I have an application which uses NSUrlSessionUploadTask to deliver files to my server. This is an application that is expected to work on an intranet, so host-names are not known at compile time.
As such, my Info.plist enables arbitrary, insecure loads:
<key>NSAppTransportSecurity</key> <dict> <key>NSAllowArbitraryLoads</key> <true/> <key>NSAllowsInsecureHTTPLoads</key> <true/> </dict>
On my physical iOS device (iPhone 6 plus, iOS 9.0.2) - this works. On the simulator and physical devices running iOS 9.1, we get the following error.
The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.
I would gladly switch to using HTTPS (so long as I don't need an explicit domain exclusion in the plist, because this is an intranet app) - but we use self-signed certs to achieve SSL, which shouldn't be a problem - however I have the following code in my App to supposedly allow self-signed certs... and it doesn't fix the problem.
ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback ( (srvPoint, certificate, chain, errors) => true );
public override void DidReceiveChallenge (NSUrlSession session, NSUrlAuthenticationChallenge challenge, Action<NSUrlSessionAuthChallengeDisposition, NSUrlCredential> completionHandler) { var authMethod = challenge.ProtectionSpace.AuthenticationMethod; if(authMethod == NSUrlProtectionSpace.AuthenticationMethodServerTrust.ToString()) { var tst = new NSUrlCredential(challenge.ProtectionSpace.ServerSecTrust); session.Configuration.URLCredentialStorage.SetCredential(tst, challenge.ProtectionSpace);//...URLCredentialStorage. NSUrlCredential credential = NSUrlCredential.FromTrust(challenge.ProtectionSpace.ServerSecTrust); completionHandler(NSUrlSessionAuthChallengeDisposition.UseCredential, tst); } else completionHandler (NSUrlSessionAuthChallengeDisposition.PerformDefaultHandling, null); }