Recently, I have been busy for the launch of the new storage app
. I have been busy for nearly a month. After a period of 996
, I can finally take a breath today and continue to update my blog. This paper records the problems and solutions encountered when sending a HTTPS
request in iOS 9
. It is hoped that through this paper, we can have a deeper understanding of the configuration of ATS
.
Problem description
When developing app
, I encountered the problem of sending HTTPS
request in iOS 9
:
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)
As we know, after , iOS 9
, all network requests use HTTPS
by default. If you send HTTP
request, the following error will be reported. But we can allow HTTP
request by setting the value of nsapptransportsecuritynsallowsarbitraryloads
to be YES
:
App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.
info.plist
This solves the HTTP
request problem, but when I send a HTTPS
request, the HTTP laod failed
problem still occurs. Although the above method can also be used to solve this problem, it is not the fundamental solution.
The solution
Through the analysis, doubt is code> TLS problem, because the 9 code> default need TLS1.2 iOS version to encrypt data, if the server does not support the TLS1.2 code>, the URLSession: task: didCompleteWithError: code> returns the nil code> error code>, However, the back-end development colleagues said that the server supports TLS1.0
, TLS1.1
and TLS1.2
, it seems that this is not the problem of TLS
. Therefore, I was not assured. I used nscurl
to test the test server. As expected, TLS1.2
was not supported.
# 加 --verbose 是为了显示详细的调试信息
/usr/bin/nscurl --ats-diagnostics --verbose https://testresource.chaoaicai.com
It can be seen from the output that the server only supports TLS1.0
. Therefore, the colleagues in the background development were asked to test and modify, and then tested again. It was found that the server supports TLS1.2
, and the network request of HTTPS
is normal.
ATS exception configuration
In fact, for the server does not support TLS1.2
, but the client to send HTTPS
request there is another solution, is to configure ATS, set the lowest TLS
version, as shown in infos.plist
:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<!--你的https域名-->
<key>testresource.chaoaicai.com</key>
<dict>
<!--允许子域-->
<key>NSIncludesSubdomains</key>
<true/>
<!--TLS允许的最低版本号-->
<key>NSExceptionMinimumTLSVersion</key>
<string>TLSv1.0</string>
</dict>
</dict>
</dict>
Where, the specific Settings of NSExceptionDomains
are described below, where ATS
can be understood in more detail
NSIncludesSubdomains: is applied to the domain name, the default is NONSExceptionAllowsInsecureHTTPLoads: whether to allow HTTP requests, YES (allow), the default is NONSExceptionMinimumTLSVersion: TLS version of the lowest NSExceptionRequiresForwardSecrecy: whether to pre encryption, NO (encryption is allowed, but does not support PFS: Perfect forward secrecy), default is YESNSRequiresCertificateTransparency: the need for effective signing certificate, YES (need), the default is NO
This paper just briefly introduces how to configure ATS
, and solves the problem that HTTPS
cannot be accessed because the server does not support TLS1.2
. It is necessary to understand the specific workflow of HTTPS
and TLS
, please refer to relevant materials.
The resources
# # iOS issue record about NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, - 9801)
IOS 9 comes with a series of tutorials
IOS 9.0
Clean up the pits in iOS9 adaptation (graphic)
Cocoa Keys
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802) on a subdomain?