CFNetwork SSLHandshake failed iOS 9

Question

has anyone with the iOS 9 beta 1 had this issue     I use standard NSURLConnection to connect to a webservice and as soon as a call is made to the webservice i get the below error   This is currently working in iOS 8 3  Possible beta bug  any ideas or thoughts would be great   I know its very early in iOS 9 development  Here is the full error      CFNetwork SSLHandshake failed  -9824    NSURLSession NSURLConnection HTTP load failed  kCFStreamErrorDomainSSL  -9824     NSURLRequest   urlRequest    NSURLRequest requestWithURL  NSURL URLWithString   https   mywebserviceurl             NSURLResponse   response   nil          NSError   error   nil          NSData   data    NSURLConnection sendSynchronousRequest urlRequest                                                   returningResponse  amp response                                                               error  amp error

User · Answer

If your backend uses a secure connection ant you get using NSURLSession

CFNetwork SSLHandshake failed (-9801)
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)

you need to check your server configuration especially to get ATS version and SSL certificate Info:

Instead of just Allowing Insecure Connection by setting NSExceptionAllowsInsecureHTTPLoads = YES , instead you need to Allow Lowered Security in case your server do not meet the min requirement (v1.2) for ATS (or better to fix server side).

Allowing Lowered Security to a Single Server

<key>NSExceptionDomains</key>
<dict>
    <key>api.yourDomaine.com</key>
    <dict>
        <key>NSExceptionMinimumTLSVersion</key>
        <string>TLSv1.0</string>
        <key>NSExceptionRequiresForwardSecrecy</key>
        <false/>
    </dict>
</dict>

use openssl client to investigate certificate and get your server configuration using openssl client :

openssl s_client  -connect api.yourDomaine.com:port //(you may need to specify port or  to try with https://... or www.)

..find at the end

SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: //
    Session-ID-ctx: 
    Master-Key: //
    Key-Arg   : None
    Start Time: 1449693038
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

App Transport Security (ATS) require Transport Layer Security (TLS) protocol version 1.2.

Requirements for Connecting Using ATS:

The requirements for a web service connection to use App Transport Security (ATS) involve the server, connection ciphers, and certificates, as follows:

Certificates must be signed with one of the following types of keys:

Secure Hash Algorithm 2 (SHA-2) key with a digest length of at least 256 (that is, SHA-256 or greater)

Elliptic-Curve Cryptography (ECC) key with a size of at least 256 bits

Rivest-Shamir-Adleman (RSA) key with a length of at least 2048 bits An invalid certificate results in a hard failure and no connection.

The following connection ciphers support forward secrecy (FS) and work with ATS:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

Update: it turns out that openssl only provide the minimal protocol version Protocol : TLSv1 links

User · Answer

After two days of attempts and failures  what worked for me is this code of womble  with One change  according to this post we should stop using sub-keys associated with the NSExceptionDomains dictionary of that kind of Convention    NSTemporaryExceptionMinimumTLSVersion   And use at the new Convention    NSExceptionMinimumTLSVersion   instead   apple documentation  my code   lt key gt NSAppTransportSecurity lt  key gt       lt dict gt           lt key gt NSExceptionDomains lt  key gt           lt dict gt               lt key gt YOUR HOST COM lt  key gt               lt dict gt                   lt key gt NSExceptionAllowsInsecureHTTPLoads lt  key gt                   lt true  gt                   lt key gt NSExceptionMinimumTLSVersion lt  key gt                   lt string gt TLSv1 0 lt  string gt                   lt key gt NSExceptionRequiresForwardSecrecy lt  key gt                   lt false  gt                   lt key gt NSIncludesSubdomains lt  key gt                   lt true  gt               lt  dict gt           lt  dict gt       lt  dict gt

