When I’m trying to connect with the server (which is IIS) I’m getting the below error on the console window:

API error: An SSL error has occurred and a secure connection to the server cannot be made. Hence I’m not able to log in.

I'm using Xcode 9.2, iOS 11.

Below are the solutions that I’ve tried but which didn’t work:

  1. App Transport Security Settings -> Allow Arbitrary Loads -> YES

  2. Add exception domain etc.

  3. Troubleshot IIS along with the server team and figured out that it is not secured, i.e. no HTTPS or SSL

This is my plist ATS configuration

Screenshot

P.S. This project was written in Objective-C back in 2014 by a third-party vendor. Is this issue due to the Objective-C language? (Well, I don't think so.)

Any Fix?

Vadim Kotov
Jayprakash Dubey
  • Is your server side properly chaining the certificate or not? If yes, then check your website here --> https://www.ssllabs.com/ssltest/ – iNiravKotecha Mar 19 '18 at 10:46
  • @NiravKotecha: The server is not set as secured. No HTTPS or SSL. It's simply http://abc.pqr.lmn – Jayprakash Dubey Mar 19 '18 at 10:49
  • I’m not sure if this is the problem, but have you tried removing the `https://` part from the domain name in the configuration? – Mats Mar 19 '18 at 12:22
  • There is no https in the domain name. It's simply http://abc.pqr.lmn – Jayprakash Dubey Mar 19 '18 at 12:54
  • But you have specified the protocol in your Info.plist shown above. Domain exceptions should just be the domain, e.g. `abc.def.com`, **not** `http://abc.def.com`. – wottle Mar 19 '18 at 21:45
  • @wottle: At first I checked with abc.def.com and it didn't work; then I tried with http://abc.def.com, which also didn't work. – Jayprakash Dubey Mar 20 '18 at 06:32

1 Answer

Judging by the screenshot, it appears you might be using a .dev domain. If so, you will not be able to disable ATS because Google owns the .dev domain, and they have chosen to require all .dev domains to use HTTPS. In iOS 11, Apple supports HSTS preloading, which allows certain domains to be restricted to secure connections only. The .dev top-level domain (TLD) is now one of those TLDs that require HTTPS. See more about that here: https://stackoverflow.com/a/47698675/3708242

Your screenshot includes an ATS exception that ends in .dev, but your comments specify a different domain. I'm assuming that maybe there are multiple exceptions in your Info.plist, and you use the .dev one for internal testing against a local server. If that is the case, simply change the domain for your internal testing to something other than *.dev. Also, note that the exception in your screenshot is not correct, as it includes http:// in the exception domain. Instead of an entry in the Info.plist like "http://mylocalserver.local", you should just have "mylocalserver.local" (no http://).

If your entry for abc.pqr.lmn is the same (it also includes the protocol in the exception domain), remove the "http://" and it should work.

Also, your exceptions list is a bit of a mess. If you are not using https at all, you should be able to remove all the entries except for NSExceptionAllowsInsecureLoads. All the other settings you specify are for if you want to allow HTTPS connections that don't support the minimum requirements for ATS. If you are just trying to allow non-secure HTTP traffic, get rid of the others.

So in summary:

  1. Don't use a .dev domain for local testing, as Google owns the top-level domain now and requires all new browsers / OSs to use HTTPS when connecting to anything that ends in .dev.
  2. Don't include "http://" in your ATS exception domains in your Info.plist
  3. It doesn't have anything to do with it being in Objective-C - it has to do with iOS 11 implementing HSTS preloading.
wottle
  • Also, for more information about avoiding the .dev TLD, here is a great article explaining the HSTS preloading issue: https://medium.engineering/use-a-dev-domain-not-anymore-95219778e6fd – wottle Mar 19 '18 at 21:49
  • Thanks for your answer! Let me try this and will give reply. Also the endpoint that I'm accessing is xxx.xxxengine.local.dev. I mentioned abc.pqr.lmn in comment just come. – Jayprakash Dubey Mar 20 '18 at 06:40
  • OK, I wasn't sure, but I saw the .dev in your screenshot. It will definitely cause problems in iOS 11 if you try to connect to any .dev domain without HTTPS. Also, you can confirm this is a problem by trying to hit the server in Safari. Safari also honors the HSTS preload list. – wottle Mar 20 '18 at 13:16
  • After reading the post on Medium I tested the app on Xcode 8.3.3 and it is working fine. But it is not a recommended solution, so I will try to remove .dev from the domain. Again, thanks a lot buddy!! – Jayprakash Dubey Mar 21 '18 at 04:52
  • You saved me! I was stuck with this issue for the past 3 days... Thanks a lot! – Jayprakash Dubey Mar 21 '18 at 10:32
  • No problem. I know this has affected a lot of developers when iOS 11 added the .dev HSTS preload domain. Glad you have it working. – wottle Mar 21 '18 at 13:40
  • So the solution is to not use .dev? or just remove .dev from the domain? – jongbanaag Aug 19 '20 at 06:10
  • Yes, Apple honors the HSTS and Google owns the .dev top level domain and has set any .dev domain to require HTTPS. Since you can't get a certificate from Google for your local server to support TLS for the .dev domain, simply change the domain to something like .local – wottle Aug 20 '20 at 02:28
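The three points the answer makes (no scheme in an NSExceptionDomains key, no plain-HTTP exception possible for the HSTS-preloaded .dev TLD, and no TLS-tuning keys on a plain-HTTP exception) can be checked mechanically before an Info.plist ships. The following lint is an added example written for this page; it is not code from the asker, the answerer, or Apple. It uses the standard `plistlib` module, the real ATS key name `NSExceptionAllowsInsecureHTTPLoads`, and a constructed sample plist that mirrors the configuration described in the thread (the asker's real file was only shown as a screenshot). The `PRELOADED_TLDS` set is an assumption limited to the one TLD the thread discusses.

```python
"""Lint the NSAppTransportSecurity block of an iOS Info.plist for the
mistakes discussed in the answer, and emit a cleaned NSExceptionDomains dict."""
import plistlib
from urllib.parse import urlsplit

# Constructed sample (not the asker's real Info.plist): one key with a scheme
# and TLS-only settings, one .dev host, and one correct plain-HTTP exception.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>http://mylocalserver.local</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
        <key>NSExceptionMinimumTLSVersion</key>
        <string>TLSv1.0</string>
        <key>NSExceptionRequiresForwardSecrecy</key>
        <false/>
      </dict>
      <key>xxx.xxxengine.local.dev</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
      </dict>
      <key>api.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
        <key>NSIncludesSubdomains</key>
        <true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Assumption: only the TLD named in the thread. Whole-TLD HSTS preloads cannot
# be overridden by any ATS exception on iOS 11+, so such hosts are rejected.
PRELOADED_TLDS = {"dev"}
# Keys that only matter when the exception targets an HTTPS host that falls
# short of ATS requirements; they are noise on a plain-HTTP exception.
TLS_ONLY_KEYS = {"NSExceptionMinimumTLSVersion", "NSExceptionRequiresForwardSecrecy"}
# Everything a plain-HTTP exception legitimately needs.
KEEP_FOR_HTTP = {"NSExceptionAllowsInsecureHTTPLoads", "NSIncludesSubdomains"}


def bare_host(key: str) -> str:
    """Strip any scheme, port or path from an exception-domain key."""
    if "://" in key:
        return urlsplit(key).hostname or key
    return key.split("/", 1)[0].split(":", 1)[0]


def _tld(host: str) -> str:
    return host.rsplit(".", 1)[-1].lower()


def lint_ats(plist_bytes: bytes) -> list[str]:
    """Return human-readable findings for each exception domain; empty means clean."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    for key, settings in ats.get("NSExceptionDomains", {}).items():
        host = bare_host(key)
        if host != key:  # the key must be a bare host name or it never matches
            findings.append(f"{key}: key contains a scheme/port/path; use '{host}'")
        if _tld(host) in PRELOADED_TLDS:
            findings.append(f"{key}: .{_tld(host)} is HSTS-preloaded; ATS cannot allow plain HTTP")
        if settings.get("NSExceptionAllowsInsecureHTTPLoads"):
            extra = sorted(TLS_ONLY_KEYS.intersection(settings))
            if extra:
                findings.append(f"{key}: remove {', '.join(extra)}; they only apply to HTTPS exceptions")
    return findings


def cleaned_exception_domains(plist_bytes: bytes) -> dict:
    """Rebuild NSExceptionDomains with bare host keys, preloaded TLDs dropped
    (they must be renamed, e.g. to .local), and only the keys HTTP needs."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    cleaned = {}
    for key, settings in ats.get("NSExceptionDomains", {}).items():
        host = bare_host(key)
        if _tld(host) in PRELOADED_TLDS:
            continue
        if settings.get("NSExceptionAllowsInsecureHTTPLoads"):
            settings = {k: v for k, v in settings.items() if k in KEEP_FOR_HTTP}
        cleaned[host] = settings
    return cleaned


if __name__ == "__main__":
    for finding in lint_ats(SAMPLE_INFO_PLIST):
        print("FINDING:", finding)
    print(plistlib.dumps({"NSExceptionDomains": cleaned_exception_domains(SAMPLE_INFO_PLIST)}).decode())
```

Run it against a real Info.plist by reading the file as bytes and passing it to `lint_ats`; the .dev host is dropped rather than rewritten because, as the answer says, no ATS setting can exempt it and the fix is to rename the test server.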