iOS NSAppTransportSecurity

[phoenixbox]

Hey there,

Im getting a networking error when trying to upload to S3 from my react-native app running on my device.

Error

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9843)

From Googling around there are suggestions to add the AWS domains to the NSExceptionDomains in the info.plist. Ive tried the following xml in the plist but am still experiencing the same issue.

<key>NSAppTransportSecurity</key>
<dict>
  <key>NSAllowsArbitraryLoads</key>
  <true/>
  <key>NSExceptionDomains</key>
  <dict>
    <key>amazonaws.com</key>
    <dict>
      <key>NSThirdPartyExceptionMinimumTLSVersion</key>
      <string>TLSv1.0</string>
      <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
      <false/>
      <key>NSTemporaryExceptionRequiresForwardSecrecy</key>
      <false/>
      <key>NSTemporaryExceptionMinimumTLSVersion</key>
      <string>1.0</string>
      <key>NSIncludesSubdomains</key>
      <true/>
      <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
      <true/>
    </dict>
    <key>amazonaws.com.cn</key>
    <dict>
      <key>NSThirdPartyExceptionMinimumTLSVersion</key>
      <string>TLSv1.0</string>
      <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
      <false/>
      <key>NSTemporaryExceptionRequiresForwardSecrecy</key>
      <false/>
      <key>NSTemporaryExceptionMinimumTLSVersion</key>
      <string>1.0</string>
      <key>NSIncludesSubdomains</key>
      <true/>
    </dict>
  </dict>
</dict>

What NSAppTransportSecurity do you use for uploading to S3?

[benjreinhart]

Thanks for the issue...

What version of RN are you using and how old is your RN app (issue I linked below looks like it had issues with older versions of RN)?

My app's NSAppTransportSecurity key in my info.plist file is empty.

<key>NSAppTransportSecurity</key>

I did see this issue on a quick google search, looks like some other people have some solutions for something similar.

If you find a fix, can you post what worked for you on this thread for anyone else who might encounter it?

[phoenixbox]

@benjreinhart Hey 👋 there, Im on react-native 0.29

so I tried again, when NSAppTransportSecurity is empty then the Simulator cant connect to localhost so I added the selected fix to the info.plist which is

    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSExceptionDomains</key>
        <dict>
            <key>localhost</key>
            <dict>
                <key>NSTemporaryExceptionAllowsInsecureHTTPSLoads</key>
                <false/>            
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSTemporaryExceptionMinimumTLSVersion</key>
                <string>1.0</string>
                <key>NSTemporaryExceptionRequiresForwardSecrecy</key>
                <false/>
            </dict>
        </dict>
    </dict> 

When using that and the sample code, the error persists:

 NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)

Not sure whats going on 😟

Do you happen to have a public repo RN app which uses your lib that you could share? I could clone and see if I can get to work on my local machine?

[phoenixbox]

@benjreinhart so I fixed the issued I was experiencing.

This error:

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)

Was due to an untrusted local react-native server development certificate:

The certificate for this server is invalid. You might be connecting to a server that is pretending to be “${YOUR_BUCKET_NAME}.s3.amazonaws.com” which could put your confidential information at risk.

To which there is an advised:

• hotfix source and a
• production fix source

Solution Repo

• I made a new app to confirm the hotfix.
• It can be found here https://github.com/phoenixbox/ReactNativeS3
• I documented how it can be used with S3 creds and the two solution paths

[benjreinhart]

@phoenixbox very nice, thank you for the detailed follow up!

[jomaint]

@phoenixbox Did you try the production source fix? Any idea how to get react-native calling S3, to work on IOS simulator? Im having a hard time understanding the stackoverflow post.

[phoenixbox]

Hey @jomaint, try updating the RCTHTTPRequestHandler.m with the snippet below. I modified how the request challenge is handled by making the change at line:85 #pragma mark - NSURLSession delegate of RCTHTTPRequestHandler.m.

- (void)URLSession:(NSURLSession *)session didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential *credential))completionHandler
{
  completionHandler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]);
}

As for using a real certificate for development, I can't say I know how to make that work. I just used this workaround for local development. Removed it for production builds on devices, and it works

[jomaint]

@phoenixbox Thanks for your response! I’ll give a go and see how it goes