iOS 9 SSL Security Support

[talkaboutdesign]

Please update framework to support latest iOS security measures in iOS 9.

[nlutsenko]

Hey @talkaboutdesign,
If you meant iOS 9 TLS 1.2 and SHA256 requirement - we already support that.
Or you were referring to something else?

[talkaboutdesign]

Right I tested calling a simple query and would get errors back. Is this fixed with 1.8.0?

[richardjrossiii]

Yes. We have switched in 1.8.0 to use NSURLSession (see PFURLSession.m for the gory details), and have recently changed our backend (http://blog.parse.com/announcements/moving-parse-apps-to-the-more-secure-sha-2-industry-standard/) to use SHA-256 certificates. As far as we are aware, we are fully ready for the changes with app transport security in iOS 9, aside from PFFile support (those are still using HTTP currently).

[talkaboutdesign]

Great. Thanks.

[jeroenleenarts]

As Richard indicates. PFFiles do not work with App Transport Security. The objects are loaded fine, but the URLs are hosted on Amazon's CDN with a custom domain names "parsetfss.com". Domain name does not match with amazon's SSL cert for "*.s3.amazonaws.com".

Any timeline of this?

[jeroenleenarts]

Adding this to you info.plist should allow things to work for now. Or are there other domains involved as well?

    <key>NSExceptionDomains</key>
    <dict>
        <key>files.parsetfss.com</key>
        <dict>
            <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>

[nlutsenko]

@jeroenleenarts As @richardjrossiii mentioned previously that we are aware that PFFiles are still using http for downloads, and yes indeed adding files.parsetfss.com to the list of exceptions in your Info.plist fixes the problem for now (we are not using any other domains at the moment).

We are working on getting you SSL for files before iOS 9 goes out publicly, or even before we see the GM this year. I am going to open another issue specifically for tracking PFFile support.

[nlutsenko]

@jeroenleenarts #12 is created for PFFile secure connection support, let's use that one for tracking it.

[ghost]

Hello
I added the headers of the brand new Parse 1.8.4 library to my iOS9 app, but the security messages keep on appearing:

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)

Did I miss something ?
Thanks
Fred

[nlutsenko]

Hmm... This sounds strange.
Can you double check that the file is actually being downloaded through https?
It passes and works great for me locally, but maybe some of your files are referencing an old domain that we didn't handle.

If you could paste just the domain name for the files that you have trouble downloading that would be super helpful as well.

[ghost]

In fact this happens when I do

query.findObjectsInBackgroundWithBlock

That’s a simple query, I’m not downloading anything manually.

Just to check, I downloaded the latest version of the SDK, removed the previous parse framworks (Parse, ParseUI, ParseCrashReporting, ParseFacebookUtilsV4, Bolts) and replaced them by their new version. Is there an issue doing like that ?

Thanks
Frederic

Le 17 sept. 2015 à 10:33, Nikita Lutsenko notifications@github.com a écrit :

Hmm... This sounds strange.
Can you double check that the file is actually being downloaded through https?
It passes and works great for me locally, but maybe some of your files are referencing an old domain that we didn't handle.

If you could paste just the domain name for the files that you have trouble downloading that would be super helpful as well.

—
Reply to this email directly or view it on GitHub #3 (comment).

[nlutsenko]

Nope, should just automatically work.
We are using the SHA-2 Signed certificate and api.parse.com has TLS 1.2 enabled, so it should simply automatically just work.
Any chance you can tests on a different network? Say by using cellular data on the phone?

[ghost]

Ah, I updated the Facebook SDK and added these :

NSAppTransportSecurity

NSExceptionDomains

facebook.com

NSIncludesSubdomains

NSExceptionRequiresForwardSecrecy


fbcdn.net

NSIncludesSubdomains

NSExceptionRequiresForwardSecrecy


akamaihd.net

NSIncludesSubdomains

NSExceptionRequiresForwardSecrecy

<key>LSApplicationQueriesSchemes</key>
<array>
    <string>fbapi</string>
    <string>fb-messenger-api</string>
    <string>fbauth2</string>
    <string>fbshareextension</string>
</array>

Now it works fine … maybe it was the FacebookSDK, not Parse.

Thanks !
Fred

Le 17 sept. 2015 à 10:42, Nikita Lutsenko notifications@github.com a écrit :

Nope, should just automatically work.
We are using the SHA-2 Signed certificate and api.parse.com has TLS 1.2 enabled, so it should simply automatically just work.
Any chance you can tests on a different network? Say by using cellular data on the phone?

—
Reply to this email directly or view it on GitHub #3 (comment).