
[El Capitan only] The lifesaver command for when iOS 9 throws errors even over HTTPS, with a worked fix


ATS

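:tada: TIPS: Classmethod's article on ATS is a very helpful reference

When ATS is enabled, devices running iOS 9 or later cannot make HTTP connections.
In addition, if the web server's configuration does not meet Apple's recommended requirements, even HTTPS connections fail on iOS 9.

Disabling ATS is not the recommended fix, so I want to configure exceptions instead.
But verifying the exceptions one at a time is tedious...

The lifesaver command for exactly that situation

:zap: WARNING: El Capitan only

Command

Open a console and run the following command: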


$ nscurl --ats-diagnostics https://www.*****.com

This runs connection tests for each ATS exception setting and prints the result of each pattern, as shown below.
Apply the ones marked Result : PASS to Info.plist.

2016-01-06 19:50:28.848 nscurl[36735:501451] CFNetwork SSLHandshake failed (-9824)
2016-01-06 19:50:28.849 nscurl[36735:501451] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
2016-01-06 19:50:29.101 nscurl[36735:501451] CFNetwork SSLHandshake failed (-9824)
2016-01-06 19:50:29.101 nscurl[36735:501451] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
2016-01-06 19:50:29.115 nscurl[36735:501451] CFNetwork SSLHandshake failed (-9824)
2016-01-06 19:50:29.116 nscurl[36735:501451] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
2016-01-06 19:50:29.131 nscurl[36735:501451] CFNetwork SSLHandshake failed (-9824)
2016-01-06 19:50:29.132 nscurl[36735:501451] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
2016-01-06 19:50:29.145 nscurl[36735:501451] CFNetwork SSLHandshake failed (-9801)
2016-01-06 19:50:29.145 nscurl[36735:501451] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)
2016-01-06 19:50:29.160 nscurl[36735:501451] CFNetwork SSLHandshake failed (-9801)
2016-01-06 19:50:29.175 nscurl[36735:501451] CFNetwork SSLHandshake failed (-9824)
2016-01-06 19:50:29.191 nscurl[36735:501451] CFNetwork SSLHandshake failed (-9824)
2016-01-06 19:50:29.191 nscurl[36735:501451] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
2016-01-06 19:50:29.206 nscurl[36735:501451] CFNetwork SSLHandshake failed (-9801)
2016-01-06 19:50:29.207 nscurl[36735:501451] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)
2016-01-06 19:50:29.222 nscurl[36735:501451] CFNetwork SSLHandshake failed (-9801)
2016-01-06 19:50:29.222 nscurl[36735:501451] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)
2016-01-06 19:50:29.397 nscurl[36735:501451] CFNetwork SSLHandshake failed (-9801)
2016-01-06 19:50:29.413 nscurl[36735:501451] CFNetwork SSLHandshake failed (-9824)
2016-01-06 19:50:29.431 nscurl[36735:501451] CFNetwork SSLHandshake failed (-9824)
2016-01-06 19:50:29.432 nscurl[36735:501451] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
2016-01-06 19:50:29.446 nscurl[36735:501451] CFNetwork SSLHandshake failed (-9801)
2016-01-06 19:50:29.461 nscurl[36735:501451] CFNetwork SSLHandshake failed (-9824)
2016-01-06 19:50:29.477 nscurl[36735:501451] CFNetwork SSLHandshake failed (-9801)
2016-01-06 19:50:29.478 nscurl[36735:501451] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)
Starting ATS Diagnostics

Configuring ATS Info.plist keys and displaying the result of HTTPS loads to https://www.*****.com.
A test will "PASS" if URLSession:task:didCompleteWithError: returns a nil error.
Use '--verbose' to view the ATS dictionaries used and to display the error received in URLSession:task:didCompleteWithError:.
================================================================================

Default ATS Secure Connection
---
ATS Default Connection
Result : FAIL
---

================================================================================

Allowing Arbitrary Loads

---
Allow All Loads
Result : PASS
---

================================================================================

Configuring TLS exceptions for www.*****.com

---
TLSv1.2
Result : FAIL
---

---
TLSv1.1
Result : FAIL
---

---
TLSv1.0
Result : FAIL
---

================================================================================

Configuring PFS exceptions for www.*****.com

---
Disabling Perfect Forward Secrecy
Result : FAIL
---

================================================================================

Configuring PFS exceptions and allowing insecure HTTP for www.*****.com

---
Disabling Perfect Forward Secrecy and Allowing Insecure HTTP
Result : FAIL
---

================================================================================

Configuring TLS exceptions with PFS disabled for www.*****.com

---
TLSv1.2 with PFS disabled
Result : FAIL
---

---
TLSv1.1 with PFS disabled
Result : FAIL
---

---
TLSv1.0 with PFS disabled
Result : PASS
---

================================================================================

Configuring TLS exceptions with PFS disabled and insecure HTTP allowed for www.*****.com

---
TLSv1.2 with PFS disabled and insecure HTTP allowed
Result : FAIL
---

---
TLSv1.1 with PFS disabled and insecure HTTP allowed
Result : FAIL
---

---
TLSv1.0 with PFS disabled and insecure HTTP allowed
Result : PASS
---

================================================================================

Applying the results to Info.plist

In the example above, there were three PASS results.

Result 1. Disable ATS

Allow All Loads
Result : PASS

This is not recommended, so it is rejected.

Result 2. Disable PFS and set an exception for TLSv1.0

TLSv1.0 with PFS disabled
Result : PASS

Adding the following to NSExceptionDomains resolved it:

<dict>
  <key>www.*****.com</key>
  <dict>
    <key>NSExceptionMinimumTLSVersion</key>
    <string>TLSv1.0</string>
    <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
    <false/>
  </dict>
</dict>

Result 3. On top of the Result 2 fix, allow insecure HTTP connections

TLSv1.0 with PFS disabled and insecure HTTP allowed
Result : PASS

Adding the following to NSExceptionDomains resolved it:

<dict>
  <key>www.*****.com</key>
  <dict>
    <key>NSExceptionMinimumTLSVersion</key>
    <string>TLSv1.0</string>
    <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
    <false/>
    <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
    <true/>
  </dict>
</dict>

This time, Result 2 seemed the best choice, because it avoids setting any unnecessary exceptions!
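The selection step above can be automated. The following is an added example, not code from the original article: it parses `nscurl --ats-diagnostics` output and returns the passing test that relaxes the fewest protections. The function names, the cost weights and the sample text are assumptions made for this illustration.

```python
import re

# Relative cost of each relaxation; the weights are this example's own assumption.
COST = {"arbitrary_loads": 100, "insecure_http": 10, "no_pfs": 3,
        "TLSv1.0": 2, "TLSv1.1": 1, "TLSv1.2": 0}

def parse_results(text):
    """Return [(test_name, passed)] from `nscurl --ats-diagnostics` output."""
    results, name = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = re.fullmatch(r"Result\s*:\s*(PASS|FAIL)", line)
        if m:
            if name:
                results.append((name, m.group(1) == "PASS"))
            name = None
        elif line and set(line) - set("-="):   # skip blanks and ---/=== rules
            name = line                        # last text line before "Result"
    return results

def relaxations(name):
    """Map a test name to the set of ATS protections it switches off."""
    if name == "Allow All Loads":
        return {"arbitrary_loads"}
    low, out = name.lower(), set()
    tls = re.search(r"TLSv1\.[012]", name)
    if tls:
        out.add(tls.group(0))
    if "pfs disabled" in low or "perfect forward secrecy" in low:
        out.add("no_pfs")
    if "insecure http" in low:
        out.add("insecure_http")
    return out

def least_permissive(text):
    """Pick the passing test that gives up the least, or None if none pass."""
    passing = [n for n, ok in parse_results(text) if ok]
    return min(passing, key=lambda n: sum(COST[r] for r in relaxations(n)),
               default=None)

# Constructed sample in the tool's block format, mirroring the results above.
SAMPLE = "\n".join(f"---\n{n}\nResult : {r}\n---\n" for n, r in [
    ("ATS Default Connection", "FAIL"), ("Allow All Loads", "PASS"),
    ("TLSv1.0", "FAIL"), ("Disabling Perfect Forward Secrecy", "FAIL"),
    ("TLSv1.0 with PFS disabled", "PASS"),
    ("TLSv1.0 with PFS disabled and insecure HTTP allowed", "PASS")])

if __name__ == "__main__":
    print(least_permissive(SAMPLE))
```

If "ATS Default Connection" is among the passing tests, it is returned, meaning no exception is needed for that host.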

Summary

"It's HTTPS, so it's safe!" I thought that way and got burned, so I wrote this up.
I hope it helps someone.

That's all :tada:
Thank you
