goes public today?
رد بواسطة Travis Bell
بتاريخ سبتمبر 16, 2015 في 4:46 مساءا
Hi Alex,
No updates right now, re-signing our SSL certificates hasn't been something that is very high on our priority list. As per Apple's own technote, adding the domain as an exemption is the only way to get around it in iOS 9 for now.
Cheers.
رد بواسطة AlexNorway
بتاريخ سبتمبر 16, 2015 في 6:15 مساءا
Yeah, i know how to whitelist and have already done it... but as long as you sign the cert using SHA-2 before Apple one day decides to turn off the whitelist option then Im happy! Thanks for the quick answer.
رد بواسطة tmdb40840574
بتاريخ مارس 31, 2016 في 9:17 صباحا
Hi all, I'm working on a iOS app and it's the first time I try to connect to API via HTTPS. This is the error I get back:
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802) Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSUnderlyingError=0x7bb6ad20 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorCodeKey=-9802, _kCFStreamErrorDomainKey=3, kCFStreamPropertySSLPeerTrust=, …
I've resolved with the domain exception, as suggested by the useful Dov's post.
I'm just asking if someone know others solution. I'm working with Swift 2 and Xcode 7.3.
Tks, Alessio.
رد بواسطة AlexNorway
بتاريخ مارس 31, 2016 في 10:51 صباحا
Alessio, there is no other way until he has time to re-sign their SSL certificates. Whitelisting (domain exception) is the only way.
رد بواسطة tmdb40840574
بتاريخ مارس 31, 2016 في 10:56 صباحا
Hi Alex, ok, it's clear.
Thank you for your rapid answer.
Alessio.
رد بواسطة Travis Bell
بتاريخ يونيو 16, 2016 في 10:51 مساءا
P.S. We rolled out SHA2 SSL last night, the domain exception shouldn't be necessary anymore.
رد بواسطة tmdb40840574
بتاريخ يونيو 17, 2016 في 3:18 صباحا
I've just tried with Xcode Simulator (no real iPhone) and it seems to be working.
Thank you, Alessio.