Hi Matt! If I put this on .plist file it works on watchOS 7. Is this the correct way or there is another way to do this programmatically ?     <key>NSAppTransportSecurity</key>     <dict>       <key>NSExceptionDomains</key>       <dict>         <key><DOMAIN></key>         <dict>           <!--Include to allow subdomains-->           <key>NSIncludesSubdomains</key>           <true/>           <!--Include to allow HTTP requests-->           <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>           <true/>           <!--Include to specify minimum TLS version-->           <key>NSTemporaryExceptionMinimumTLSVersion</key>           <string>TLSv1.1</string>         </dict>       </dict>     </dict> Thank you again in advance. Best Regards.

Hi Matt, how are you doing? I asked the infrastructure team of the company and they told me that the certificate they are using on this particular site was incorrectly revoked by the CA, but they still uses it until all apps that connects to this server are updated to use the newer certificates... So, the message: Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSErrorClientCertificateStateKey=0, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?,&#9;NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made. I guess it is correct, but the fact remains that why this message does not appear running on watchOS 6.2.8 but appear when running under the watchOS 7 (final version). Also do you know how can I force it to connect programmatically bypassing this message on watchOS 7? Thank you in advance for your kind support. Best Regards, Marcus.

Hi Matt, What I do not understand yet is that running on watchOS 6 the code runs OK and connects to the server. If I do it under whatchOS 7 beta it gives me the following error: PDTask <C109A177-0F66-4F87-876E-F5C104CC47BD>.<1> finished with error [-1200] Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSErrorClientCertificateStateKey=0, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataPDTask <C109A177-0F66-4F87-876E-F5C104CC47BD>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey=("LocalDataPDTask <C109A177-0F66-4F87-876E-F5C104CC47BD>.<1>",     "LocalDataTask <C109A177-0F66-4F87-876E-F5C104CC47BD>.<1>"), NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802} What my code does is to save locally in the "fingerprints" array the "Fingerprint SHA256" of the server certificate and at runtime, obtain the server certificate, generate the SHA256 fingerprint and compare it to what I have saved on that variable. And it works OK. What I would also like to know if there is a need to put some kind of key in a .plist or something... If you discover that something need to be put there I would appreciate. I will follow your advice and continue my tests and wait for the final release. If I discover something or your discover something, please lets use this thread. Thank you again so much for your kind support.  Best Regards, Marcus.

Hi Matt, first thank you very much for your kind answer. I would like if possible some directions to help me understand what you're saying. The code I did is working just fine in watchOS 6.2.8 but failing with watchOS 7 latest beta 7 (with the error above, "An SSL error has occurred and a secure connection to the server cannot be made."). I just want to compare the fingerprint of the certificate I receive to the fingerprint (SHA256 hash) I have in my code. I'm using Alamofire, and this is the code I have in the sessionDidReceiveChallenge: _sessionMgrDefault.delegate.sessionDidReceiveChallenge = { session, challenge in &#9;&#9;var disposition: URLSession.AuthChallengeDisposition = .performDefaultHandling &#9;&#9;var credential: URLCredential? &#9;&#9;if challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust { &#9;&#9;&#9;&#9;let host = challenge.protectionSpace.host &#9;&#9;&#9;&#9;if let serverTrust = challenge.protectionSpace.serverTrust { &#9;&#9;&#9;&#9;&#9;&#9;disposition = URLSession.AuthChallengeDisposition.useCredential &#9;&#9;&#9;&#9;&#9;&#9;credential = URLCredential(trust: challenge.protectionSpace.serverTrust!) &#9;&#9;&#9;&#9;&#9;&#9;let fingerPrints = ["<<<CERTIFICATE SHA256 HASH>>>"] &#9;&#9;&#9;&#9;&#9;&#9;for index in 0..<SecTrustGetCertificateCount(serverTrust) { &#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9;let cer = SecTrustGetCertificateAtIndex(serverTrust, index) &#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9;if let certificate = SecTrustGetCertificateAtIndex(serverTrust, index) { &#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9;let certData = certificate.data &#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9;let certHashByteArray = certData.sha256() &#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9;let certificateHexString = certHashByteArray.toHexString().lowercased() &#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9;if fingerPrints.contains(certificateHexString) { &#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9;return (disposition, credential) &#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9;} &#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9;} &#9;&#9;&#9;&#9;&#9;&#9;} &#9;&#9;&#9;&#9;} &#9;&#9;} &#9;&#9;disposition = .cancelAuthenticationChallenge &#9;&#9;return (disposition, credential) } Running an analysis on the site SSLabs.com it says that (the certificate is a wildcard "*.<domain>.com.br"): Issuer Valid Certificadora Digital SSL OV CA 2018 Signature algorithm SHA256withRSA Revocation status Good (not revoked) DNS CAA No Trusted No&#9; NOT TRUSTED (Why?) NOTE: Someone made a comment on StackOverflow that to be compatible with the ATS requirements, "as soon as you are doing a https:// request, you must ensure, that you meet the ATS-requirements: a valid certificate installed on the server (without wildcard, exactly matching the server's domain name), server supports TLS 1.2 with forward secrecy." Is this the problem on watchOS 7? The certificate has to be specific to the site and not have wildcard? Thank you again very much for your kind answer. Best Regards.

Full details about this issue on Alamofire GitHub: https://github.com/Alamofire/Alamofire/issues/3295

I filed the feedback: FB8612887. Also, as I commented on the Alamofire issue (https://github.com/Alamofire/Alamofire/issues/3295), I rolled back Alamofire to version 4.9.1 and it is working now with TestFlight version! I guess with the latest Alamofire 5, the TestFlight (Bitcode?) compilation is doing something wrong for this specific device... As pointer in this crash log: Thread 0 Crashed: 0&#9; libswiftCore.dylib&#9;&#9;&#9;&#9;&#9;&#9; 0x6fb90060 static _SetStorage.allocate+ 864352 (scale:age:seed:) + 16 1&#9; libswiftCore.dylib&#9;&#9;&#9;&#9;&#9;&#9; 0x6fb8c07e static _SetStorage.allocate+ 847998 (capacity:) + 126 2&#9; Watch App Extension 0x00315fb8 specialized Set.init(arrayLiteral:) + 319416 (<compiler-generated>:0) If you need some other information, please feel free to contact me. Thank you!

Full crash log - https://developer.apple.com/forums/content/attachment/df0a4b7b-0a8d-4293-b8f4-76192992481f