NSURLSession/NSURLConnection HTTP Load Failed on iOS 9: Solutions for ATS and TLS 1.2 Adaptation

Keywords: iOS 9 | ATS | TLS 1.2 | NSURLSession | HTTP Load Failure

Abstract: This article delves into the NSURLSession/NSURLConnection HTTP load failure issues caused by the App Transport Security (ATS) mechanism introduced in iOS 9. By analyzing the root causes of error code -999 and SSL handshake failure (-9824), it details ATS's mandatory HTTPS and TLS 1.2 requirements. The article presents two main solutions: a temporary workaround to globally disable ATS, and fine-grained configuration for specific domains, including allowing insecure HTTP loads and setting minimum TLS versions. It emphasizes the importance of these as transitional measures and encourages developers to ultimately upgrade servers to comply with best security practices.

Background and Error Analysis

In the iOS 9 environment, many existing applications encounter HTTP load failures when using NSURLSession or AFURLSessionManager for network requests. Typical errors include:

Error Domain=NSURLErrorDomain Code=-999 "cancelled"
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
CFNetwork SSLHandshake failed (-9824)

Error code -999 often indicates that the request was cancelled, while -9824 points to SSL handshake failure, directly related to the App Transport Security (ATS) mechanism introduced in iOS 9.

Core Requirements of ATS

ATS is a security enhancement in iOS 9 designed to improve network communication security by enforcing HTTPS and modern encryption protocols. According to Apple's official documentation, ATS defaults require:

All network connections must use HTTPS (not HTTP).
TLS 1.2 or higher must be used.
Forward secrecy must be supported.
Certificates must use SHA-256 or better hash algorithms.

If an app attempts to connect to servers that do not meet these requirements, ATS blocks the request, causing the aforementioned SSL errors. This is common when migrating old apps or connecting to legacy servers.

Solution 1: Globally Disable ATS (Temporary Workaround)

As a quick fix, developers can add the following configuration to the app's Info.plist file to allow arbitrary loads globally:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

This method is simple and effective but poses significant security risks as it completely bypasses ATS protections. Therefore, Apple and the community strongly recommend using this only as a temporary measure until the app or servers are upgraded to comply with ATS standards.

Solution 2: Fine-Grained Domain Exception Configuration

For cases requiring connections to specific legacy servers, a safer approach is to configure domain exceptions. For example, if a server YOURHOST.COM only supports TLS 1.0, set in Info.plist:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>YOURHOST.COM</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSTemporaryExceptionMinimumTLSVersion</key>
            <string>1.0</string>
            <key>NSTemporaryExceptionRequiresForwardSecrecy</key>
            <false/>
        </dict>
    </dict>
</dict>

This configuration allows insecure HTTP loads for YOURHOST.COM and its subdomains, relaxes the minimum TLS version to 1.0, and disables forward secrecy requirements. It balances compatibility and security but should also be considered a transitional solution.

Code Examples and Implementation Details

In AFNetworking or native NSURLSession, error handling needs to adapt to ATS changes. Below is an example using NSURLSessionDataTask, demonstrating how to capture and handle ATS-related errors:

__block NSURLSessionDataTask *task = [self.sessionManager dataTaskWithRequest:request completionHandler:^(NSURLResponse * __unused response, id responseObject, NSError *error) {
    if (error) {
        if (error.code == -999) {
            NSLog(@"Request may be blocked by ATS; check Info.plist configuration.");
        } else if (error.code == -9824) {
            NSLog(@"SSL handshake failed; server may not support TLS 1.2.");
        }
    } else {
        // Handle successful response
    }
}];
[task resume];

By judging error codes, developers can quickly identify ATS issues and guide users or logs to check configurations.

Best Practices and Long-Term Strategies

While the above configurations solve immediate problems, upgrading servers to support TLS 1.2 and HTTPS is the best long-term path. Apple encourages developers to fully adopt ATS to enhance overall app security. For scenarios where immediate upgrades are not possible, it is recommended to:

Use domain exceptions instead of global disabling to minimize security exposure.
Monitor and log usage of all exception domains to support migration plans.
Regularly review Info.plist configurations and remove unnecessary exceptions.

Community resources like iOS9AdaptationTips offer more adaptation advice, helping developers transition smoothly to the secure environment of iOS 9.

Copyright Notice: All rights in this article are reserved by the operators of DevGex. Reasonable sharing and citation are welcome; any reproduction, excerpting, or re-publication without prior permission is prohibited.