2

I am updating my iOS app that pulls images from Instagram for iOS v[redacted]. There is a new feature that tightens up network security. It is getting in my way just for Instagram fetches with the following NSError:

Description: {
    NSErrorFailingURLKey = "https:/instagram.com/p/52A5mtpurv/media/?size=l";
    NSErrorFailingURLStringKey = "https:/instagram.com/p/52A5mtpurv/media/?size=l";
    NSLocalizedDescription = "An SSL error has occurred and a secure connection to the server cannot be made.";
    NSLocalizedRecoverySuggestion = "Would you like to connect to the server anyway?";
    NSURLErrorFailingURLPeerTrustErrorKey = "<SecTrustRef: 0x17b1ebe0>";
    NSUnderlyingError = "Error Domain=kCFErrorDomainCFNetwork Code=-1200 \"An SSL error has occurred and a secure connection to the server cannot be made.\" UserInfo={NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamPropertySSLClientCertificateState=0, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x17b1ebe0>, _kCFStreamErrorDomainKey=3, NSErrorFailingURLStringKey=https://igcdn-photos-f-a.akamaihd.net/hphotos-ak-xaf1/t51.2885-15/11375272_1120995804579077_1215796842_n.jpg, NSErrorFailingURLKey=https://igcdn-photos-f-a.akamaihd.net/hphotos-ak-xaf1/t51.2885-15/11375272_1120995804579077_1215796842_n.jpg}";
    "_kCFStreamErrorCodeKey" = "-9802";
    "_kCFStreamErrorDomainKey" = 3;
}

The easy answer is to just disable the new security feature. Many folks are clearly taking this approach. I think that is unwise.

Reading the above error, it is clear that the Akamai CDN, at akamaihd.net, and Instagram are combining to manifest the problem.

I make the following exception declaration in the info.plist:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>instagram.com</key>
        <dict>
            <key>NSExceptionAllowInsecureHTTPSLoads</key>
            <true/>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.0</string>
            <key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
            <false/>
            <key>NSThirdPartyExceptionMinimumTLSVersion</key>
            <string>TLSv1.0</string>
        </dict>
    </dict>
</dict>

The above exception isn't doing the job. Any thoughts on how to proceed? Again, disabling the new security feature is not fixing the issue of dealing with public services that operate through CDNs.

soulshined
adonoho

2 Answers

3

The problem was an aggressive slash reducer in my code. It collapsed the https:// to https:/. That caused the error.

adonoho
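The failure mode this answer describes, as an added example that is not the poster's code: a blanket `//` replacement also rewrites the scheme separator, while a reducer that works on the parsed path leaves `https://` intact and rejects a URL that has lost its host. The function names `naiveSlashReducer` and `collapsingPathSlashes` are hypothetical, and the sample URLs are constructed from the one in the question.

```swift
import Foundation

// Hypothetical reconstruction of the bug: every "//" is collapsed,
// including the one in "https://".
func naiveSlashReducer(_ raw: String) -> String {
    return raw.replacingOccurrences(of: "//", with: "/")
}

// Collapse duplicate slashes in the path component only.
// Returns nil unless the input is an https URL with a non-empty host,
// so a mangled "https:/host/..." never reaches the network layer.
func collapsingPathSlashes(_ raw: String) -> URL? {
    guard var components = URLComponents(string: raw),
          components.scheme == "https",
          let host = components.host, !host.isEmpty else {
        return nil
    }
    var path = components.percentEncodedPath
    while path.contains("//") {
        path = path.replacingOccurrences(of: "//", with: "/")
    }
    components.percentEncodedPath = path   // query and host are left untouched
    return components.url
}

// Constructed sample inputs.
let doubled = "https://instagram.com//p//52A5mtpurv/media/?size=l"
let mangled = naiveSlashReducer(doubled)

// The naive reducer yields a string with a single slash after the scheme.
print(mangled)

// URLComponents parses the mangled string with no host at all,
// which is why the request cannot succeed regardless of ATS settings.
print(URLComponents(string: mangled)?.host ?? "no host")

// The path-only reducer keeps the scheme separator and cleans the path.
print(collapsingPathSlashes(doubled)?.absoluteString ?? "rejected")

// The mangled form is rejected up front.
print(collapsingPathSlashes(mangled)?.absoluteString ?? "rejected")
```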
0

For me this pair is working perfectly:

        <key>instagram.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
            <false/>
        </dict>
msmq