CFNetwork SSLHandshake failed (-9824) but server meets criteria - ios

2015-11-04 15:17:23.236 Testing[2504:80857] CFNetwork SSLHandshake failed (-9824)
2015-11-04 15:17:23.237 Testing[2504:80858] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
I did a little testing app with only a web view to show contents of this website:
https://ripemobileapps.com
Server supports SSL, TLS v1.2 and has GeoTrust certificate.
Test on https://www.ssllabs.com/ssltest/ gives A- grade SSL.
I really don't know what else can I do to open it. If I try to open https://www.google.com it works fine. For sake what else apple demands?

Use the nscurl command provided to test this. It will test all ATS settings.
nscurl --verbose --ats-diagnostics https://ripemobileapps.com

Related

Can't download iOS app using in house at iOS 10.3 release version

I update the iOS to iOS 10.3 release version,
I try to download the in-house app through the safari,
but show the below error message(the log from device ).
itunesstored(libsystem_network.dylib)[240] <Error>: nw_coretls_callback_handshake_message_block_invoke_3 tls_handshake_continue: [-9812]
itunesstored(CFNetwork)[240] <Notice>: NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
itunesstored(CFNetwork)[240] <Error>: HTTP load failed (error code: -1202 [3:-9813])
itunesstored(CFNetwork)[240] <Error>: NSURLSessionTask finished with error - code: -1202
itunesstored[240] <Notice>: LoadExternalDownloadManifestOperation: Request failed with error: <private>
itunesstored[240] <Error>: Could not load download manifest with underlying error: <private>
I test the in house to install at the iOS 10.2.1. It is install correct.
But the iOS 10.3 will show the alert ( cannot connect to IP ).
Have anyone known what happened in my case?
thank you very much.
I figured it out, it seems just trusting the certificate is no longer enough. You need to go into General -> About (yes, About, what a great place) -> Certificate Trust Settings. Then tick the switch next to your CA to trust it.

'An SSL error has occurred and a secure connection to the server cannot be made' with verified certificate

I get the following error message (which is identical every try)
2016-07-20 20:09:28.013 MyApp[1140:374263] CFNetwork SSLHandshake failed (-9806)
2016-07-20 20:09:28.014 MyApp[1140:374263] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9806)
error=Optional(Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9806, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x154dda750 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9806, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9806}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://example.com:8080/api/login, NSErrorFailingURLStringKey=https://example.com:8080/api/login, _kCFStreamErrorDomainKey=3})
The certificate is a validated one provided by letsencrypt. I have tested my web server configuration over and over, and everything seems to be like it should.
Running the command openssl s_client -connect example.com:8080/api/login -tls1_2 gives all the expected results:
-It verifies the authority as DST Root CA X3, which is included in Apples root CA list
-The return is code is Verify return code: 0 (ok)
I have also run several ssl diagnostic tool websites such as digicert, which has given no error results.
I can load the domain from Safari ON the iOS device, as well as chrome from my computer without having to accept "untrusted certificates".
Any suggestions?
In case anyone encounter something the same problem, ill answer my own question.
At the time of the question, Let's Encrypt (the CA of the certificate used) did not support forward secrecy for their https certificates (atleast not the one I got). Apple by default required this in the iOS version used at that time (I believe it was around 9.5, but I might be mistaken here).
To get around the requirement of forward secrecy, this can be specified in the Info.plist under domain exceptions.
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>example.com</key>
<dict>
<key>NSTemporaryExceptionRequiresForwardSecrecy</key>
<false/>
</dict>
</dict>
</dict>
Sometime along the road, they changed this to default land on false. I am not sure when this was, but after iOS 10.0 it was never a problem.

Cordova ios app can't load device data

I searched a lot about my issue and I tried different solution, but it doesn't work :/
Link what I tried:
NSURLSession/NSURLConnection HTTP load failed on iOS 9
2016-06-24 10:51:56.760 <App Name>[1817:1004680] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
UPDATE
After adding the lines below:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
I get this error:
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
But when I follow the introduction of developer apple everything should be fine:
nscurl --ats-diagnostics --verbose result
I figured it out. I had to add the following lines in Classes/AppDelegate.m above the #implementation AppDelegate:
#implementation NSURLRequest(DataController)
+ (BOOL)allowsAnyHTTPSCertificateForHost:(NSString *)host{
return YES;
}
#end
What I'm using:
cordova version 5.3.3
platform: iio 4.2.0
helpful link: NSURLConnection/CFURLConnection HTTP load failed ionic

