Reputation: 700
I'm trying to enable the `NSRequiresCertificateTransparency` flag from App Transport Security for my iOS app to achieve better security. I tested and it works fine on my device having iOS 10 and in the simulator with iOS 10. But it makes HTTPS connections fail in the simulator with iOS 9.3. If I just turn off this particular flag, it becomes working again.
The problem is not in the server I connect to, because I was able to reproduce it even with www.apple.com. Here are the settings from Info.plist that I use:
```xml
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>www.apple.com</key>
        <dict>
            <key>NSRequiresCertificateTransparency</key>
            <true/>
        </dict>
    </dict>
</dict>
```
And here is the code:
```objectivec
// Plain GET against www.apple.com through the shared session; only the failure case is logged.
NSURLSessionDataTask *task = [[NSURLSession sharedSession]
    dataTaskWithURL:[NSURL URLWithString:@"https://www.apple.com/"]
  completionHandler:^(NSData * _Nullable data, NSURLResponse * _Nullable response, NSError * _Nullable error) {
    if (error) {
        NSLog(@"fail");
    }
}];
[task resume];
```
The error I see in the log is: `NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)`
Maybe it happens only in the simulator with iOS 9? Unfortunately I don't have a device with iOS 9 at hand to test it.
UPDATE:
I don't see anything helpful in the log after setting the `CFNETWORK_DIAGNOSTICS=3` environment variable. Here is the part where it reports the error:
```
Response Error
Request: <CFURLRequest 0x7f8d0f668d00 [0x108314a40]> {url = https://www.apple.com/, cs = 0x0}
Error: Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x7f8d0f590a80>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=<CFArray 0x7f8d0f50dfb0 [0x108314a40]>{type = immutable, count = 2, values = (
0 : <cert(0x7f8d0f66ef10) s: www.apple.com i: Symantec Class 3 EV SSL CA - G3>
1 : <cert(0x7f8d0f637e60) s: Symantec Class 3 EV SSL CA - G3 i: VeriSign Class 3 Public Primary Certification Authority - G5>
)}}
} [3:22]
Jan 31 17:09:13 test2[34612] <Notice>: CFNetwork Diagnostics [3:23] 17:09:13.125 {
Did Fail
Loader: <CFURLRequest 0x7f8d0f737670 [0x108314a40]> {url = https://www.apple.com/, cs = 0x0}
Error: Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x7f8d0f590a80>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=<CFArray 0x7f8d0f50dfb0 [0x108314a40]>{type = immutable, count = 2, values = (
0 : <cert(0x7f8d0f66ef10) s: www.apple.com i: Symantec Class 3 EV SSL CA - G3>
1 : <cert(0x7f8d0f637e60) s: Symantec Class 3 EV SSL CA - G3 i: VeriSign Class 3 Public Primary Certification Authority - G5>
)}}
init to origin load: 0.00299901s
total time: 0.156503s
total bytes: 0
} [3:23]
```
UPDATE 2:
Here is the view of the error object in the debugger.
Upvotes: 2
Views: 3946
Reputation: 13619
The `NSRequiresCertificateTransparency` key was introduced in iOS 10, so I'm not sure why this would be failing. It is definitely not failing because of Certificate Transparency, since iOS 9 wouldn't check it, but iOS 10 would (since iOS 10 understands the `NSRequiresCertificateTransparency` key).
I did confirm that this fails on physical devices running iOS 9. But it doesn't fail for all servers. www.google.com, for example, works on iOS 9 in the simulator and physical devices.
I would recommend turning on ATS verbose network logging to determine if the SSL failure is caused by your ATS configuration or if something else is failing. See details of how to turn on verbose logging here. I suspect there is another error that is causing the SSL error.
Also, delete all your entries related to App Transport Security from your Info.plist and see if it works in iOS 9. At least eliminate the setting as the root cause.
The only other thing I can think of is that iOS 9 is confused by the fact that you have an exception domain with no valid (as far as iOS 9 is concerned) keys underneath it, although I doubt this is it. Maybe add an `NSAllowsArbitraryLoads` key with a value of false under your apple.com exception domain entry.
I would recommend turning the flag off until you no longer need to support iOS 9 devices.
Upvotes: 3
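As an added example (not code from the question or the answer), a small Python check that parses an Info.plist with the standard `plistlib` module and flags exception domains whose only keys are ones iOS 9 does not understand, which is the situation the answer describes. The per-domain key sets are my own assumption about which ATS keys predate iOS 10; the sample plist is constructed from the question's fragment.

```python
"""Lint an Info.plist App Transport Security block for exception domains
that iOS 9 cannot interpret. Added example, not from the question or answer."""
import plistlib

# Per-domain ATS keys first understood by iOS 10 (the answer names this one).
IOS10_ONLY_DOMAIN_KEYS = {"NSRequiresCertificateTransparency"}

# Per-domain ATS keys that iOS 9 already understood (assumption by the editor).
IOS9_DOMAIN_KEYS = {
    "NSIncludesSubdomains",
    "NSExceptionAllowsInsecureHTTPLoads",
    "NSExceptionMinimumTLSVersion",
    "NSExceptionRequiresForwardSecrecy",
    "NSThirdPartyExceptionAllowsInsecureHTTPLoads",
    "NSThirdPartyExceptionMinimumTLSVersion",
    "NSThirdPartyExceptionRequiresForwardSecrecy",
}


def lint_ats(plist_bytes):
    """Return a list of (domain, message) findings for the ATS dictionary."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("*", "NSAllowsArbitraryLoads is true: ATS disabled app-wide"))
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        keys = set(cfg)
        ios10_keys = keys & IOS10_ONLY_DOMAIN_KEYS
        ios9_keys = keys & IOS9_DOMAIN_KEYS
        if ios10_keys:
            findings.append((domain, "ignored on iOS 9: " + ", ".join(sorted(ios10_keys))))
        if ios10_keys and not ios9_keys:
            # This is the shape the answer suspects: an exception domain with no key iOS 9 knows.
            findings.append((domain, "no key iOS 9 recognises; answer suggests NSAllowsArbitraryLoads=false here"))
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append((domain, "plaintext HTTP allowed for this domain"))
    return findings


# Constructed sample: the question's Info.plist fragment wrapped in a full plist.
QUESTION_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>NSAppTransportSecurity</key><dict>
<key>NSExceptionDomains</key><dict>
<key>www.apple.com</key><dict>
<key>NSRequiresCertificateTransparency</key><true/>
</dict></dict></dict></dict></plist>"""

if __name__ == "__main__":
    for domain, message in lint_ats(QUESTION_PLIST):
        print(f"{domain}: {message}")
```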