|
|
@@ -1081,6 +1081,36 @@ There are several cases where it may make sense to disable certificate chain val
|
|
|
|
|
|
> It is recommended that `validateCertificateChain` always be set to `true` in production environments.
|
|
|
|
|
|
+#### App Transport Security
|
|
|
+
|
|
|
+With the addition of App Transport Security (ATS) in iOS 9, it is possible that using a custom `ServerTrustPolicyManager` with several `ServerTrustPolicy` objects will have no effect. If you continuously see `CFNetwork SSLHandshake failed (-9806)` errors, you have probably run into this problem. Apple's ATS system overrides the entire challenge system unless you configure the ATS settings in your app's plist to disable enough of it to allow your app to evaluate the server trust.
|
|
|
+
|
|
|
+If you run into this problem (high probability with self-signed certificates), you can work around this issue by adding the following to your `Info.plist`.
|
|
|
+
|
|
|
+```xml
|
|
|
+<dict>
|
|
|
+ <key>NSAppTransportSecurity</key>
|
|
|
+ <dict>
|
|
|
+ <key>NSExceptionDomains</key>
|
|
|
+ <dict>
|
|
|
+ <key>example.com</key>
|
|
|
+ <dict>
|
|
|
+ <key>NSExceptionAllowsInsecureHTTPLoads</key>
|
|
|
+ <true/>
|
|
|
+ <key>NSExceptionRequiresForwardSecrecy</key>
|
|
|
+ <false/>
|
|
|
+ <key>NSIncludesSubdomains</key>
|
|
|
+ <true/>
|
|
|
+ </dict>
|
|
|
+ </dict>
|
|
|
+ </dict>
|
|
|
+</dict>
|
|
|
+```
|
|
|
+
|
|
|
+Whether you need to set the `NSExceptionRequiresForwardSecrecy` to `NO` depends on whether your TLS connection is using an allowed cipher suite. In certain cases, it will need to be set to `NO`. The `NSExceptionAllowsInsecureHTTPLoads` MUST be set to `YES` in order to allow the `SessionDelegate` to receive challenge callbacks. Once the challenge callbacks are being called, the `ServerTrustPolicyManager` will take over the server trust evaluation.
|
|
|
+
|
|
|
+> It is recommended to always use valid certificates in production environments.
|
|
|
+
|
|
|
---
|
|
|
|
|
|
## Component Libraries
|
Christian Noon