With ATS enabled in iOS 9, many of my customers are unable to meet the forward secrecy requirement. They can, however, meet the HTTPS and TLS 1.2 requirements. Because of this I would like to relax the forward secrecy requirement whilst keeping the HTTPS and TLS 1.2 requirements in place.
I was wondering if anyone has figured out a way to use NSExceptionRequiresForwardSecrecy or NSThirdPartyExceptionRequiresForwardSecrecy to disable forward secrecy for all domains.
I tried using * for NSExceptionDomains or *.com but when I used that the problem link did not work. When I use its domain.com then the problem link will load. I was looking at the Apple Docs on it but didn't see any way to achieve my goal.
Is it possible to just disable forward secrecy for all domains, sort of like you can completely disable ATS by setting NSAppTransportSecurity/NSAllowsArbitraryLoads to true?
Thanks!
Yes, it is possible. You probably have at least one domain you will certainly connect to. If that is not the case, just use any reliable web site (google.com, facebook.com, etc.).
You should add an NSExceptionDomains rule for this domain by specifying the NSAppTransportSecurity configuration in the following way:
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <!-- the exception applies to google.com and, via NSIncludesSubdomains, all of its subdomains -->
        <key>google.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
            <false/>
        </dict>
    </dict>
</dict>
FYI, Facebook apps use the same NSAppTransportSecurity configuration.
It's possible. Try the following:
<key>NSAppTransportSecurity</key>
<dict>
    <!-- global opt-out: turns ATS off for every domain -->
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>
You can even add a specific exception:
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>testdomain.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <false/>
            <!-- keys for domains you control (Apple's documented spelling is "Allows" and "HTTP", not "Allow" / "HTTPS") -->
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <false/>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <true/>
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.2</string>
            <!-- NSThirdParty* keys are the equivalents for domains you do not control -->
            <key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
            <false/>
            <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
            <true/>
            <key>NSThirdPartyExceptionMinimumTLSVersion</key>
            <string>TLSv1.2</string>
            <key>NSRequiresCertificateTransparency</key>
            <false/>
        </dict>
        ...
    </dict>
</dict>
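Because every one of these keys silently weakens a protection, and a misspelled key is silently ignored by ATS, it is worth auditing the Info.plist rather than trusting it by eye. The script below is an added example, not code from either answer: it parses the NSAppTransportSecurity dictionary with Python's standard plistlib and reports each relaxation per domain, including the global NSAllowsArbitraryLoads opt-out (which drops the HTTPS and TLS 1.2 requirements as well, not only forward secrecy), any minimum TLS version below the ATS default of TLSv1.2, and any per-domain key that is not one of Apple's documented ATS keys. The sample plist, its domains, and the deliberately misspelled key on typo.example.com are constructed for the example.

```python
"""Audit the App Transport Security (ATS) section of an iOS Info.plist.

Added example, not code from the original post. Key names are Apple's
documented ATS keys; the domains and the sample plist are constructed.
"""
import plistlib

ATS_ROOT = "NSAppTransportSecurity"

# Per-domain keys that ATS honours; anything else is silently ignored.
KNOWN_DOMAIN_KEYS = {
    "NSIncludesSubdomains",
    "NSExceptionAllowsInsecureHTTPLoads",
    "NSExceptionRequiresForwardSecrecy",
    "NSExceptionMinimumTLSVersion",
    "NSThirdPartyExceptionAllowsInsecureHTTPLoads",
    "NSThirdPartyExceptionRequiresForwardSecrecy",
    "NSThirdPartyExceptionMinimumTLSVersion",
    "NSRequiresCertificateTransparency",
}

# Key -> the value that relaxes a protection.
WEAKENING_VALUES = {
    "NSExceptionAllowsInsecureHTTPLoads": True,
    "NSThirdPartyExceptionAllowsInsecureHTTPLoads": True,
    "NSExceptionRequiresForwardSecrecy": False,
    "NSThirdPartyExceptionRequiresForwardSecrecy": False,
}

TLS_RANK = {"TLSv1.0": 0, "TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3}
ATS_DEFAULT_TLS = "TLSv1.2"


def audit_ats_dict(info):
    """Return (domain, finding) tuples for every ATS relaxation in a parsed plist.

    The domain "*" marks a global relaxation (NSAllowsArbitraryLoads).
    """
    ats = info.get(ATS_ROOT, {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("*", "NSAllowsArbitraryLoads=True disables ATS "
                              "(HTTPS, TLS 1.2 and forward secrecy) for every domain"))
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        scope = domain + (" and subdomains" if rules.get("NSIncludesSubdomains") else "")
        # Explicit opt-outs: cleartext HTTP or no forward secrecy.
        for key, weak in WEAKENING_VALUES.items():
            if key in rules and rules[key] == weak:
                findings.append((domain, f"{key}={weak} on {scope}"))
        # Minimum TLS version lowered below the ATS default.
        for key in ("NSExceptionMinimumTLSVersion", "NSThirdPartyExceptionMinimumTLSVersion"):
            version = rules.get(key)
            if version is not None and TLS_RANK.get(version, -1) < TLS_RANK[ATS_DEFAULT_TLS]:
                findings.append((domain, f"{key}={version} on {scope} "
                                         f"(below the ATS default {ATS_DEFAULT_TLS})"))
        # Typos: a key ATS does not know is ignored, so the intended rule never applies.
        for key in rules:
            if key not in KNOWN_DOMAIN_KEYS:
                findings.append((domain, f"unknown key {key} is ignored by ATS; "
                                         "check the spelling against Apple's documentation"))
    return findings


def audit_ats(plist_bytes):
    """Parse an XML or binary plist and audit its ATS settings."""
    return audit_ats_dict(plistlib.loads(plist_bytes))


# Constructed sample Info.plist (not from any real app): one domain that only
# relaxes forward secrecy, one that allows cleartext and TLS 1.0, and one with
# a misspelled key (constructed to show that ATS would silently ignore it).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSExceptionDomains</key><dict>
      <key>legacy.example.com</key><dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionRequiresForwardSecrecy</key><false/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.2</string>
      </dict>
      <key>insecure.example.com</key><dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
      <key>typo.example.com</key><dict>
        <key>NSExceptionAllowInsecureHTTPSLoads</key><true/>
      </dict>
    </dict>
  </dict>
</dict></plist>
"""

if __name__ == "__main__":
    for domain, finding in audit_ats(SAMPLE_PLIST):
        print(f"[{domain}] {finding}")
```

Run against a real app, replace SAMPLE_PLIST with the bytes of the built app's Info.plist; plistlib accepts the binary form that Xcode emits as well as the XML source. For the sample, legacy.example.com is reported only for the forward-secrecy opt-out, which is the narrowest relaxation the question is after, while the other two domains show the kind of drift (cleartext, old TLS, a key that does nothing) that the audit is meant to catch.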