AVPlayer URL https connection with ATS blocked cleartext HTTP

Question

Hy everybody, I'm trying to connect to a remote streaming server by HTTPS but console keep telling me that ATS blocked a cleartext HTTP.

Since the remote server is a third party server, I connected with OpenSSL and saw this informations:

I played with the plist and tried different ways but still I can't connect (if I bypass ATS the URL open the stream flawlessy).

Here it's my actual configuration:

Any suggestion where I can be wrong?

I thank you in advance.

Fabrizio

Do you see what url is being blocked by ATS? – Aymen HARRATH Dec 22 '16 at 10:46 — Aymen HARRATH, Dec 22 '16 at 10:46

score 2 · Accepted Answer · edited May 23 '17 at 11:53

2

Try removing all configuration an keep onNSExceptionRequiresForwardSecrecy to NO
According to Apple documentation here are supported Ciphers

The connection must use either the AES-128 or AES-256 symmetric cipher. The negotiated TLS connection cipher suite must support perfect forward secrecy (PFS) through Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange, and must be one of the following: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

You can find more details here ATS Configuration Basics

If this do not work for you, you should figure out the url that is being blocked by ATS to check if your server is redirecting your request to an other url.

If you are playing a Fairplay stream, try printing yourPlayerItem.errorLog() you will see if your stream keys server url is being blocked by ATS. In that case you must add the suitable exception.

Hope this helps you, it is exactly what I made to solve the same problem.

edited May 23 '17 at 11:53

Community

1
1

answered Dec 22 '16 at 11:11

Aymen HARRATH

474
3
15

I removed everything except NSExceptionRequiresForwardSecrecy but the problem remain. I'll try do discover if there's some redirect, if I open that URL with VLC it just works. – Fabrizio Dec 23 '16 at 09:09
Ok I've used CFNETWORK_DIAGNOSTICS and in the log I see there the same URL I call via HTTPS but also riported in HTTP near kCFErrorDomainCFNetwork. So it's like there are two URL one in HTTPS and one in HTTP. I'll do some test in this direction. – Fabrizio Dec 27 '16 at 10:26
Ok now it seems working, I think my fault was an error in typing "NSExceptionAllowsInsecureHTTPLoads", set to yes it's working. So final setup is: NSExceptionAllowsInsecureHTTPLoads YES, NSExceptionRequiresForwardSecrecy NO, NSIncludesSubdomains YES, NSExceptionMinimumTLSVersion TLSv1. The question now is: is this App setup compliant to Apple requirements for ATS? – Fabrizio Dec 27 '16 at 10:39
Yes it is for now, but not for a long time, you can find details here https://developer.apple.com/news/?id=12212016b – Aymen HARRATH Dec 29 '16 at 13:55
Ok I read and watched the WWDC video, thank you very much. But since I'm using third party server streaming it seems that Apple could accept justification "Some examples of justifications eligible for consideration are: Must connect to a server managed by another entity that does not support secure connections" – Fabrizio Dec 30 '16 at 20:08

AVPlayer URL https connection with ATS blocked cleartext HTTP

1 Answers1