
I'm writing an iOS client for an existing Rails app. I have some assets on Amazon S3 that this iOS client will need to download. Download authorization is managed by the Rails backend and the aws-sdk gem provides temporary signed URLs. To keep the iOS client as simple as possible, I get signed URLs from the server instead of using the iOS AWS SDK.

For S3 files I want to download, I get a URL that looks something like

`https://s3-us-west-2.amazonaws.com/<my_bucket>/<my_filename>?AWSAccessKeyId=<access_key>&Expires=<expiration>&Signature=<signature>`.

When I try to download these URLs using `Alamofire.download`, I get the following error:

    Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x7f8b31474ce0>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, NSErrorPeerCertificateChainKey=<CFArray 0x7f8b3382f950 [0x1059d47b0]>{type = immutable, count = 3, values = (
        0 : <cert(0x7f8b31496a90) s: *.s3-us-west-2.amazonaws.com i: VeriSign Class 3 Secure Server CA - G3>
        1 : <cert(0x7f8b31496ce0) s: VeriSign Class 3 Secure Server CA - G3 i: VeriSign Class 3 Public Primary Certification Authority - G5>
        2 : <cert(0x7f8b31496f30) s: VeriSign Class 3 Public Primary Certification Authority - G5 i: Class 3 Public Primary Certification Authority>
    )}

If I set `NSAllowsArbitraryLoads` to true in `Info.plist`, the download succeeds.

What aspect of the certificate is making this fail? This question suggests the wildcard certificate could be a problem. However, my URLs work in mobile Safari and the wildcard is in the SAN section. Any ideas on how I can troubleshoot the problem and make sure I can use SSL?

I'm using Xcode 7.0.1, Swift 2.0 and targeting iOS 8.0.

Hélène Martin
  • I have edited the question to make it clear that I DO want to use HTTPS and am hoping for advice on figuring out what is causing the Amazon-issued certificate to fail and how I can address that. The question this was marked as a duplicate of only seems to address using HTTP during testing. – Hélène Martin Oct 27 '15 at 04:19
  • You should look into [App Transport Security](https://developer.apple.com/videos/play/wwdc2015-706/). Amazon S3's SSL certificate is currently not signed with SHA256 (it uses SHA1), and it is causing the ATS error on iOS 9 and later. Safari is not subject to ATS. – Yosuke Oct 27 '15 at 20:31
  • @YosukeMatsuda - you are awesome, it was indeed the SHA1 signature that caused the problem. That hint led me to [this link](https://forums.developer.apple.com/thread/13472#41025) which states that setting `NSExceptionAllowsInsecureHTTPLoads` for `s3-us-west-2.amazonaws.com` to true is the best solution. I still can't find a written Apple document that states SHA-1 is not compatible with ATS, though. – Hélène Martin Oct 28 '15 at 02:23
  • @matt - with the extra context, I see that my question is a duplicate of [this one](http://stackoverflow.com/questions/32500655/ios-9-app-download-from-amazon-s3-ssl-error-tls-1-2-support). – Hélène Martin Oct 28 '15 at 12:04
