Ability to turn off NSExceptionRequiresForwardSecrecy for all domains.

Originator: nartiles
Number: rdar://27847152
Date Originated: 8/15/2016
Status: Open
Resolved:
Product: iOS
Product Version:
Classification: Enhancement
Reproducible:
 
Area:
NSURL

Summary:
The current mechanism for App Transport Security requires one of the following:
1. NSExceptionRequiresForwardSecrecy is turned OFF on a domain-by-domain basis, or
2. if NSAllowsArbitraryLoads is set to YES, NSExceptionRequiresForwardSecrecy can then be turned ON on a domain-by-domain basis.

This enhancement request is to allow all ATS features to remain on (i.e. NSAllowsArbitraryLoads set to NO) but allow a global NSExceptionRequiresForwardSecrecy flag to disable PFS (i.e. Perfect Forward Secrecy) for all domains.

Our app Desk.com (from Salesforce) hosts the support domains for many different clients. Some of our clients use GoDaddy certificates which fail the PFS requirement. We cannot statically list all these domains in the plist of our app because the list of domains that require the exception can dynamically change.

We need a way to disable PFS for all domains that are accessed through our Desk.com app.

Steps to Reproduce:
Set NSExceptionRequiresForwardSecrecy = OFF at the top level of the NSAppTransportSecurity dictionary, not under a domain.

Expected Results:
Perfect Forward Secrecy is disabled for all domains, but secure HTTPS and a minimum of TLS 1.2 are still enforced.

Actual Results:
Perfect Forward Secrecy is not disabled for all domains.
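As an added illustration (not part of the filed report), the following Python models the per-host forward-secrecy decision the report describes: a listed exception domain uses its own NSExceptionRequiresForwardSecrecy, every other host is governed by NSAllowsArbitraryLoads alone, and a top-level NSExceptionRequiresForwardSecrecy key is never consulted. The Info.plist fragment and the domain names in it are constructed placeholders.

```python
import plistlib

# Constructed Info.plist fragment (placeholder domain, not from the report).
# It contains the top-level NSExceptionRequiresForwardSecrecy key the report
# tried, plus one per-domain exception of the kind ATS actually honours.
INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><false/>
    <key>NSExceptionRequiresForwardSecrecy</key><false/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy-cert.example</key>
      <dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionRequiresForwardSecrecy</key><false/>
      </dict>
    </dict>
  </dict>
</dict></plist>
"""


def load_ats(plist_bytes):
    """Parse an Info.plist and return its NSAppTransportSecurity dictionary."""
    return plistlib.loads(plist_bytes)["NSAppTransportSecurity"]


def _matching_exception(ats, host):
    """Return the NSExceptionDomains entry covering host, or None."""
    for domain, entry in ats.get("NSExceptionDomains", {}).items():
        if host == domain:
            return entry
        if entry.get("NSIncludesSubdomains", False) and host.endswith("." + domain):
            return entry
    return None


def pfs_required(ats, host):
    """Does ATS demand forward-secret ciphers for this host?

    Listed domains use their own NSExceptionRequiresForwardSecrecy (default YES).
    Unlisted hosts get full ATS unless NSAllowsArbitraryLoads is YES, which turns
    ATS off for them entirely. The top-level key is deliberately ignored, which is
    the behaviour the report's "Actual Results" section observes.
    """
    entry = _matching_exception(ats, host)
    if entry is not None:
        return bool(entry.get("NSExceptionRequiresForwardSecrecy", True))
    return not ats.get("NSAllowsArbitraryLoads", False)


ATS = load_ats(INFO_PLIST)
```

Flipping NSAllowsArbitraryLoads to YES in the parsed dictionary shows the trade-off behind option 2: unlisted hosts lose PFS and every other ATS check, while listed domains keep whatever they opt into.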

Version:
iOS 9.0 or later

Notes:


Configuration:
All iOS devices running iOS 9.0 or later.

Attachments:
