HTTP Error in Swift 2 [duplicate] - swift

This question already has answers here:
Transport security has blocked a cleartext HTTP
(29 answers)
Closed 7 years ago.
Whenever I try to load a url or gain the data from a specific URL that follows the http:// format. Xcode returns me with this error
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
How can I fix/work my way around this

I am not sure but you have to update your info.plist file by adding this key:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key><true/>
</dict>
Or you can add it another way and it will look like:
Or you can add a specific domain like:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>yourserver.com</key>
<dict>
<!--Include to allow subdomains-->
<key>NSIncludesSubdomains</key>
<true/>
<!--Include to allow HTTP requests-->
<key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
<true/>
<!--Include to specify minimum TLS version-->
<key>NSTemporaryExceptionMinimumTLSVersion</key>
<string>TLSv1.1</string>
</dict>
</dict>
</dict>
Original Post here for that.

Related

ATS Error: "ATS policy requires the use of a secure connection", despite plist

I'm trying to make a request for an http domain, and despite having
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
<key>NSAllowsArbitraryLoadsInWebContent</key>
<true/>
<key>NSExceptionDomains</key>
<dict>
<key>my-private-domain.kubernetes.intranet%2f:9090</key>
<dict>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
<false/>
<key>NSExceptionMinimumTLSVersion</key>
<string>TLSv1.1</string>
</dict>
</dict>
</dict>
at my info.plist for the app target, XCode 12.5.1 keeps me showing the error
Task <C5F9EA01-9790-43ED-89B0-EE07341B4D84>.<4> finished with error [-1022] Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.
I needed to perform this request after updating to 12.5.1 and also tried Clean Build Folder and removing-reinstalling the app. Does someone knows if it's a policy change? (maybe only HTTPS are now allowed even in non-production targets?). The answers I found here only cites NSAllowsArbitraryLoads, NSExceptionDomains, NSExceptionMinimumTLSVersion/NSTemporaryExceptionMinimumTLSVersion and NSThirdPartyExceptionRequiresForwardSecrecy. There's something more?
Because your info.plist includes the NSAllowsArbitraryLoadsInWebContent key, the NSAllowsArbitraryLoads is ignored and treated as false. So removing the NSAllowsArbitraryLoadsInWebContent should allow all arbitrary loads.
Relevant section from Apple docs:
In iOS 10 and later and macOS 10.12 and later, the value of the
NSAllowsArbitraryLoads key is ignored—and the default value of NO used
instead—if any of the following keys are present in your app’s
Information Property List file:
NSAllowsArbitraryLoadsForMedia
NSAllowsArbitraryLoadsInWebContent
NSAllowsLocalNetworking

On the Mac, how to specify a custom tunnel provider in a App per App VPN configuration profile?

