SmallTalk App Transport Security CocoaHeads Paris Thursday 09 September 2015 Nicolas Lauquin

App Transport Security by Nicolas Lauquin

Jan 22, 2018


SmallTalk

App Transport Security

CocoaHeads Paris, Thursday 09 September 2015, Nicolas Lauquin


What ?

ATS is the default security configuration that apps must conform to.

Apple deprecates HTTP ;)

Applies to all connections based on NSURLConnection, CFURL, or NSURLSession

Starting with the iOS 9 & OS X 10.11 SDKs


Security Requirements

The server must support Transport Layer Security (TLS) protocol version 1.2.

Connection ciphers are limited to those that provide forward secrecy (TLS_ECDHE*)

Certificates must be signed using a SHA256 or better signature hash algorithm, with either a 2048 bit or greater RSA key or a 256 bit or greater Elliptic-Curve (ECC) key.


Not Respecting Rules = Punishment

AppTransport[71704:4475213] CFNetwork SSLHandshake failed (-9801)
AppTransport[71704:4475213] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)

When logging the network error, the output is:
Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made."


How To Check ?

Compile with the iOS 9 or OS X 10.11 SDK and check the connection success/logs, then look up the error code in SecureTransport.h

Add extra logging with CFNETWORK_DIAGNOSTICS = 1 (output is hard to analyze)

Open the URL in a browser for a quick (& dirty) check

nscurl (starting with OS X 10.11, best choice):
nscurl --ats-diagnostics --verbose https://x.co


Exceptions


Trick

OK

To test on an ATS-compliant API:


Example with IC server on OS X 10.10.5


IC Server ATS KO


IC Server v2 -> with certificate update

better but still KO


Configuration Info.plist

Configuration necessary until the upgrade to El Capitan, which will support TLSv1.2 & forward secrecy

ATS OK


Refs

Apple Technote: https://developer.apple.com/library/prerelease/ios/technotes/App-Transport-Security-Technote/index.html

Apple Video WWDC 2015 - 711 - Networking with NSURLSession

Example of App Transport configuration: http://www.neglectedpotential.com/2015/06/working-with-apples-application-transport-security/

Tips about issues with AppTransport: http://timekl.com/blog/2015/08/21/shipping-an-app-with-app-transport-security/

Apple Secure Transport error codes: http://www.opensource.apple.com/source/Security/Security-55179.13/libsecurity_ssl/Security/SecureTransport.h


CocoaHeads Paris

App Transport Security

Nicolas Lauquin @nlauquin