Radar fails at App Transport Security
| Originator: | danielctull | | |
| Number: | rdar://23937724 | Date Originated: | 17-Dec-2015 01:59 PM |
| Status: | Open | Resolved: | |
| Product: | Developer Tools | Product Version: | bugreport.apple.com |
| Classification: | Security | Reproducible: | Always |
Summary:
When loading https://bugreport.apple.com the SSL certificate used does not comply with App Transport Security. It fails in at least the following ways:

* It does not support Forward Secrecy
* It only supports TLS v1.0

More details can be found at https://www.ssllabs.com/ssltest/analyze.html?d=bugreport.apple.com

Steps to Reproduce:
Run the following on the terminal:

    nscurl --ats-diagnostics https://bugreport.apple.com

Expected Results:

    Default ATS Secure Connection
    ---
    ATS Default Connection
    Result : PASS
    ---

Actual Results:

    ================================================================================
    Default ATS Secure Connection
    ---
    ATS Default Connection
    2015-12-17 13:45:58.944 nscurl[30345:2703145] CFNetwork SSLHandshake failed (-9824)
    2015-12-17 13:45:58.945 nscurl[30345:2703145] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
    Result : FAIL
    ---
    ================================================================================
    Allowing Arbitrary Loads
    ---
    Allow All Loads
    Result : PASS
    ---
    ================================================================================
    Configuring TLS exceptions for bugreport.apple.com
    ---
    TLSv1.2
    2015-12-17 13:46:00.789 nscurl[30345:2703145] CFNetwork SSLHandshake failed (-9824)
    2015-12-17 13:46:00.789 nscurl[30345:2703145] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
    Result : FAIL
    ---
    ---
    TLSv1.1
    2015-12-17 13:46:01.129 nscurl[30345:2703145] CFNetwork SSLHandshake failed (-9824)
    2015-12-17 13:46:01.129 nscurl[30345:2703145] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
    Result : FAIL
    ---
    ---
    TLSv1.0
    2015-12-17 13:46:01.473 nscurl[30345:2703145] CFNetwork SSLHandshake failed (-9824)
    2015-12-17 13:46:01.474 nscurl[30345:2703145] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
    Result : FAIL
    ---
    ================================================================================
    Configuring PFS exceptions for bugreport.apple.com
    ---
    Disabling Perfect Forward Secrecy
    2015-12-17 13:46:01.818 nscurl[30345:2703145] CFNetwork SSLHandshake failed (-9801)
    2015-12-17 13:46:01.819 nscurl[30345:2703145] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)
    Result : FAIL
    ---
    ================================================================================
    Configuring PFS exceptions and allowing insecure HTTP for bugreport.apple.com
    ---
    Disabling Perfect Forward Secrecy and Allowing Insecure HTTP
    2015-12-17 13:46:02.158 nscurl[30345:2703145] CFNetwork SSLHandshake failed (-9801)
    2015-12-17 13:46:02.501 nscurl[30345:2703145] CFNetwork SSLHandshake failed (-9824)
    2015-12-17 13:46:02.862 nscurl[30345:2703145] CFNetwork SSLHandshake failed (-9824)
    2015-12-17 13:46:02.863 nscurl[30345:2703145] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
    Result : FAIL
    ---
    ================================================================================
    Configuring TLS exceptions with PFS disabled for bugreport.apple.com
    ---
    TLSv1.2 with PFS disabled
    2015-12-17 13:46:03.221 nscurl[30345:2703145] CFNetwork SSLHandshake failed (-9801)
    2015-12-17 13:46:03.222 nscurl[30345:2703145] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)
    Result : FAIL
    ---
    ---
    TLSv1.1 with PFS disabled
    2015-12-17 13:46:03.584 nscurl[30345:2703145] CFNetwork SSLHandshake failed (-9801)
    2015-12-17 13:46:03.585 nscurl[30345:2703145] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)
    Result : FAIL
    ---
    ---
    TLSv1.0 with PFS disabled
    2015-12-17 13:46:04.687 nscurl[30345:2703145] CFNetwork SSLHandshake failed (-9824)
    2015-12-17 13:46:04.687 nscurl[30345:2703145] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
    Result : FAIL
    ---
    ================================================================================
    Configuring TLS exceptions with PFS disabled and insecure HTTP allowed for bugreport.apple.com
    ---
    TLSv1.2 with PFS disabled and insecure HTTP allowed
    2015-12-17 13:46:05.048 nscurl[30345:2703145] CFNetwork SSLHandshake failed (-9801)
    2015-12-17 13:46:05.411 nscurl[30345:2703145] CFNetwork SSLHandshake failed (-9824)
    2015-12-17 13:46:05.750 nscurl[30345:2703145] CFNetwork SSLHandshake failed (-9824)
    2015-12-17 13:46:05.750 nscurl[30345:2703145] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
    Result : FAIL
    ---
    ---
    TLSv1.1 with PFS disabled and insecure HTTP allowed
    2015-12-17 13:46:06.097 nscurl[30345:2703145] CFNetwork SSLHandshake failed (-9801)
    2015-12-17 13:46:06.449 nscurl[30345:2703145] CFNetwork SSLHandshake failed (-9824)
    2015-12-17 13:46:06.793 nscurl[30345:2703145] CFNetwork SSLHandshake failed (-9824)
    2015-12-17 13:46:06.794 nscurl[30345:2703145] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
    Result : FAIL
    ---
    ---
    TLSv1.0 with PFS disabled and insecure HTTP allowed
    2015-12-17 13:46:07.880 nscurl[30345:2703145] CFNetwork SSLHandshake failed (-9824)
    2015-12-17 13:46:07.881 nscurl[30345:2703145] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
    Result : FAIL
    ---
    ================================================================================
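
A triage helper for diagnostics like the above, added here as an example and not part of the original report: it parses `nscurl --ats-diagnostics` output into per-test results, counting each handshake error once even though nscurl logs the code twice. The function names are hypothetical, the error names are those declared for these codes in SecureTransport.h, and the sample is an abridged excerpt of the report's output.

```python
import re

# Error names as declared in SecureTransport.h
SSL_ERRORS = {-9801: "errSSLNegotiation", -9824: "errSSLPeerHandshakeFail"}
# Abridged excerpt of the report's nscurl output, one entry per line
SAMPLE = """\
Default ATS Secure Connection
---
ATS Default Connection
2015-12-17 13:45:58.944 nscurl[30345:2703145] CFNetwork SSLHandshake failed (-9824)
2015-12-17 13:45:58.945 nscurl[30345:2703145] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
Result : FAIL
---
================================================================================
Allowing Arbitrary Loads
---
Allow All Loads
Result : PASS
---
================================================================================
Configuring PFS exceptions for bugreport.apple.com
---
Disabling Perfect Forward Secrecy
2015-12-17 13:46:01.818 nscurl[30345:2703145] CFNetwork SSLHandshake failed (-9801)
Result : FAIL
---
"""

HANDSHAKE = re.compile(r"SSLHandshake failed \((-\d+)\)")
RESULT = re.compile(r"^Result\s*:\s*(PASS|FAIL)$")

def parse_ats_diagnostics(text):
    results, name, codes, after_sep = [], None, [], False
    for line in map(str.strip, text.splitlines()):
        if line == "---":
            after_sep = True  # the next text line names a test
            continue
        result, shake = RESULT.match(line), HANDSHAKE.search(line)
        if result:  # close the current test: (name, PASS/FAIL, error names)
            results.append((name, result.group(1), [SSL_ERRORS.get(c, str(c)) for c in codes]))
            name, codes = None, []
        elif shake:  # the "HTTP load failed" line repeats the code; skip it
            codes.append(int(shake.group(1)))
        elif after_sep and line and not line.startswith("="):
            name = line
        after_sep = after_sep and not line
    return results

def loads_only_without_ats(results):
    return [n for n, r, _ in results if r == "PASS"] == ["Allow All Loads"]
```

When `loads_only_without_ats` is true, no TLS-version or forward-secrecy exception made the host loadable in the run, which is the situation this report describes.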