I am developing a VPN desktop client for the macOS platform and I am trying to achieve App Per-App VPN. From my understanding, this feature works by letting the user install a configuration profile, that contains information about which apps are included in the feature. A sample configuration profile is the following:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string>Configures VPN app mapping settings</string>
<key>PayloadDisplayName</key>
<string>VPN (Per-App VPN TCP App Mapping)</string>
<key>PayloadIdentifier</key>
<string>com.f5.access.macos.perapp.vpn.appmapping</string>
<key>PayloadOrganization</key>
<string/>
<key>PayloadType</key>
<string>com.apple.vpn.managed.appmapping</string>
<key>PayloadUUID</key>
<string>6B015006-D559-4C5C-B197-737CF4DCFA96</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>AppLayerVPNMapping</key>
<array>
<dict>
<key>Identifier</key>
<string>com.google.Chrome</string>
<key>VPNUUID</key>
<string>6A015006-D559-4C5C-B197-737CF4DCFA96</string>
<key>SigningIdentifier</key>
<string>com.google.Chrome</string>
<key>DesignatedRequirement</key>
<string>(identifier "com.google.Chrome" or identifier "com.google.Chrome.beta" or identifier "com.google.Chrome.dev" or identifier "com.google.Chrome.canary") and (certificate leaf = H"85cee8254216185620ddc8851c7a9fc4dfe120ef" or certificate leaf = H"c9a99324ca3fcb23dbcc36bd5fd4f9753305130a")</string>
</dict>
<dict>
<key>Identifier</key>
<string>org.mozilla.firefox</string>
<key>VPNUUID</key>
<string>6A015006-D559-4C5C-B197-737CF4DCFA96</string>
<key>SigningIdentifier</key>
<string>org.mozilla.firefox</string>
<key>DesignatedRequirement</key>
<string>anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "43AQ936H96"</string>
</dict>
</array>
</dict>
<dict>
<key>PayloadType</key>
<string>com.apple.vpn.managed.applayer</string>
<key>PayloadDescription</key>
<string>Configures VPN settings, including authentication.</string>
<key>PayloadDisplayName</key>
<string>VPN (Per-App VPN App Mapping)</string>
<key>PayloadIdentifier</key>
<string>com.f5.access.macos.perapp.vpn.vpn</string>
<key>PayloadOrganization</key>
<string/>
<key>PayloadUUID</key>
<string>5A015006-D559-4C5C-B197-737CF4DCFA96</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Proxies</key>
<dict/>
<key>UserDefinedName</key>
<string>App Mapping</string>
<key>VPN</key>
<dict>
<key>AuthName</key>
<string>test</string>
<key>AuthPassword</key>
<string>test</string>
<key>AuthenticationMethod</key>
<string>Password</string>
<key>RemoteAddress</key>
<string>https://portal.example.com</string>
<key>OnDemandMatchAppEnabled</key>
<true/>
<key>ProviderType</key>
<string>packet-tunnel</string>
<key>ProviderBundleIdentifier</key>
<string>com.f5.access.macos.PacketTunnel</string>
</dict>
<key>VPNSubType</key>
<string>com.f5.access.macos</string>
<key>VPNType</key>
<string>VPN</string>
<key>VendorConfig</key>
<dict/>
<key>VPNUUID</key>
<string>6A015006-D559-4C5C-B197-737CF4DCFA96</string>
</dict>
</array>
<key>PayloadDescription</key>
<string>PerApp VPN Payload TCP Test</string>
<key>PayloadDisplayName</key>
<string>MDM - Per-App VPN TCP</string>
<key>PayloadIdentifier</key>
<string>com.f5.access.macos.perapp.vpn</string>
<key>PayloadOrganization</key>
<string/>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>06A850CC-BC81-43FB-AA16-42BE472D2421</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
When saved in a .mobileconfig (sorry I do not know which kind of file extension is appropriate for a macOS config profile so I used the iOS extension) profile, and double clicking on it, macOS properly says that the config profile is available for install in System Preferences -> Profiles. When I go there, I can install the profile, although it is not signed, and I can see that for example Google Chrome loses Internet connectivity since the config file contains many placeholders. But I believe this means that the config file is doing its job, and the system simply does not find the relevant VPN network configuration. My next step would be to fill the data with actual Ike2 credentials etc. but my end goal is to use this Per App VPN with a custom VPN protocol (Wireguard) that my application supports in its network extension appex, using a custom tunnel provider. I really have no clue on how to configure the config profile for this Scenario, so I was hoping somebody could bring me in the right direction. Thanks for any help.

How to make App-to-Per-App VPN work on MAC OSX?

