I am using a self-signed certificate with "NSMutableURLRequest", and when the certificate is anchored using a custom certificate with "SecTrustSetAnchorCertificates", iOS 11 fails with the following error message:
    refreshPreferences: HangTracerEnabled: 1
    refreshPreferences: HangTracerDuration: 500
    refreshPreferences: ActivationLoggingEnabled: 0 ActivationLoggingTaskedOffByDA:0
    ATS failed system trust
    System Trust failed for [1:0x1c417dc40]
    TIC SSL Trust Error [1:0x1c417dc40]: 3:0
    NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
    Task <721D712D-FDBD-4F52-8C9F-EEEA28104E73>.<1> HTTP load failed (error code: -1200 [3:-9802])
    Task <721D712D-FDBD-4F52-8C9F-EEEA28104E73>.<1> finished with error - code: -1200
What used to work in iOS 10 no longer works in iOS 11.
I am aware that iOS 11 no longer supports the following:
- RC4, 3DES-CBC, AES-CBC
- MD5, SHA-1
- <2048-bit RSA Pub Keys - All TLS connections to servers
- http://
- SSLv3
- TLS 1.0
- TLS 1.1
And the certificate does not use these except for one fingerprint which is SHA-1, but a SHA-256 fingerprint is also listed.
And by adding the following we can bypass the ATS (App Transport Security) error:
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSExceptionDomains</key>
        <dict>
            <key>mydomain.com</key>
            <dict>
                <!-- Include to allow subdomains -->
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSExceptionRequiresForwardSecrecy</key>
                <false/>
            </dict>
        </dict>
    </dict>
Installing the root / anchor certificate onto the phone itself also works, without the need to whitelist mydomain.com.
Does this mean that ATS no longer supports self-signed certificates?
This used to work in iOS 10:
    SecTrustSetAnchorCertificates(serverTrust, (__bridge CFArrayRef)certs);
Using nscurl on a Mac shows many failures, and after installing the root certificate into the "System" Keystore nscurl succeeds.
This was done on macOS 10.12.6.
    nscurl --verbose --ats-diagnostics https://
How can I make this work with a custom certificate, but without the need to install certificates or whitelist the domain?
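A delegate-side way to anchor the server trust to a custom root while keeping the SSL hostname check, as an added example that is not part of the original question. The class name and the bundle file name my_root_ca.cer are assumptions; the delegate must be set on the NSURLSession that issues the request.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

@interface PinnedSessionDelegate : NSObject <NSURLSessionDelegate>
@end

@implementation PinnedSessionDelegate

- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler
{
    // Only server-trust challenges are handled here; everything else takes the default path.
    if (![challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }
    SecTrustRef serverTrust = challenge.protectionSpace.serverTrust;

    // Load the custom root (DER) from the app bundle; "my_root_ca.cer" is an assumed file name.
    NSString *path = [[NSBundle mainBundle] pathForResource:@"my_root_ca" ofType:@"cer"];
    NSData *rootData = path ? [NSData dataWithContentsOfFile:path] : nil;
    SecCertificateRef root = rootData ? SecCertificateCreateWithData(NULL, (__bridge CFDataRef)rootData) : NULL;
    if (root == NULL) {
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
        return;
    }

    // Keep an SSL policy for the requested host so the name in the leaf is still validated,
    // then trust only our root: SecTrustSetAnchorCertificatesOnly stops fallback to system roots.
    SecPolicyRef policy = SecPolicyCreateSSL(true, (__bridge CFStringRef)challenge.protectionSpace.host);
    SecTrustSetPolicies(serverTrust, policy);
    SecTrustSetAnchorCertificates(serverTrust, (__bridge CFArrayRef)@[(__bridge id)root]);
    SecTrustSetAnchorCertificatesOnly(serverTrust, true);

    // SecTrustEvaluate is the iOS 11-era API (SecTrustEvaluateWithError arrived later).
    SecTrustResultType result = kSecTrustResultInvalid;
    OSStatus status = SecTrustEvaluate(serverTrust, &result);
    BOOL trusted = (status == errSecSuccess) &&
        (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);

    CFRelease(policy);
    CFRelease(root);

    if (trusted) {
        completionHandler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:serverTrust]);
    } else {
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
    }
}
@end
```

This only covers the chain and hostname evaluation; the protocol, cipher and key-size requirements listed above are enforced by ATS separately from the delegate.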