iOS 9 ATS SSL error with supporting server

Apple has released the full requirements list for App Transport Security.

Turned out that we were working with TLS v1.2 but were missing some of the other requirements.

Here's the full check list:

  1. TLS requires at least version 1.2.
  2. Connection ciphers are limited to those that provide forward secrecy (see below for the list of ciphers).
  3. The service requires a certificate using at least a SHA256 fingerprint with either a 2048-bit or greater RSA key, or a 256-bit or greater Elliptic-Curve (ECC) key.
  4. Invalid certificates result in a hard failure and no connection.

The accepted ciphers are:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

iOS9 getting error “an SSL error has occurred and a secure connection to the server cannot be made”

With iOS 9, Apple made a radical decision, disabling all unsecured HTTP traffic from iOS apps as part of App Transport Security (ATS).

To simply disable ATS, follow these steps: open Info.plist and add the following lines:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

iOS9 PayPal SDK - An SSL error has occurred....

I read the documentation further, which is what I should have done before asking the question! But to allow the ciphers that are listed I need to turn off NSExceptionRequiresForwardSecrecy for that URL. From the docs:

NSExceptionRequiresForwardSecrecy: A Boolean value for overriding the requirement that the domain support forward secrecy using ciphers.

YES is the default value and limits the ciphers to those shown in Default Behavior.

Setting the value to NO adds the following to the list of accepted ciphers:

  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
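
The checklist and the NSExceptionRequiresForwardSecrecy toggle above can be turned into a single pass/fail evaluation of what a TLS probe of a server observed. This is an added example, not code from any of the posts; the Handshake record and the field names are assumptions standing in for whatever your probe tool reports.

```python
"""Check a TLS probe result against the iOS 9 ATS requirements listed above."""
from dataclasses import dataclass
# Forward-secrecy suites ATS accepts by default (Apple's technote list).
ATS_FS_CIPHERS = frozenset({
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
})
# RSA key-exchange suites accepted only when NSExceptionRequiresForwardSecrecy is NO.
ATS_NON_FS_CIPHERS = frozenset({
    "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA",
})
ATS_PROTOCOLS = frozenset({"TLSv1.2", "TLSv1.3"})      # "at least 1.2"
ATS_SIG_HASHES = frozenset({"sha256", "sha384", "sha512"})
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}                 # other key types are rejected

@dataclass
class Handshake:                 # hypothetical probe record, not an Apple or OpenSSL type
    protocol: str        # negotiated version, e.g. "TLSv1.2"
    cipher: str          # negotiated suite, IANA name
    sig_hash: str        # hash of the leaf certificate's signature algorithm
    key_type: str        # "RSA" or "EC"
    key_bits: int
    trusted_chain: bool  # chain validates to a well-known CA (not self-signed)

def ats_violations(hs, requires_forward_secrecy=True):
    """Return the ATS requirements the handshake fails; an empty list means it passes."""
    allowed = ATS_FS_CIPHERS if requires_forward_secrecy else ATS_FS_CIPHERS | ATS_NON_FS_CIPHERS
    problems = []
    if hs.protocol not in ATS_PROTOCOLS:
        problems.append(f"protocol {hs.protocol} is below TLS 1.2")
    if hs.cipher not in allowed:
        problems.append(f"cipher {hs.cipher} not in the ATS accepted list")
    if hs.sig_hash.lower() not in ATS_SIG_HASHES:
        problems.append(f"certificate signed with {hs.sig_hash}, SHA-256 or better required")
    if hs.key_bits < MIN_KEY_BITS.get(hs.key_type, float("inf")):
        problems.append(f"{hs.key_type} key of {hs.key_bits} bits is too small")
    if not hs.trusted_chain:
        problems.append("certificate chain does not validate to a trusted CA")
    return problems

# Constructed samples, not real probe data: a SHA-1 signed certificate behind a
# modern suite, and a server that only offers an RSA key-exchange suite.
SHA1_CERT = Handshake("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "sha1", "RSA", 2048, True)
NON_FS_SERVER = Handshake("TLSv1.2", "TLS_RSA_WITH_AES_128_CBC_SHA", "sha256", "RSA", 2048, True)
```

The second sample fails with the default forward-secrecy requirement and passes once `requires_forward_secrecy=False`, which is exactly the effect of the NSExceptionRequiresForwardSecrecy exception on a per-domain basis.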

iOS 9 app download from Amazon S3 SSL error: TLS 1.2 support

Edit 2016-01-03: The renewed certificate for s3.amazonaws.com uses the SHA256 algorithm and complies with ATS requirements.

Original answer: s3.amazonaws.com uses a SHA1 certificate that does not meet ATS requirements, resulting in a hard failure. Per the App Transport Security Technote, ATS in iOS9 has the following requirements:

  1. The server must support at least Transport Layer Security (TLS) protocol version 1.2.

  2. Connection ciphers are limited to those that provide forward secrecy, namely,

    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  3. Certificates must be signed using a SHA256 or better signature hash algorithm, with either a 2048-bit or greater RSA key or a 256-bit or greater Elliptic-Curve (ECC) key.

Invalid certificates result in a hard failure and no connection.

SSL Labs' SSL server test (https://www.ssllabs.com/ssltest/analyze.html?d=s3.amazonaws.com) includes a handshake simulation for ATS in iOS 9 that indicates a failure for s3.amazonaws.com.


“an ssl error has occurred and a secure connection to the server cannot be made” connecting to Internal Development Server on phone only

After I read this document from Apple

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>Your Domain</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
            <false/>
        </dict>
    </dict>
</dict>

My app is now working on devices. My cert on the server is not Forward Secrecy ready yet.
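
Both plist forms on this page (the global NSAllowsArbitraryLoads switch and the scoped NSExceptionDomains entry) are the kind of thing a build or review step should flag so that a development workaround does not ship. The following audit is an added example, not code from any of the answers; the sample Info.plist, its domains and bundle identifier are constructed.

```python
"""Audit an Info.plist's NSAppTransportSecurity dictionary for settings that weaken ATS."""
import plistlib

# Constructed Info.plist combining both forms shown on this page: the global
# NSAllowsArbitraryLoads bypass and scoped NSExceptionDomains entries.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.demo</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>dev.example.internal</key>
      <dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionRequiresForwardSecrecy</key><false/>
      </dict>
      <key>api.example.com</key>
      <dict>
        <key>NSThirdPartyExceptionRequiresForwardSecrecy</key><false/>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

# Per-domain keys and the value at which each one relaxes ATS.
WEAKENING_KEYS = {
    "NSExceptionRequiresForwardSecrecy": False,
    "NSThirdPartyExceptionRequiresForwardSecrecy": False,
}

def audit_ats(plist_bytes):
    """Return (scope, key) findings; scope is '*' for the global bypass, else the domain."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append(("*", "NSAllowsArbitraryLoads"))
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        # NSIncludesSubdomains widens the exception to every subdomain as well.
        scope = domain + " (+subdomains)" if cfg.get("NSIncludesSubdomains") else domain
        for key, weak_value in WEAKENING_KEYS.items():
            if cfg.get(key) is weak_value:
                findings.append((scope, key))
    return findings
```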

kCFStreamErrorDomainSSL, -9802 when connecting to a server by IP address through HTTPS in iOS 9

iOS9 requires the server to only support TLSv1.2 and support perfect forward secrecy.

Also required is for the app to support IPv6, including not using hard-coded IP addresses. Suggested is to use NSURLSession. Otherwise exception additions must be made in the app plist.

See the WWDC-15 session "Security and your Apps".

Also see Steven Peterson's Blog for details.

IOS9 SSL error with NSURLSession

After some discussion with Apple Support, the issue is due to the self-signed certificate.

ATS trusts only certificates signed by a well-known CA; all others are rejected. As a consequence, the only solution with a self-signed certificate is to set an exception with NSExceptionDomains.

MobileFirst 7.1 - iOS 9 An SSL error has occurred and a secure connection to the server cannot be made

Make sure that you have properly configured the MobileFirst Server with TLS 1.2 support by following the instructions provided in this blog post (too long to post as an answer): https://mobilefirstplatform.ibmcloud.com/blog/2015/09/07/preparing-ibm-mobilefirst-platform-server-app-transport-security-ios-9/

Alamofire 4.0.1 SSL Requests Failing (secure connection to the server cannot be made)

To summarize the comments, @OP's site did not meet Apple's iOS ATS requirements. When tested with SSL Labs, the site scored an F and indicated lack of support for TLS. While bypassing ATS could have been an option, the server's TLS configuration was improved using the IIS Crypto tool as described at https://scotthelme.co.uk/getting-an-a-on-the-qualys-ssl-test-windows-edition/

Note: DO NOT set up Strict Transport Security without knowing what it does.

This addressed the issue.
