iOS: SSL error - page not loading in WKWebView but loads in Safari

In the app I'm working on, I need to handle 3-D Secure redirects from our payment service provider. These redirects point to a web page of the card issuer that is shown in a WKWebView to the user in the app.

This works all the time except one case where the WKWebView doesn't load for https://3dsecure.csas.cz/ and fails with the following error:

Error Domain=NSURLErrorDomain
Code=-1200
"An SSL error has occurred and a secure connection to the server cannot be made."

What's interesting is that the same URL loads with no problems in Safari or in SFSafariViewController. Even the server's certificate is okay:

Safari screenshot - certificate for 3dsecure.csas.cz

I've tried to play around with NSAppTransportSecurity settings in the app's Info.plist file, specifically enabling NSAllowsArbitraryLoadsInWebContent and NSAllowsArbitraryLoads, but it has no effect.

Tom Kraina asked Mar 07 '17 10:03


1 Answer

Forward Secrecy

It turns out that the server for 3dsecure.csas.cz does not support Forward Secrecy: https://www.ssllabs.com/ssltest/analyze.html?d=3dsecure.csas.cz&s=194.50.240.77

Perfect forward secrecy is required by App Transport Security in iOS 9 and above for all app connections, including webviews (not including Safari, however).

ATS Debugging

Running the following command in Terminal runs ATS diagnostics and tells more about the problem and how to solve it:

/usr/bin/nscurl --ats-diagnostics --verbose https://3dsecure.csas.cz

ATS Exception in the app

Allowing the webview in the app to connect to a specific server that does not support forward secrecy could be done by adding the following in the Info.plist file:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>3dsecure.csas.cz</key>
        <dict>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
        </dict>
    </dict>
</dict>

Not future-proof

This exception needs to be added for every single domain that does not support forward secrecy. Unfortunately, it's impossible to know all the 3-D Secure servers in advance, as they come as redirects from the payment provider.

What I don't know is if not requiring forward secrecy could be set for any domain, globally, and just within a specific webview, without affecting the whole app.

Tom Kraina answered Nov 05 '22 01:11
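Because every NSExceptionDomains entry like the one above permanently weakens ATS for that host, it is worth auditing an app's Info.plist for such exceptions before each release. The script below is an added example and not code from the question or answer: it uses the standard library's plistlib to read the XML plist and reports every global or per-domain ATS relaxation it finds. The embedded Info.plist is constructed for the demonstration and combines the answer's 3dsecure.csas.cz exception with a hypothetical second domain, legacy.example.com, that relaxes several protections at once.

```python
import plistlib
from typing import Dict, List

# Constructed sample Info.plist (not the poster's real file). It contains the
# exception shown in the answer plus a hypothetical domain with more relaxations.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.app</string>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoadsInWebContent</key>
        <true/>
        <key>NSExceptionDomains</key>
        <dict>
            <key>3dsecure.csas.cz</key>
            <dict>
                <key>NSExceptionRequiresForwardSecrecy</key>
                <false/>
            </dict>
            <key>legacy.example.com</key>
            <dict>
                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSExceptionMinimumTLSVersion</key>
                <string>TLSv1.0</string>
                <key>NSIncludesSubdomains</key>
                <true/>
            </dict>
        </dict>
    </dict>
</dict>
</plist>
"""

# App-wide ATS keys that disable checks for whole classes of connections.
GLOBAL_WEAKENING = {
    "NSAllowsArbitraryLoads": "all ATS checks disabled for every connection",
    "NSAllowsArbitraryLoadsInWebContent": "ATS disabled for web view content",
    "NSAllowsArbitraryLoadsForMedia": "ATS disabled for AVFoundation media",
    "NSAllowsLocalNetworking": "ATS disabled for local-network hosts",
}


def audit_ats(plist_bytes: bytes) -> Dict[str, List[str]]:
    """Return a map of scope ("global" or a domain) to the ATS protections it relaxes."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings: Dict[str, List[str]] = {}

    # Global switches are plain booleans at the top of the ATS dictionary.
    global_issues = [desc for key, desc in GLOBAL_WEAKENING.items() if ats.get(key) is True]
    if global_issues:
        findings["global"] = global_issues

    # Each per-domain exception may switch off one or more specific protections.
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        issues: List[str] = []
        if cfg.get("NSExceptionRequiresForwardSecrecy") is False:
            issues.append("forward secrecy not required (non-ECDHE cipher suites accepted)")
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            issues.append("plaintext HTTP allowed")
        min_tls = cfg.get("NSExceptionMinimumTLSVersion")
        if min_tls in ("TLSv1.0", "TLSv1.1"):
            issues.append(f"minimum TLS version lowered to {min_tls}")
        if issues and cfg.get("NSIncludesSubdomains") is True:
            issues.append("exception also covers all subdomains")
        if issues:
            findings[domain] = issues
    return findings


if __name__ == "__main__":
    for scope, issues in audit_ats(SAMPLE_INFO_PLIST).items():
        print(scope)
        for issue in issues:
            print(f"  - {issue}")
```

Run against a real project with `audit_ats(open("Info.plist", "rb").read())`; plistlib also accepts binary plists, so the same call works on the compiled Info.plist inside a built .app bundle.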