iOS9 NSAppTransportSecurity with s3.amazon.com

Question

I'm testing an app in iOS9 and getting SSL errors with ATS loading images from amazon.com. All my stuff is being delivered over https but I'm still having issues.

I've added the correct ATS keys (worked on another app).

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>amazonaws.com</key>
        <dict>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
            <key>NSIncludesSubdomains</key>
            <true/>
        </dict>
    </dict>
</dict>

I've been all over the forums, adc, and SO and I'm not having any luck.

I've tried removing ATS entirely, and I still get the same error.

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

Error:

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802) Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, NSErrorPeerCertificateChainKey={type = immutable, count = 3, values = ( 0 : 1 : 2 : )}, NSUnderlyingError=0x7ffe70e2c690 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSErrorFailingURLStringKey=https://redacted.s3.amazonaws.com/14B78421-84F1-48D1-A8F4-73B688102EE7-21502-00003598C1B6C883_thumbnail.jpg, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, kCFStreamPropertySSLPeerCertificates={type = immutable, count = 3, values = ( 0 : 1 : 2 : )}, _kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., _kCFStreamErrorDomainKey=3, NSErrorFailingURLKey=https://redacted.s3.amazonaws.com/14B78421-84F1-48D1-A8F4-73B688102EE7-21502-00003598C1B6C883_thumbnail.jpg, _kCFStreamErrorCodeKey=-9802}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://redacted.s3.amazonaws.com/14B78421-84F1-48D1-A8F4-73B688102EE7-21502-00003598C1B6C883_thumbnail.jpg, NSErrorFailingURLStringKey=https://redacted.s3.amazonaws.com/14B78421-84F1-48D1-A8F4-73B688102EE7-21502-00003598C1B6C883_thumbnail.jpg, NSErrorClientCertificateStateKey=0}

Static files: AWS Amazon
Host: Heroku
Backend: Django
APIs: Django Rest Framework

I've tried every configuration I could find on ATS, cleaned/reset/rebuilt, modified the Django requests (originally they included querystring authentication), etc. I'm stumped on this and blocked.

Answer 1

I had to add amazonaws.com to Info.plist like you did and to user the SDWebImageAllowInvalidSSLCertificates as an option for the sd_setImageWithURL: method to get it working.

Answer 2

After I did a substring replace on https links -- I got the messages saying ATS was blocking them. I knew I had the correct keys in the Info.plist - so I figured it had to be another Info.plist somewhere.

It turns out that the there was an Info.plist in the resources but it wasn't doing anything. We had to add the ATS keys to the Info tab on the Target panel. Not 100% sure what the difference is on these two as I've always edited the Info.plist in the past.