7

You run this code:

let URL = "https://www.nasa.gov/sites/default/files/wave_earth_mosaic_3.jpg"
let imageData = NSData(contentsOfURL: NSURL(string: URL)!)
UIImage(data: imageData!)

and you get this:

2015-09-11 16:33:47.433 Cassini[21200:447896] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)

Digging a bit deeper shows a SHA1 signature is used.

maximveksler$ openssl s_client -connect www.nasa.gov:443 < /dev/null 2>/dev/null | openssl x509 -text -in /dev/stdin | grep "Signature Algorithm"
    Signature Algorithm: sha1WithRSAEncryption
    Signature Algorithm: sha1WithRSAEncryption

So as of Sep 11, 2015 NASA are using an insecure connection. Now what?

Maxim Veksler

1 Answer

13

Why did it happen?

Because using the insecure web is bad for your users' privacy.

Beginning with iOS 9, Apple are enforcing secure connections your app makes to any resource accessed via HTTP. This means that the server you are connecting to needs to follow up-to-date secure connection best practices.

As of Sep, 2015 these include:

More info can be found in the App Transport Security Technote

What can you do?

Manage your own servers? Fix it! Make sure they are strong and secure. You can verify that your server is good by testing it online with shaaaaaaaaaaaaa.com or locally with any of the methods outlined here

If you are connecting to other servers, there are options to "white list" problematic resources; this is discouraged.

Decrease security of a specific URL

Go to your Info.plist and add the following entries:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>www.nasa.gov</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>


Globally turn off App Transport Security

Note: this is a really, really bad idea.

Go to your Info.plist and add the following entries:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>


Community
Maxim Veksler
  • Can you inform if App Transport Security enforces port 443? Or can I use any port I wish (for RESTful APIs)? – Bruno Philipe Sep 13 '15 at 19:56
  • 1
    BTW, not only NASA but Amazon's AWS HTTPS file servers do not meet the App Transport Security requirements at the moment. So if your app relies on assets that are hosted on AWS servers, you'll see this error. – algal Sep 18 '15 at 20:11
  • 1
    How did you know about the App Transport Security Tech note you posted? How do you stay on top of Apple changes like this without waiting for your iOS code to break? – Usman Mutawakil Mar 12 '16 at 02:24
  • 1
    @UsmanMutawakil I check Apple documentation, follow WWDC announcements and view the lecture videos. Read news and weekly emails and keep up to date on Twitter. It's my responsibility as a professional. – Maxim Veksler Mar 17 '16 at 14:58
  • 4
    @MaximVeksler Thanks. I'm jealous of the professionals that have the luxury of devoting that much time to one part of the stack. – Usman Mutawakil Mar 18 '16 at 00:03