
With ATS enabled in iOS 9 many of my customers are unable to meet the forward secrecy requirement. They can however meet the https and TLS 1.2 requirements. Due to this I would like to relax the forward secrecy requirements whilst keeping the https and TLS 1.2 in place.

I was wondering if anyone has figured out a way to use NSExceptionRequiresForwardSecrecy or NSThirdPartyExceptionRequiresForwardSecrecy to disable forward secrecy for all domains.

I tried using * for NSExceptionDomains, or *.com, but when I used that the problem link did not work. When I use its domain.com, the problem link loads. I was looking at the Apple Docs on it but didn't see any way to achieve my goal.

Is it possible to just disable forward secrecy for all domains, sorta like you can completely disable ATS by setting NSAppTransportSecurity/NSAllowsArbitraryLoads to true?

Thanks!

Polar Bear
  • I think it is impossible. Either list all your customers' domains in ATS exceptions or allow arbitrary loads. You can also do both, so ATS will be using TLS 1.2 (but without forward secrecy) for known domains, and disabled for unknown ones. – Alex Skalozub Feb 03 '16 at 23:39
  • Alex, I've come to the same conclusion, we ended up adding in support for exceptions on a domain basis. – Polar Bear Feb 11 '16 at 02:35

2 Answers


Yes, it is possible. You probably have at least one domain you will certainly connect to. If that is not the case, just use any reliable web site (google.com, facebook.com, etc.). You should add an NSExceptionDomains rule for this domain by specifying the NSAppTransportSecurity configuration in the following way:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>google.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
            <false/>
        </dict>
    </dict>
</dict>

FYI, Facebook apps use the same NSAppTransportSecurity configuration.

Alexander
  • I was able to connect to my web server with TLS 1.2 with the settings you listed above. However, during my authorization process, the ticket generated by the web server is much shorter than the ticket the server generated for my Windows app (the Windows ticket is working), so when I post another call to the server with the ticket, the server could not recognize it. What did I do wrong? – JIANG Mar 17 '17 at 21:35

It's possible, try the following.

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

You can even add a specific exception:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>testdomain.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <false/>
            <key>NSExceptionAllowInsecureHTTPSLoads</key>
            <false/>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <true/>
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.2</string>
            <key>NSThirdPartyExceptionAllowInsecureHTTPSLoads</key>
            <false/>
            <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
            <true/>
            <key>NSThirdPartyExceptionMinimumTLSVersion</key>
            <string>TLSv1.2</string>
            <key>NSRequiresCertificateTransparency</key>
            <false/>
        </dict>

        ...

    </dict>
</dict>
Nilesh Patel
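As an added example, not code from either answer, here is a small Python audit of the kind of NSAppTransportSecurity dictionary shown in both answers above: it resolves which NSExceptionDomains entry governs a given host (honouring NSIncludesSubdomains) and reports whether forward secrecy and TLS 1.2 are still required for that host, which lets you check how far an exception actually reaches before shipping. The plist fragment is constructed sample data, the defaults are the iOS 9 ATS requirements named in the question, and treating either the NSException or NSThirdPartyException key variant as overriding the default is an assumption of this model.

```python
import plistlib

# Constructed Info.plist fragment (sample data, not from a real app) combining the
# exception styles shown in the two answers: a parent entry covering subdomains
# and an exact-host entry that keeps the defaults.
SAMPLE_PLIST = b"""<plist version="1.0"><dict>
<key>NSAppTransportSecurity</key><dict>
  <key>NSExceptionDomains</key><dict>
    <key>google.com</key><dict>
      <key>NSIncludesSubdomains</key><true/>
      <key>NSThirdPartyExceptionRequiresForwardSecrecy</key><false/>
    </dict>
    <key>testdomain.com</key><dict>
      <key>NSIncludesSubdomains</key><false/>
      <key>NSExceptionRequiresForwardSecrecy</key><true/>
      <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.2</string>
    </dict>
  </dict>
</dict></dict></plist>"""

# ATS defaults (iOS 9) that apply to a host when no exception key overrides them.
DEFAULTS = {"requires_forward_secrecy": True, "min_tls": "TLSv1.2", "allows_insecure_http": False}

# Each policy field can be set by a first-party or a third-party key (assumption:
# either variant overrides the default in this audit).
KEYS = (("requires_forward_secrecy", "RequiresForwardSecrecy"),
        ("min_tls", "MinimumTLSVersion"),
        ("allows_insecure_http", "AllowInsecureHTTPSLoads"))

def find_exception(exceptions: dict, host: str):
    # Exact match wins; otherwise walk parent domains, which only apply
    # when that entry sets NSIncludesSubdomains to true.
    host = host.lower()
    if host in exceptions:
        return exceptions[host]
    labels = host.split(".")
    for i in range(1, len(labels) - 1):
        entry = exceptions.get(".".join(labels[i:]))
        if entry is not None and entry.get("NSIncludesSubdomains", False):
            return entry
    return None

def effective_policy(plist_bytes: bytes, host: str) -> dict:
    # Compute the ATS requirements a connection to host must meet.
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    policy = dict(DEFAULTS, allows_arbitrary_loads=bool(ats.get("NSAllowsArbitraryLoads", False)))
    entry = find_exception(ats.get("NSExceptionDomains", {}), host)
    policy["matched_exception"] = entry is not None
    for field, suffix in KEYS:
        for key in ("NSException" + suffix, "NSThirdPartyException" + suffix):
            if entry is not None and key in entry:
                policy[field] = entry[key]
    return policy
```

Running `effective_policy(SAMPLE_PLIST, "www.google.com")` shows forward secrecy relaxed via the subdomain-inclusive parent entry, while `api.testdomain.com` matches nothing and keeps the full defaults.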