User · Answer

iOS 9 and OSX 10 11 require TLSv1 2 SSL for all hosts you plan to request data from unless you specify exception domains in your app s Info plist file   The syntax for the Info plist configuration looks like this    lt key gt NSAppTransportSecurity lt  key gt   lt dict gt     lt key gt NSExceptionDomains lt  key gt     lt dict gt       lt key gt yourserver com lt  key gt       lt dict gt         lt  --Include to allow subdomains-- gt         lt key gt NSIncludesSubdomains lt  key gt         lt true  gt         lt  --Include to allow insecure HTTP requests-- gt         lt key gt NSExceptionAllowsInsecureHTTPLoads lt  key gt         lt true  gt         lt  --Include to specify minimum TLS version-- gt         lt key gt NSExceptionMinimumTLSVersion lt  key gt         lt string gt TLSv1 1 lt  string gt       lt  dict gt     lt  dict gt   lt  dict gt    If your application  a third-party web browser  for instance  needs to connect to arbitrary hosts  you can configure it like this    lt key gt NSAppTransportSecurity lt  key gt   lt dict gt       lt  --Connect to anything  this is probably BAD -- gt       lt key gt NSAllowsArbitraryLoads lt  key gt       lt true  gt   lt  dict gt    If you re having to do this  it s probably best to update your servers to use TLSv1 2 and SSL  if they re not already doing so  This should be considered a temporary workaround   As of today  the prerelease documentation makes no mention of any of these configuration options in any specific way  Once it does  I ll update the answer to link to the relevant documentation

User · Answer

The syntax for the Info plist configuration      lt key gt NSAppTransportSecurity lt  key gt      lt dict gt      lt key gt NSExceptionDomains lt  key gt       lt dict gt       lt key gt yourserver com lt  key gt      lt dict gt     lt  --Include to allow subdomains-- gt     lt key gt NSIncludesSubdomains lt  key gt     lt true  gt     lt  --Include to allow insecure HTTP requests-- gt     lt key gt NSExceptionAllowsInsecureHTTPLoads lt  key gt     lt true  gt     lt  --Include to specify minimum TLS version-- gt     lt key gt NSExceptionMinimumTLSVersion lt  key gt     lt string gt TLSv1 1 lt  string gt      lt  dict gt    lt  dict gt

User · Answer

In your project   plist file in add this permission     lt key gt NSAppTransportSecurity lt  key gt   lt dict gt       lt  --Connect to anything  this is probably BAD -- gt       lt key gt NSAllowsArbitraryLoads lt  key gt       lt true  gt   lt  dict gt

User · Answer

In iOS 10   the TLS string MUST be of the form  TLSv1 0   It can t just be  1 0    Sigh     The following combination of the other Answers works   Let s say you are trying to connect to a host  YOUR HOST COM  that only has TLS 1 0   Add these to your app s Info plist   lt key gt NSAppTransportSecurity lt  key gt   lt dict gt       lt key gt NSExceptionDomains lt  key gt       lt dict gt           lt key gt YOUR HOST COM lt  key gt           lt dict gt               lt key gt NSIncludesSubdomains lt  key gt               lt true  gt               lt key gt NSTemporaryExceptionAllowsInsecureHTTPLoads lt  key gt               lt true  gt               lt key gt NSTemporaryExceptionMinimumTLSVersion lt  key gt               lt string gt TLSv1 0 lt  string gt               lt key gt NSTemporaryExceptionRequiresForwardSecrecy lt  key gt               lt false  gt           lt  dict gt       lt  dict gt   lt  dict gt

User · Answer

For more info Configuring App Transport Security Exceptions in iOS 9 and OSX 10 11     Curiously  you   ll notice that the connection attempts to change the   http protocol to https to protect against mistakes in your code where   you may have accidentally misconfigured the URL  In some cases  this   might actually work  but it   s also confusing    This Shipping an App With App Transport Security covers some good debugging tips  ATS Failure     Most ATS failures will present as CFErrors with a code in the -9800   series  These are defined in the Security SecureTransport h header   2015-08-23 06 34 42 700 SelfSignedServerATSTest 3792 683731  NSURLSession NSURLConnection HTTP load failed  kCFStreamErrorDomainSSL  -9813    CFNETWORK DIAGNOSTICS     Set the environment variable CFNETWORK DIAGNOSTICS to 1 in order to   get more information on the console about the failure   nscurl     The tool will run through several different combinations of ATS   exceptions  trying a secure connection to the given host under each   ATS configuration and reporting the result    nscurl --ats-diagnostics https   example com

User · Answer

The device I tested at had wrong time set  So when I tried accessing a page with a certificate that would run out soon it would deny access because the device though the certificate had expired  To fix  set proper time on the device