Can Not Connect to Server Using HTTPS

First of all, I know there are a ton of similar questions, but none that I've seen seems to address my setup (nor any solution I found works). So bear with me...
My server host name is an IP address, not a domain name
(i.e., URL looks like: https://XXX.YYY.ZZZ.WWW:9443/etc...).
My server has a real certificate (i.e., not self signed).
My app's plist entry NSAppTransportSecurity dictionary is empty (no exceptions whatsoever - factory settings ATS).
This is production code and I can not disable ATS (nor do I think I could, given that exceptions only work with explicit domain names, not IP addresses).
(Testing on iOS 9, deployment target is iOS 8.x)
I am getting this error when I try to connect:
CFNetwork SSLHandshake failed (-9806) NSURLSession/NSURLConnection
HTTP load failed (kCFStreamErrorDomainSSL, -9806)
Error: An SSL error has occurred and a secure connection to the server cannot be made.
(Device and Simulator)
I tried to command line tool nscurl described here. I get:
Default ATS Secure Connection: CFNetwork SSLHandshake failed (-9806)
Allowing Arbitrary Loads: NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813) ("The certificate for this server is invalid. You might be connecting to a server that is pretending to be “XXX.YYY.ZZZ.WWW” which could put your confidential information at risk.")
Configuring TLS exceptions for XXX.YYY.ZZZ.WWW: (TLS 1.2, 1.1 and 1.0) CFNetwork SSLHandshake failed (-9806)
Disabling Perfect Forward Secrecy: CFNetwork SSLHandshake failed (-9801)
Disabling Perfect Forward Secrecy and Allowing Insecure HTTP: CFNetwork SSLHandshake failed (-9801)
TLSv1.2 with PFS disabled: CFNetwork SSLHandshake failed (-9801)
TLSv1.1 with PFS disabled: CFNetwork SSLHandshake failed (-9801)
TLSv1.0 with PFS disabled: NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
TLSv1.2 with PFS disabled and insecure HTTP allowed: CFNetwork SSLHandshake failed (-9801)
...you get the drill.
I am having checked which TLS version the server supports (that is the biggest suspect, as far as I've researched), but perhaps there is something else I need to fix/check on the client side?
I think you need to inspect the cert on your server. You should be able to use the openssl client to investigate your certificate and get your server's ssl config:
openssl s_client -connect XXX.YYY.ZZZ.WWW:9443
You should get some details about the cert
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: //
Session-ID-ctx:
Master-Key: //
Key-Arg : None
Start Time: 1449693038
Timeout : 300 (sec)
Verify return code: 0 (ok)
Or, you can use a website like symantec to query the cert and see if you have met the requirements of TLS1.2, a strong enough key, and forward secrecy.
Also, you could try turning on CFNetwork Diagnostic Logging. Edit the Xcode scheme and add the CFNETWORK_DIAGNOSTICS environment variable. Set the logging level to 3 which is the most verbose:
The Xcode console shows the location of the log file:
CFNetwork diagnostics log file created at: /private/var/mobile/Containers/
Data/Application/A3421F00-451A-CD70-1B82-B163D1A3BB0F/Library/Logs/
CrashReporter/CFNetwork_com.sample.app_118.nwlrb.log
You could look into those logs to see if there is any more information as to why the network calls are failing.

nscurl --ats-diagnostics doesn't work with my nodejs server

I have setup nodejs for SSL with certificates from ssls.com. When I run tests from the browser my certificates are found and things seem okay (excepting a couple of vulnerabilities are shown). I'm using sites like:
https://www.sslshopper.com/ssl-checker.html
https://www.ssllabs.com/ssltest/analyze.html
Notwithstanding I'm having trouble getting my IOS app to connect using a websockets library.
When I run this new diagnostic command:
nscurl --ats-diagnostics https://<mydomain.com> I get
nscurl[4714:325661] CFNetwork SSLHandshake failed (-9806)
nscurl[4714:325661] NSURLSession/NSURLConnection HTTP load failed
(kCFStreamErrorDomainSSL, -9806)
The more detailed log file doesn't seem to give much more info:
Error: Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)"
UserInfo={_kCFStreamPropertySSLClientCertificateState=0,
_kCFNetworkCFStreamSSLErrorOriginalValue=-9806, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9806}
Any ideas?

Resources