ATS
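TIPS: Classmethod's articles are a very helpful reference on ATS
When ATS is enabled, devices running iOS 9 or later cannot make HTTP connections
In addition, if the web server's configuration does not meet Apple's recommended requirements, even HTTPS connections fail with an error on iOS 9
Disabling ATS is not the recommended fix, so I want to configure exceptions instead
But verifying the exceptions one by one is tedious...
This is the command that comes to the rescue
WARNING: El Capitan only
Command
Open a console and run the following command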
$ nscurl --ats-diagnostics https://www.*****.com
This runs a connection test for each ATS exception setting and prints the result for each pattern, as shown below
Apply the entries marked Result : PASS to Info.plist
2016-01-06 19:50:28.848 nscurl[36735:501451] CFNetwork SSLHandshake failed (-9824)
2016-01-06 19:50:28.849 nscurl[36735:501451] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
2016-01-06 19:50:29.101 nscurl[36735:501451] CFNetwork SSLHandshake failed (-9824)
2016-01-06 19:50:29.101 nscurl[36735:501451] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
2016-01-06 19:50:29.115 nscurl[36735:501451] CFNetwork SSLHandshake failed (-9824)
2016-01-06 19:50:29.116 nscurl[36735:501451] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
2016-01-06 19:50:29.131 nscurl[36735:501451] CFNetwork SSLHandshake failed (-9824)
2016-01-06 19:50:29.132 nscurl[36735:501451] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
2016-01-06 19:50:29.145 nscurl[36735:501451] CFNetwork SSLHandshake failed (-9801)
2016-01-06 19:50:29.145 nscurl[36735:501451] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)
2016-01-06 19:50:29.160 nscurl[36735:501451] CFNetwork SSLHandshake failed (-9801)
2016-01-06 19:50:29.175 nscurl[36735:501451] CFNetwork SSLHandshake failed (-9824)
2016-01-06 19:50:29.191 nscurl[36735:501451] CFNetwork SSLHandshake failed (-9824)
2016-01-06 19:50:29.191 nscurl[36735:501451] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
2016-01-06 19:50:29.206 nscurl[36735:501451] CFNetwork SSLHandshake failed (-9801)
2016-01-06 19:50:29.207 nscurl[36735:501451] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)
2016-01-06 19:50:29.222 nscurl[36735:501451] CFNetwork SSLHandshake failed (-9801)
2016-01-06 19:50:29.222 nscurl[36735:501451] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)
2016-01-06 19:50:29.397 nscurl[36735:501451] CFNetwork SSLHandshake failed (-9801)
2016-01-06 19:50:29.413 nscurl[36735:501451] CFNetwork SSLHandshake failed (-9824)
2016-01-06 19:50:29.431 nscurl[36735:501451] CFNetwork SSLHandshake failed (-9824)
2016-01-06 19:50:29.432 nscurl[36735:501451] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
2016-01-06 19:50:29.446 nscurl[36735:501451] CFNetwork SSLHandshake failed (-9801)
2016-01-06 19:50:29.461 nscurl[36735:501451] CFNetwork SSLHandshake failed (-9824)
2016-01-06 19:50:29.477 nscurl[36735:501451] CFNetwork SSLHandshake failed (-9801)
2016-01-06 19:50:29.478 nscurl[36735:501451] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)
Starting ATS Diagnostics
Configuring ATS Info.plist keys and displaying the result of HTTPS loads to https://www.*****.com.
A test will "PASS" if URLSession:task:didCompleteWithError: returns a nil error.
Use '--verbose' to view the ATS dictionaries used and to display the error received in URLSession:task:didCompleteWithError:.
================================================================================
Default ATS Secure Connection
---
ATS Default Connection
Result : FAIL
---
================================================================================
Allowing Arbitrary Loads
---
Allow All Loads
Result : PASS
---
================================================================================
Configuring TLS exceptions for www.*****.com
---
TLSv1.2
Result : FAIL
---
---
TLSv1.1
Result : FAIL
---
---
TLSv1.0
Result : FAIL
---
================================================================================
Configuring PFS exceptions for www.*****.com
---
Disabling Perfect Forward Secrecy
Result : FAIL
---
================================================================================
Configuring PFS exceptions and allowing insecure HTTP for www.*****.com
---
Disabling Perfect Forward Secrecy and Allowing Insecure HTTP
Result : FAIL
---
================================================================================
Configuring TLS exceptions with PFS disabled for www.*****.com
---
TLSv1.2 with PFS disabled
Result : FAIL
---
---
TLSv1.1 with PFS disabled
Result : FAIL
---
---
TLSv1.0 with PFS disabled
Result : PASS
---
================================================================================
Configuring TLS exceptions with PFS disabled and insecure HTTP allowed for www.*****.com
---
TLSv1.2 with PFS disabled and insecure HTTP allowed
Result : FAIL
---
---
TLSv1.1 with PFS disabled and insecure HTTP allowed
Result : FAIL
---
---
TLSv1.0 with PFS disabled and insecure HTTP allowed
Result : PASS
---
================================================================================
Applying the results to Info.plist
In the example above, three results were PASS
Result 1. Disable ATS
Allow All Loads
Result : PASS
This is not recommended, so it is rejected
Result 2. Disable PFS and set an exception for TLSv1.0
TLSv1.0 with PFS disabled
Result : PASS
Adding the following to NSExceptionDomains handled this case
<dict>
    <key>www.*****.com</key>
    <dict>
        <key>NSExceptionMinimumTLSVersion</key>
        <string>TLSv1.0</string>
        <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
        <false/>
    </dict>
</dict>
Result 3. In addition to the Result 2 settings, allow insecure HTTP
TLSv1.0 with PFS disabled and insecure HTTP allowed
Result : PASS
Adding the following to NSExceptionDomains handled this case
<dict>
    <key>www.*****.com</key>
    <dict>
        <key>NSExceptionMinimumTLSVersion</key>
        <string>TLSv1.0</string>
        <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
        <false/>
        <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
        <true/>
    </dict>
</dict>
In this case, **Result 2.** seemed the best choice, because it avoids setting any unnecessary exceptions!
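The selection done by hand above can be scripted. This is an added example, not code from the original article: it parses the PASS/FAIL blocks in the format shown above, skips "Allow All Loads", picks the passing test that relaxes the fewest keys, and emits the NSExceptionDomains value. The function names, the ranking rule and the host www.example.com are assumptions made for illustration; the plist keys are the ones used in this article.

```python
import plistlib
import re

# Constructed sample: a subset of the result blocks shown in the output above.
SAMPLE = """\
ATS Default Connection
Result : FAIL
---
Allow All Loads
Result : PASS
---
TLSv1.0 with PFS disabled
Result : PASS
---
TLSv1.0 with PFS disabled and insecure HTTP allowed
Result : PASS
---
"""

def passing_tests(output):
    """Names of tests whose next line reads 'Result : PASS'."""
    lines = [line.strip() for line in output.splitlines()]
    return [lines[i - 1] for i in range(1, len(lines))
            if re.fullmatch(r"Result\s*:\s*PASS", lines[i])]

def exception_for(name):
    """Map a test name to the exception keys used in this article."""
    keys, low = {}, name.lower()
    tls = re.match(r"TLSv1\.\d", name)
    if tls:
        keys["NSExceptionMinimumTLSVersion"] = tls.group(0)
    if "pfs disabled" in low or "disabling perfect forward secrecy" in low:
        keys["NSThirdPartyExceptionRequiresForwardSecrecy"] = False
    if "insecure http" in low:
        keys["NSTemporaryExceptionAllowsInsecureHTTPLoads"] = True
    return keys

def least_permissive(output):
    """Passing test that relaxes the fewest keys, or None if none qualifies.
    'Allow All Loads' turns ATS off entirely, so it is never a candidate."""
    names = [n for n in passing_tests(output) if n != "Allow All Loads"]
    # Assumed ranking: fewer relaxed keys is better; first listed wins ties.
    return min(names, key=lambda n: len(exception_for(n)), default=None)

def exception_domains_plist(domain, name):
    """Serialize the NSExceptionDomains value for one domain as plist XML."""
    return plistlib.dumps({domain: exception_for(name)}).decode()

if __name__ == "__main__":
    best = least_permissive(SAMPLE)
    print(best)
    print(exception_domains_plist("www.example.com", best))  # placeholder host
```

If "ATS Default Connection" passes, it is selected with an empty exception dictionary, meaning no exception is needed for that domain.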
Summary
"It's HTTPS, so it's safe!" I used to think that way and got burned, so I wrote this up
I hope it is useful to someone
That's all
Thank you