[Trunk 1.83] - OXZ List Update Failure on OSX 10.11 #170

Closed
AnotherCommander opened this Issue Oct 17, 2015 · 7 comments

@AnotherCommander
Member

AnotherCommander commented Oct 17, 2015

As per bug report by user Venator Dha on the forums ( http://www.aegidian.org/bb/viewtopic.php?p=243633#p243633 ), attempting to update the OXZ list from the in-game manager fails with nightly build versions 1.83-151002, 1.83-150924 and 1.83-150918, while it works with trunk version 1.83-150908 or earlier.

Error message reported in the log:

16:07:38.188 [oxz.manager.error]: Error downloading file: Error Domain=NSURLErrorDomain 
Code=-1022 "The resource could not be loaded because the App Transport Security policy requires 
the use of a secure connection." UserInfo={NSUnderlyingError=0x106e75e30 {Error 
Domain=kCFErrorDomainCFNetwork Code=-1022 "The resource could not be loaded because the 
App Transport Security policy requires the use of a secure connection." UserInfo=
{NSErrorFailingURLStringKey=http://addons.oolite.org/api/1.0/overview, NSLocalizedDescription=The 
resource could not be loaded because the App Transport Security policy requires the use of a 
secure connection., NSErrorFailingURLKey=http://addons.oolite.org/api/1.0/overview}}, 
NSErrorFailingURLStringKey=http://addons.oolite.org/api/1.0/overview, 
NSErrorFailingURLKey=http://addons.oolite.org/api/1.0/overview, NSLocalizedDescription=The 
resource could not be loaded because the App Transport Security policy requires the use of a 
secure connection.}

User Venator Dha reports recent update of OS to version 10.11. System specs as appear on game log:

Opening log for Oolite development version 1.83-151002 (x86-64 test release) under Mac OS X Version 10.11 (Build 15A284) at 2015-10-17 13:17:15 +0000.
Machine type: MacBookAir6,2, 8192 MiB memory, 2 (4 logical) x x86 (Haswell) @ 1300 MHz.
Build options: OpenAL, new planets, JavaScript console support, Debug plug-in support, OXP verifier, localization tools, debug GraphViz support, JavaScript profiling.
@MaddTheSane
Contributor

MaddTheSane commented Oct 17, 2015
Apple wants you to use https. There is a way to add an exclusion for specific domains in the info.plist file.

Sent from my iPhone


@AnotherCommander
Member

AnotherCommander commented Oct 17, 2015
Apparently, entering the below inside info-Oolite.plist fixes it. However, it would be best to hear from the Mac guys, since using this solution may be against Apple's wishes. See: http://stackoverflow.com/questions/30731785/how-do-i-load-an-http-url-with-app-transport-security-enabled-in-ios-9

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>
@JensAyton
Member

JensAyton commented Oct 18, 2015
I wasn’t even aware this was an issue on OS X. NSAllowsArbitraryLoads will probably work more or less indefinitely for a Mac app outside the App Store. However, downloading unsigned scripts over unsecured HTTP is a security issue that should be considered.


@AnotherCommander
Member

AnotherCommander commented Oct 18, 2015
The stackoverflow.com link posted earlier also contains another construct, which is supposedly more kosher:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>testdomain.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <false/>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <false/>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <true/>
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.2</string>
            <key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
            <false/>
            <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
            <true/>
            <key>NSThirdPartyExceptionMinimumTLSVersion</key>
            <string>TLSv1.2</string>
            <key>NSRequiresCertificateTransparency</key>
            <false/>
        </dict>
    </dict>
</dict>

If we were to use this (more specifically, the NSExceptionAllowsInsecureHTTPLoads or NSThirdPartyExceptionAllowsInsecureHTTPLoads part), would that be a preferable solution?


@MaddTheSane
Contributor

MaddTheSane commented Oct 18, 2015
I'm fairly certain that NSAppTransportSecurity is an issue for apps linked against the OS X 10.11 and iOS 9 and later SDKs, regardless of if they're on either App Store.

Sent from my iPhone


@JensAyton
Member

JensAyton commented Oct 20, 2015
@AnotherCommander That would let you download the list of OXPs, but the OXPs themselves are hosted on arbitrary unsecured HTTP servers (which is, y’know, bad) and would also be blocked.
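Added illustration (not code from the Oolite project or from anyone in this thread) of the two Info.plist options discussed above, the blanket NSAllowsArbitraryLoads opt-out and a per-host NSExceptionDomains entry, and of the point that a scoped exception for the add-on index host still blocks plain-HTTP downloads from other hosts. The two plists are constructed samples; the index URL is the one from the logged error, while the "oxp-mirror.example" host, the exception values and the severity labels are assumptions. The ATS model implemented here is deliberately simplified (https always passes, an exception-domain entry overrides the global flag, otherwise cleartext is blocked):

```python
"""Audit App Transport Security (ATS) settings in an Info.plist (constructed example)."""
import plistlib
from urllib.parse import urlsplit

# Constructed sample 1: the blanket opt-out floated first in the thread.
ARBITRARY_LOADS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <true/>
    </dict>
</dict>
</plist>
"""

# Constructed sample 2: a scoped exception for the add-on index host only
# (host taken from the logged error; the flag values are assumptions).
SCOPED_EXCEPTION_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSExceptionDomains</key>
        <dict>
            <key>addons.oolite.org</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <false/>
                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                <true/>
            </dict>
        </dict>
    </dict>
</dict>
</plist>
"""

INSECURE_KEYS = ("NSExceptionAllowsInsecureHTTPLoads",
                 "NSThirdPartyExceptionAllowsInsecureHTTPLoads")


def load_ats(plist_bytes):
    """Return the NSAppTransportSecurity dict, or {} when the key is absent."""
    return plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})


def matching_exception(ats, host):
    """Return the NSExceptionDomains entry governing `host`, or None.

    An exact match always applies; a parent domain applies only when its
    entry sets NSIncludesSubdomains.
    """
    host = host.lower()
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        domain = domain.lower()
        if host == domain:
            return rules
        if rules.get("NSIncludesSubdomains") and host.endswith("." + domain):
            return rules
    return None


def http_load_permitted(ats, url):
    """Would this (simplified) ATS configuration allow loading `url`?"""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return True
    if parts.scheme != "http":
        raise ValueError("unsupported scheme: " + parts.scheme)
    rules = matching_exception(ats, parts.hostname or "")
    if rules is not None:
        # A per-domain entry takes precedence over the global flag.
        return any(bool(rules.get(k)) for k in INSECURE_KEYS)
    # No entry: only the blanket opt-out lets cleartext through.
    return bool(ats.get("NSAllowsArbitraryLoads"))


def audit(ats):
    """List (severity, message) findings describing how far ATS has been relaxed."""
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("HIGH", "NSAllowsArbitraryLoads disables ATS for every host"))
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if any(rules.get(k) for k in INSECURE_KEYS):
            scope = "and its subdomains" if rules.get("NSIncludesSubdomains") else "only"
            findings.append(("MEDIUM", f"cleartext HTTP allowed for {domain} {scope}"))
        tls = rules.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(("LOW", f"{domain} accepts {tls}"))
    if not findings:
        findings.append(("INFO", "ATS defaults in force: http:// loads are blocked"))
    return findings


if __name__ == "__main__":
    index_url = "http://addons.oolite.org/api/1.0/overview"  # from the logged error
    oxp_url = "http://oxp-mirror.example/SomePack.oxz"        # constructed third-party host
    for name, blob in (("arbitrary", ARBITRARY_LOADS_PLIST), ("scoped", SCOPED_EXCEPTION_PLIST)):
        ats = load_ats(blob)
        print(name, audit(ats))
        print("  index:", http_load_permitted(ats, index_url),
              " oxp:", http_load_permitted(ats, oxp_url))
```

Run against the two samples, the blanket opt-out permits both URLs and is flagged HIGH, while the scoped entry permits only the index URL and leaves the constructed third-party OXP host blocked, which is exactly the limitation raised above.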


@AnotherCommander
Member

AnotherCommander commented Sep 25, 2016
Non-HTTPS OXP downloads on Mac OSX 10.11 and later allowed with commit eef1280. Issue closed.
