Reputation: 16256
First of all, I know there are a ton of similar questions, but none that I've seen seems to address my setup (nor any solution I found works). So bear with me...
https://XXX.YYY.ZZZ.WWW:9443/etc...).
NSAppTransportSecurity dictionary is empty (no exceptions whatsoever - factory settings ATS). (Testing on iOS 9, deployment target is iOS 8.x)
I am getting this error when I try to connect:
CFNetwork SSLHandshake failed (-9806) NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9806) Error: An SSL error has occurred and a secure connection to the server cannot be made.
(Device and Simulator)
I tried the command line tool nscurl described here. I get:
Configuring TLS exceptions for XXX.YYY.ZZZ.WWW: (TLS 1.2, 1.1 and 1.0) CFNetwork SSLHandshake failed (-9806)
Disabling Perfect Forward Secrecy: CFNetwork SSLHandshake failed (-9801)
Disabling Perfect Forward Secrecy and Allowing Insecure HTTP: CFNetwork SSLHandshake failed (-9801)
TLSv1.2 with PFS disabled: CFNetwork SSLHandshake failed (-9801)
TLSv1.1 with PFS disabled: CFNetwork SSLHandshake failed (-9801)
TLSv1.0 with PFS disabled: NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
TLSv1.2 with PFS disabled and insecure HTTP allowed: CFNetwork SSLHandshake failed (-9801)
...you get the drill.
I am having the TLS version the server supports checked (that is the biggest suspect, as far as I've researched), but perhaps there is something else I need to fix/check on the client side?
Upvotes: 2
Views: 3767
Reputation: 13630
I think you need to inspect the cert on your server. You should be able to use the openssl client to investigate your certificate and get your server's SSL config:
openssl s_client -connect XXX.YYY.ZZZ.WWW:9443
You should get some details about the cert
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: //
    Session-ID-ctx:
    Master-Key: //
    Key-Arg   : None
    Start Time: 1449693038
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
Or, you can use a website like Symantec's to query the cert and see if you have met the requirements of TLS 1.2, a strong enough key, and forward secrecy.
Also, you could try turning on CFNetwork Diagnostic Logging. Edit the Xcode scheme and add the CFNETWORK_DIAGNOSTICS environment variable. Set the logging level to 3, which is the most verbose.
The Xcode console shows the location of the log file:
CFNetwork diagnostics log file created at: /private/var/mobile/Containers/Data/Application/A3421F00-451A-CD70-1B82-B163D1A3BB0F/Library/Logs/CrashReporter/CFNetwork_com.sample.app_118.nwlrb.log
You could look into those logs to see if there is any more information as to why the network calls are failing.
Upvotes: 2
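A small script that grades the openssl s_client session output from the answer above against the ATS defaults it lists (TLS 1.2, forward secrecy, a strong enough key), added here as an example and not code from the answer. It assumes the usual ATS thresholds (an ECDHE suite, RSA keys of at least 2048 bits or EC keys of at least 256 bits) and infers the key type from the cipher suite name; the sample transcripts are constructed.

```shell
#!/bin/sh
# Added example, not code from the question or answer: grade an `openssl s_client`
# session transcript against the ATS defaults the answer names (TLS 1.2, forward
# secrecy, a strong enough key). Assumed thresholds: an ECDHE suite, and an RSA key
# of at least 2048 bits (256 bits when the suite authenticates with ECDSA).
# The certificate signature algorithm (SHA-256) is not in this summary; check it
# separately with `openssl x509 -text`.
# Reads s_client output on stdin, prints one line per requirement and returns 0
# only when every requirement is met. Live use (not run here):
#   openssl s_client -connect XXX.YYY.ZZZ.WWW:9443 </dev/null 2>/dev/null | ats_check
ats_check() {
    out=$(cat)
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    bits=$(printf '%s\n' "$out" | sed -n 's/^Server public key is \([0-9]*\) bit.*/\1/p' | head -n 1)
    rc=0

    case "$proto" in
        TLSv1.2|TLSv1.3) echo "protocol $proto: ok" ;;
        *) echo "protocol ${proto:-unknown}: FAIL (ATS needs TLS 1.2)"; rc=1 ;;
    esac

    # ECDHE-* suites give forward secrecy; TLS 1.3 suites (TLS_*) always do.
    case "$cipher" in
        ECDHE-*|TLS_*) echo "cipher $cipher: ok (forward secrecy)" ;;
        *) echo "cipher ${cipher:-unknown}: FAIL (ATS needs an ECDHE suite)"; rc=1 ;;
    esac

    # Key type is inferred from the suite name: *ECDSA* means an EC certificate.
    case "$cipher" in *ECDSA*) min=256 ;; *) min=2048 ;; esac
    if [ -n "$bits" ] && [ "$bits" -ge "$min" ]; then
        echo "key $bits bits: ok"
    else
        echo "key ${bits:-unknown} bits: FAIL (ATS needs >= $min)"; rc=1
    fi
    return $rc
}

# Constructed transcripts (abridged) in the shape s_client prints.
# The first mirrors the answer's sample session: TLS 1.0 with a non-PFS suite.
SAMPLE_OLD='Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA'
SAMPLE_OK='Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'
printf '%s\n' "$SAMPLE_OLD" | ats_check || true   # prints three FAIL lines
```

The answer's own session (TLSv1, AES256-SHA) fails all three checks, which is consistent with the -9806/-9801 handshake errors in the question.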