Develop Reference

Xcode BoringSSL peer disconnect causing app to hang on startup

Recently I started getting inconsistent BoringSSL issues that is causing my cordova/ionic app to hang. It happens about 1 out of every 4 or 5 times I launch the app from Xcode to a physically attached test iPhone 6. The test phone uses WiFi only (no carrier network). Having a devil of a time find any solid solutions or what the root of the problem is.
Some indicate its DNS, others say its related to Firebase...I have tried a few of the fixes those threads have mentioned but none are working for me.
[BoringSSL] nw_protocol_boringssl_input_finished(1543) [C3.1:2][0x12fd335c0] Peer disconnected during the middle of a handshake. Sending errSSLClosedNoNotify(-9816) alert
TIC TCP Conn Failed [3:0x2805712c0]: 3:-9816 Err(-9816)
[BoringSSL] nw_protocol_boringssl_input_finished(1543) [C5.1:2][0x12fe46470] Peer disconnected during the middle of a handshake. Sending errSSLClosedNoNotify(-9816) alert
TIC TCP Conn Failed [5:0x280575f80]: 3:-9816 Err(-9816)
[BoringSSL] boringssl_context_alert_callback_handler(3724) [C6.1:2][0x12fd43710] Alert level: fatal, description: inappropriate fallback
[BoringSSL] boringssl_session_errorlog(224) [C6.1:2][0x12fd43710] [boringssl_session_handshake_incomplete] SSL_ERROR_SSL(1): operation failed within the library
[BoringSSL] boringssl_session_handshake_error_print(205) [C6.1:2][0x12fd43710] 5097281768:error:1000043e:SSL routines:OPENSSL_internal:TLSV1_ALERT_INAPPROPRIATE_FALLBACK:/BuildRoot/Library/Caches/com.apple.xbs/Sources/boringssl/boringssl-109.250.2/ssl/tls_record.cc:586:SSL alert number 86
[BoringSSL] boringssl_context_get_error_code(3617) [C6.1:2][0x12fd43710] SSL_AD_INAPPROPRIATE_FALLBACK
TIC TCP Conn Failed [6:0x280576640]: 3:-9860 Err(-9860)
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9860)
Task <02ADA890-35C5-4DE7-B0E5-6EC812CF79E6>.<1> HTTP load failed (error code: -1200 [3:-9860])
Task <02ADA890-35C5-4DE7-B0E5-6EC812CF79E6>.<1> finished with error - code: -1200
nw_protocol_boringssl_get_output_frames(1301) [C1.1:2][0x12fe15ea0] get output frames failed, state 8196
nw_protocol_boringssl_get_output_frames(1301) [C1.1:2][0x12fe15ea0] get output frames failed, state 8196
If the app sees this error when initializing, the app hangs at the splash screen. If it makes it past this issue then the app works just fine and I only see nw_protocol_get_output_frames messages every so often (don't know what those are about either).
Anyone have any ideas as to what is causing this, where to look or possibly what the fix is?
Cordova CLI: 9.0.0 (cordova-lib#9.0.1)
cordova-ios: v5.0.0
Gulp version: CLI version 3.9.1
Gulp local:
Ionic Framework Version: 1.3.4
Ionic CLI Version: 1.7.16
Ionic App Lib Version: 0.7.3
ios-deploy version: 1.9.4
ios-sim version: 8.0.1
OS: Mac OS X El Capitan
Node Version: v6.11.4
Xcode version: Xcode 10.1 Build version 10B61

I was stuck at this error and what I did was enable all kinds of logs on XCode and that revealed that the error with this BoringSSL was from a call to the API Crashlytics of google. What solved this matter to me was enter on firebase, enable crashlytics for my project, install the plugin (https://ionicframework.com/docs/native/firebase-crashlytics) and initialise it.
To find crashlytics on firebase you enter on the console and search on the left, under the menu quality, crashlytics. After that if you have already your GoogleService-Info.plist on your app, what remains is to install the plugin and initialise it according the docs.
[EDIT] Dont know if the above will contribute, because on another batch of tests I found that it didnt fix the issue. But when I add the next lines to config.plist it resolves:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>app-measurement.com</key>
<dict>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>
</dict>
<key>mtalk.google.com</key>
<dict>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>
</dict>
<key>play.googleapis.com</key>
<dict>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>
</dict>
<key>settings.crashlytics.com</key>
<dict>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>
</dict>
<key>googleapis.com</key>
<dict>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>
</dict>
<key>localhost</key>
<dict>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
</dict>
<key>127.0.0.1</key>
<dict>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
</dict>
</dict>
<key>NSAllowsArbitraryLoadsInWebContent</key>
<false/>
</dict>
https://forums.developer.apple.com/thread/42555
https://cocoacasts.com/app-transport-security-has-blocked-my-request

My app IOS can't connect to web service "CFNetwork SSLHandshake failed" [duplicate]

This question already has answers here:
CFNetwork SSLHandshake failed iOS 9
(11 answers)
Closed 4 years ago.
Has anyone with the iOS 9 beta 1 had this issue?
I added the IOS sudo ionic cordova platform add ios The IOS Folder is added and the application.xcodeproj is added
My app was running successfully however, all AJAX failed.