User · Answer

Another useful tool is nmap  brew install nmap   nmap --script ssl-enum-ciphers -p 443 google com   Gives output   Starting Nmap 7 12   https   nmap org   at 2016-08-11 17 25 IDT Nmap scan report for google com  172 217 23 46  Host is up  0 061s latency   Other addresses for google com  not scanned   2a00 1450 4009 80a  200e PORT    STATE SERVICE 443 tcp open  https   ssl-enum-ciphers       TLSv1 0         ciphers           TLS ECDHE ECDSA WITH AES 128 CBC SHA  secp256r1  - A         TLS ECDHE ECDSA WITH AES 256 CBC SHA  secp256r1  - A         TLS ECDHE RSA WITH AES 128 CBC SHA  secp256r1  - A         TLS RSA WITH AES 128 CBC SHA  rsa 2048  - A         TLS RSA WITH 3DES EDE CBC SHA  rsa 2048  - C         TLS ECDHE RSA WITH AES 256 CBC SHA  secp256r1  - A         TLS RSA WITH AES 256 CBC SHA  rsa 2048  - A       compressors           NULL       cipher preference  server     TLSv1 1         ciphers           TLS ECDHE ECDSA WITH AES 128 CBC SHA  secp256r1  - A         TLS ECDHE ECDSA WITH AES 256 CBC SHA  secp256r1  - A         TLS ECDHE RSA WITH AES 128 CBC SHA  secp256r1  - A         TLS RSA WITH AES 128 CBC SHA  rsa 2048  - A         TLS RSA WITH 3DES EDE CBC SHA  rsa 2048  - C         TLS ECDHE RSA WITH AES 256 CBC SHA  secp256r1  - A         TLS RSA WITH AES 256 CBC SHA  rsa 2048  - A       compressors           NULL       cipher preference  server     TLSv1 2         ciphers           TLS ECDHE ECDSA WITH AES 128 CBC SHA  secp256r1  - A         TLS ECDHE ECDSA WITH AES 128 CBC SHA256  secp256r1  - A         TLS ECDHE ECDSA WITH AES 128 GCM SHA256  secp256r1  - A         TLS ECDHE ECDSA WITH AES 256 CBC SHA  secp256r1  - A         TLS ECDHE ECDSA WITH AES 256 CBC SHA384  secp256r1  - A         TLS ECDHE ECDSA WITH AES 256 GCM SHA384  secp256r1  - A         TLS ECDHE ECDSA WITH CHACHA20 POLY1305 SHA256  secp256r1  - A         TLS ECDHE RSA WITH AES 128 CBC SHA  secp256r1  - A         TLS ECDHE RSA WITH AES 128 CBC SHA256  secp256r1  - A         TLS ECDHE RSA WITH AES 128 GCM SHA256  secp256r1  - A         TLS ECDHE RSA WITH AES 256 CBC SHA  secp256r1  - A         TLS ECDHE RSA WITH AES 256 CBC SHA384  secp256r1  - A         TLS ECDHE RSA WITH AES 256 GCM SHA384  secp256r1  - A         TLS ECDHE RSA WITH CHACHA20 POLY1305 SHA256  secp256r1  - A         TLS RSA WITH 3DES EDE CBC SHA  rsa 2048  - C         TLS RSA WITH AES 128 CBC SHA  rsa 2048  - A         TLS RSA WITH AES 128 CBC SHA256  rsa 2048  - A         TLS RSA WITH AES 128 GCM SHA256  rsa 2048  - A         TLS RSA WITH AES 256 CBC SHA  rsa 2048  - A         TLS RSA WITH AES 256 CBC SHA256  rsa 2048  - A         TLS RSA WITH AES 256 GCM SHA384  rsa 2048  - A       compressors           NULL       cipher preference  client     least strength  C  Nmap done  1 IP address  1 host up  scanned in 5 48 seconds

User · Answer

Updated Answer  post-WWDC 2016       iOS apps will require secure HTTPS connections by the end of   2016  Trying  turn ATS off may get your app rejected in the future    App Transport Security  or ATS  is a feature that Apple introduced in iOS 9  When ATS is enabled  it forces an app to connect to web services over an HTTPS connection rather than non secure HTTP   However  developers can still switch ATS off and allow their apps to send data over an HTTP connection as mentioned in above answers  At the end of 2016  Apple will make ATS mandatory for all developers who hope to submit their apps to the App Store  link

User · Answer

This error was showing up in the logs sometimes when I was using a buggy crashy Cordova iOS version  It went away when I upgraded or downgraded cordova iOS   The server I was connecting to was using TLSv1 2 SSL so I knew that was not the problem

[ios] CFNetwork SSLHandshake failed iOS 9

Examples related to ios

Examples related to ssl

Examples related to nsurlconnection

Examples related to ios9