I am leasing a self-signed certificate using NSMutableURLRequest, and when the certificate is anchored using a custom certificate with SecTrustSetAnchorCertificates, iOS 11 fails with the following error message:

refreshPreferences: HangTracerEnabled: 1
refreshPreferences: HangTracerDuration: 500
refreshPreferences: ActivationLoggingEnabled: 0 ActivationLoggingTaskedOffByDA:0
ATS failed system trust
System Trust failed for [1:0x1c417dc40]
TIC SSL Trust Error [1:0x1c417dc40]: 3:0
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
Task <721D712D-FDBD-4F52-8C9F-EEEA28104E73>.<1> HTTP load failed (error code: -1200 [3:-9802])
Task <721D712D-FDBD-4F52-8C9F-EEEA28104E73>.<1> finished with error - code: -1200

What used to work in iOS 10 no longer works in iOS 11.

I am aware that iOS 11 no longer supports the following:

  • RC4 3DES-CBC AES-CBC
  • MD5 SHA-1
  • <2048-bit RSA Pub Keys - All TLS connections to servers
  • http://
  • SSLv3
  • TLS 1.0
  • TLS 1.1

And the certificate does not use any of these, except for one fingerprint, which is SHA-1, but a SHA-256 fingerprint is also listed.

And by adding the following, we can bypass the ATS (App Transport Security) error:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>mydomain.com</key>
        <dict>
            <!-- Include to allow subdomains -->
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
        </dict>
    </dict>
</dict>

Installing the root / anchor certificate onto the phone itself also works, without the need to whitelist mydomain.com.

Does this mean that ATS no longer supports self-signed certificates?

The following worked in iOS 10:

SecTrustSetAnchorCertificates(serverTrust, (__bridge CFArrayRef)certs);

Using nscurl on a Mac shows many failures, and after installing the root certificate into the "System" Keystore, nscurl succeeds. I did this on macOS 10.12.6.

nscurl --verbose --ats-diagnostics https://

How can I make this work with a custom certificate, but without the need to install certificates or whitelist the domain?

Wayne: I have read the following: With App Transport Security (ATS) fully enabled, the system requires that your app's HTTP connections use HTTPS and that they satisfy the following security requirements: The X.509 digital server certificate must meet at least one of the following trust requirements: issued by a certificate authority (CA) whose root certificate is incorporated into the operating system, or issued by a trusted root CA and installed by the user or a system administrator. Does this mean that setting the anchor manually will no longer work?

ph4r05: Hmm, that's sad. Fortunately there is Let's Encrypt we can use instead of a custom PKI. But it is still a pain to be forced to use only system-wide trusted PKI. What about client certificates in authenticated connections? Do they have to be trusted as well?

ph4r05: A "workaround" could be not to use NSMutableURLRequest but some appropriate replacement which would use, e.g., app-linked OpenSSL for TLS and do its own certificate verification (pinning, validation, custom trusted roots).

david: iOS 10 had a bug that allowed this circumvention (27866669). It was corrected in iOS 11.
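An added example, not from the question or from Apple: a small Info.plist audit that reports every ATS relaxation an app ships, run here against a constructed Info.plist wrapping the exception block from the question. The key names are the standard ATS keys; the sample plist and the `audit_ats` function are this example's own.

```python
import plistlib

# Constructed sample: the NSAppTransportSecurity block from the question,
# wrapped in a minimal Info.plist so plistlib can parse it offline.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>mydomain.com</key>
      <dict>
        <key>NSIncludesSubdomains</key>
        <true/>
        <key>NSExceptionRequiresForwardSecrecy</key>
        <false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""


def audit_ats(info_plist_bytes):
    """Return (scope, finding) pairs for every ATS relaxation in an Info.plist."""
    findings = []
    ats = plistlib.loads(info_plist_bytes).get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("*", "NSAllowsArbitraryLoads disables ATS for every domain"))
    for domain, exc in ats.get("NSExceptionDomains", {}).items():
        scope = domain + (" (+subdomains)" if exc.get("NSIncludesSubdomains") else "")
        if exc.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append((scope, "plain http:// loads allowed"))
        # Default is True: ATS requires forward-secret cipher suites unless told otherwise.
        if exc.get("NSExceptionRequiresForwardSecrecy", True) is False:
            findings.append((scope, "non-forward-secret cipher suites allowed"))
        version = exc.get("NSExceptionMinimumTLSVersion", "TLSv1.2")
        if version in ("TLSv1.0", "TLSv1.1"):
            findings.append((scope, "minimum TLS version lowered to " + version))
    return findings


if __name__ == "__main__":
    for scope, finding in audit_ats(SAMPLE_INFO_PLIST):
        print(scope + ": " + finding)
```

On the question's own exception block the audit reports only the forward-secrecy relaxation, which says nothing about which CA issued the server certificate.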