I'm attempting to learn more about the NEAppProxyProvider since I am trying to develop a mac OSX per app vpn.
What have been achieved is that the app proxy could be started and with SafariDomains setting the stream from Safari could be captured by handleNewFlow in AppProxyProvider. Now I'm trying to capture some other flow from specified apps with com.apple.vpn.managed.appmapping set in the profile. But after install the profile there is only one settings shown in Profiles. I've googled around trying to find an example or template of the profile but get nothing helpful. Please help me with checking the following profile to see if there are any problems in it.
Here's the profile which include two dicts in the array. The first dict works with Safari flow. The second dict is for per-app vpn but it seems can not be installed correctly and does not work. The SafariDomains part has been removed since I learned from apple developer forums that SafariDomains can not work with app mapping together.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>IPv4</key>
<dict>
<key>OverridePrimary</key>
<integer>0</integer>
</dict>
<key>PayloadDescription</key>
<string>Configures VPN settings</string>
<key>PayloadDisplayName</key>
<string>VPN</string>
<key>PayloadIdentifier</key>
<string>com.apple.vpn.managed.applayer.330FBB83-639F-4F9E-9FA1-4FAC93E18B68</string>
<key>PayloadType</key>
<string>com.apple.vpn.managed.applayer</string>
<key>PayloadUUID</key>
<string>330FBB83-639F-4F9E-9FA1-4FAC93E18B68</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Proxies</key>
<dict>
<key>HTTPEnable</key>
<integer>0</integer>
<key>HTTPSEnable</key>
<integer>0</integer>
</dict>
<key>UserDefinedName</key>
<string>appmapping</string>
<key>VPN</key>
<dict>
<key>AuthName</key>
<string>somebody</string>
<key>AuthPassword</key>
<string>opendoor</string>
<key>AuthenticationMethod</key>
<string>Password</string>
<key>ProviderBundleIdentifier</key>
<string>com.blob.macappproxy.macappproxy</string>
<key>ProviderType</key>
<string>app-proxy</string>
<key>RemoteAddress</key>
<string>127.0.0.1</string>
</dict>
<key>VPNSubType</key>
<string>com.blob.macappproxy</string>
<key>VPNType</key>
<string>VPN</string>
<key>OnDemandMatchAppEnabled</key>
<integer>1</integer>
<key>VendorConfig</key>
<dict/>
<key>VPNUUID</key>
<string>3D7A07D8-97D0-4E5A-BB04-1EB82DD12A35</string>
</dict>
<dict>
<key>PayloadDescription</key>
<string>Configures Per APP VPN mapping</string>
<key>PayloadDisplayName</key>
<string>Per APP VPN mapping</string>
<key>PayloadIdentifier</key>
<string>com.apple.vpn.managed.appmapping.A88E1A77-2CC2-4BF9-879C-97C3DF491EB2</string>
<key>PayloadType</key>
<string>com.apple.vpn.managed.appmapping</string>
<key>PayloadUUID</key>
<string>A88E1A77-2CC2-4BF9-879C-97C3DF491EB2</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>UserDefinedName</key>
<string>perappvpn</string>
<key>AppLayerVPNMapping</key>
<array>
<dict>
<key>Identifier</key>
<string>com.google.Chrome</string>
<key>VPNUUID</key>
<string>3D7A07D8-97D0-4E5A-BB04-1EB82DD12A35</string>
<key>DesignatedRequirement</key>
<string>(identifier "com.google.Chrome" or identifier "com.google.Chrome.beta" or identifier "com.google.Chrome.dev" or identifier "com.google.Chrome.canary") and certificate leaf = H"c9a99324ca3fcb23dbcc36bd5fd4f9753305130a"</string>
<key>SigningIdentifier</key>
<string>com.google.Chrome</string>
</dict>
</array>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>some app proxy</string>
<key>PayloadIdentifier</key>
<string>blob-MacBook-Pro.A953E629-CD95-45B4-A42D-ECA2BA870A79</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>1AEA709E-46D3-4293-B1E3-23EB8DD5B361</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
How should it be modified to let the specified application's network flow be captured in appproxyprovider's handleNewFlow method? Or can someone please paste a workable profile?

ios 11 - swift 3 - insecure ssl

i keep sending get requests via alaomfire with those settings:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>domain.com</key>
<dict>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSExceptionAllowInsecureHTTPSLoads</key>
<true/>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>
<key>NSThirdPartyExceptionAllowInsecureHTTPSLoads</key>
<true/>
</dict>
</dict>
</dict>
But i still get:
An SSL error has occurred and a secure connection to the server cannot be made
Could anybody explain this issue to me?
Thanks and Greetings!

Distributing a mobileconfig file over the web

I am dynamically generating (in a PHP script) a .mobileconfig file for iOS devices and then serve it over the web. I am delivering the file with the application/x-apple-aspen-config content type and with Content disposition as attachment;filename=myprofile.mobileconfig.
My problem is I keep getting an error that says: Safari could not install a profile due to an unknown error. What am I doing wrong? See the mobileconfig file below:
$content = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">
<plist version=\"1.0\">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>DefaultsData</key>
<dict>
<key>apns</key>
<array>
<dict>
<key>apn</key>
<string>$apnName</string>
<key>password</key>
<string>$password</string>
<key>proxy</key>
<string></string>
<key>proxyPort</key>
<integer></integer>
<key>username</key>
<string>$userName</string>
</dict>
</array>
</dict>
<key>DefaultsDomainName</key>
<string>com.apple.managedCarrier</string>
</dict>
</array>
<key>PayloadDescription</key>
<string><removed before posting here></string>
<key>PayloadDisplayName</key>
<string><removed before posting here></string>
<key>PayloadIdentifier</key>
<string><removed before posting here></string>
<key>PayloadOrganization</key>
<string><removed before posting here></string>
<key>PayloadType</key>
<string>com.apple.apn.managed</string>
<key>PayloadUUID</key>
<string>8B9A29CC-7C6E-4E32-B4AD-18ED3FDDB64D</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string><removed before posting here></string>
<key>PayloadDisplayName</key>
<string><removed before posting here></string>
<key>PayloadIdentifier</key>
<string><removed before posting here></string>
<key>PayloadOrganization</key>
<string><removed before posting here></string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>975760AB-9CCE-4496-9D2F-04FD605DDBB9</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>";
I am getting this issue both in the simulator and iPhone 3G and iPhone 4 devices.
The problem is that although proxy and proxyPort are optional, if proxyPort is included and is null, as in my xml then the profile won't install and will throw that annoying error. The solution is to remove it if it's not necessary.