Add this snippets to your .plist file.
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>yourserver.com</key>
<dict>
<!--Include to allow subdomains-->
<key>NSIncludesSubdomains</key>
<true/>
<!--Include to allow insecure HTTP requests-->
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
<!--Include to specify minimum TLS version-->
<key>NSExceptionMinimumTLSVersion</key>
<string>TLSv1.1</string>
</dict>
</dict>
</dict>
and
<key>NSAppTransportSecurity</key>
<dict>
<!--Connect to anything (this is probably BAD)-->
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>

iOS 10, Swift 3 API call SSL error

I am working on a Mobile app built in cordova which uses REST API. The App works well in itself, but I have a Share Extension built with xcode for which I get this error for an API call.
Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9824, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fe888624290 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9824, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9824}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://www.example.com/, NSErrorFailingURLStringKey=https://www.example.com/, _kCFStreamErrorDomainKey=3}
I have this in the Info.plist
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>www.example.com</key>
<dict>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>
<key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
<false/>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSExceptionMinimumTLSVersion</key>
<string>TLSv1.0</string>
<key>NSRequiresCertificateTransparency</key>
<false/>
</dict>
</dict>
</dict>

Your server SSL is probably not secure or correctly installed.
You should check if it is correctly installed with some of the available webservices out there or something.
Example
or this one
It can also be that your SSL is self-signed and simply not trusted by iOS as trusted.

First, test your server with :
/usr/bin/nscurl --ats-diagnostics www.mydomain.com
You said your main app is well-working, so the issue may be in your extension plist.
Did you add the same ATS entry in your extension plist ?

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9814)

I've been working on this project for a month and all internet requests were working fine until today, I am seeing this error whenever I execute a request :
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9814)
Although, in my info.plist, I added the APT configuration from the start:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
Keep in mind, that everything was working fine, I didn't change anything.
I tried this, on iOS 9 and iOS 7, and I am getting the same error.

try this in info.plist,
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>YOURHOST.COM</key>
<dict>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSTemporaryExceptionMinimumTLSVersion</key>
<string>1.0</string>
<key>NSTemporaryExceptionRequiresForwardSecrecy</key>
<false/>
</dict>
</dict>
and refer this link for more detail. hope this will help :)

iOS App Transport Security not accepting TLSv1.2 connection and plist exceptions not making any difference

I've got an iOS app which uses SSL/HTTPS to communicate with a server. The server is providing a certificate that works over TLSv1.2 (the main requirement of App Transport Security). An example URL that demonstrates this (where the TLSv1.2 can be verified by checking the certificate) is https://api.branon.co.uk/checkOnline.
However, the app is throwing errors relating to the App Transport Layer - errors that, when Googled - imply it's because the server isn't working over TLSv1.2. An example error is:
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
and:
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
I even added a bunch of exceptions to the plist file, such as:
<dict>
<key>NSExceptionDomains</key>
<dict>
<key><my top level domain - the app uses a subdomain - allowed below></key>
<dict>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSTemporaryExceptionMinimumTLSVersion</key>
<string>TLSv1.1</string>
</dict>
</dict>
</dict>
</plist>
but this doesn't change the result.
The certificate used is a free certificate issued from StartCom. My nginx config is below (just for reference).
server {
listen [::]:443 ssl;
listen 443 ssl;
ssl on;
ssl_certificate /root/ssl/<domain>.crt;
ssl_certificate_key /root/ssl/server.key;
server_name api.<domain>;
access_log /var/log/nginx/api.access.log;
error_log /var/log/nginx/api.error.log;
location ~ ^/([a-zA-Z]+)$ {
proxy_pass http://127.0.0.1:5000/$1;
}
}
Does anybody have any idea why this is happening?
Thanks!
Update:
Following the results of #Paulw11's suggested test (below) running nscurl, I decided just to try disabling App Transport Security entirely. I changed the App Transport Security dictionary in my plist to the below:
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
and am still getting the same error! So if it's not App Transport Security, what could be causing this? That error I'm getting again is:
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)

The server does not provide a complete certificate chain in its SSL/TLS handshake. While some clients can handle this and build out a trust chain, others cannot.
You can find the missing intermediate certificate via https://whatsmychaincert.com/?api.branon.co.uk and serve it along with your site's certificate in your SSL configuration in nginx.
Do remember to remove any ATS exceptions that you may have put in place!

The format of the keys I use to allow older versions of TLS (for amazonaws, for example) looks like this:
<key>NSIncludesSubdomains</key>
<string>NO</string>
<key>NSThirdPartyExceptionMinimumTLSVersion</key>
<string>TLSv1.1</string>
<key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
<string>NO</string>
The rest of the structure looks the same. At one point, we had this at the root level.
<key>NSExceptionMinimumTLSVersion</key>
<string>TLSv1.0</string>