Question regarding bypassing server trust authentication

Hello,

I am trying to implement Post/Get communication to an HTTPS server advertising as a WiFi access point. When I attempt to do these posts/gets using software like Postman or curl in my terminal, I have no issue. When I try to do it in Swift for my iOS app, we run into server trust issues (corresponds to NSURLErrorDomain -> NSURLErrorServerCertificateUntrusted -> -1202 error code).

I am at a loss for how to get around this in Swift. I've tried modifying the Info.plist file to accept `NSExceptionAllowsInsecureHTTPLoads`, but this has not resolved the issue. I understand that what I am doing is insecure -- this is only for internal development tools, which is why I accept the security risk. I also don't have a better option right now, so I am hoping there are thoughts out there which I can leverage.

Appreciate any and all ideas!

NSExceptionAllowsInsecureHTTPLoads doesn't help with insecure HTTPS connections; it only allows plain HTTP connections. You probably want to add your host to the NSExceptionDomains as outlined in Apple's support document. You can also use the nscurl tool to test connections to your host and determine which ATS rules you might need to disable.

Thanks for this! I tried two things based on this response and have some follow up questions.

It seems like the correct item to set in the Info.plist is NSAllowsArbitraryLoads -- it seems like if this is true, ATS security is bypassed. However, when I try this, it still fails. Does that point to some other issue?

Continuing, I also tried using nscurl to see how that behaved when looking at the HTTPS server; it failed every single check... I don't understand why this would fail for Apple items but not Postman? Does that make any sense?

Turning off ATS doesn't disable the root TLS validations that all connections undergo, just the additional ones Apple put in place, so it's not a fix for all possible issues. At this point you need to inspect the returned SSL cert and see what might be triggering issues. If nothing else, it might be easiest for you to trust the cert manually on your test device / sim. You may also be running into the recent expiration of the old Let's Encrypt root certificate, which certain macOS (and presumably iOS) systems haven't handled well. Your testing in Postman works because Chrome (or the standalone Postman app) maintains its own root trust store, which may be properly updated. So load the page in Safari on the affected device (real or sim) and see what the error says.

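The reply above recommends trusting the dev server's certificate explicitly rather than switching validation off. As an added example (not code from this thread or from Apple), here is a URLSessionDelegate that answers the -1202 server-trust challenge by evaluating the chain only against a certificate exported from the dev server and bundled with the app; the hostname `dev-ap.internal` and the bundle file `dev-server.cer` are assumptions, and every other host keeps the system's default validation.

```swift
import Foundation
import Security

/// Accepts ONLY the bundled certificate for the internal dev host.
/// Hypothetical values: host "dev-ap.internal", bundled DER file "dev-server.cer".
final class PinnedDevServerDelegate: NSObject, URLSessionDelegate {
    private let pinnedHost = "dev-ap.internal"   // assumption: the access point's hostname
    private let pinnedCertificate: SecCertificate

    init?(certificateName: String = "dev-server") {
        // DER-encoded leaf (or private root) exported from the dev server and added to the bundle.
        guard let url = Bundle.main.url(forResource: certificateName, withExtension: "cer"),
              let data = try? Data(contentsOf: url),
              let cert = SecCertificateCreateWithData(nil, data as CFData) else { return nil }
        pinnedCertificate = cert
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        // Handle server-trust challenges for the pinned host only; anything else
        // falls through to the normal system trust store and ATS checks.
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              space.host == pinnedHost,
              let trust = space.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Replace the system roots with the bundled certificate as the sole anchor.
        // The SSL policy (hostname check, expiry) URLSession attached to the trust stays in force.
        _ = SecTrustSetAnchorCertificates(trust, [pinnedCertificate] as CFArray)
        _ = SecTrustSetAnchorCertificatesOnly(trust, true)
        var error: CFError?
        if SecTrustEvaluateWithError(trust, &error) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Any other certificate on this host is still rejected, as with -1202.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage:
// let delegate = PinnedDevServerDelegate()!
// let session = URLSession(configuration: .default, delegate: delegate, delegateQueue: nil)
// session.dataTask(with: URL(string: "https://dev-ap.internal/api")!) { _, _, error in print(error as Any) }.resume()
```

Because the pin is keyed to one hostname, a production build can ship the same code without weakening trust for any other endpoint; rotating the dev server's certificate means replacing the bundled file.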