CFNetwork SSLHandshake failed (-9824) against server that support TLSv1.2

Question

I have a very simple tomcat webserver that I have set up to work with TLSv1.2 which is confirmed by using curl

$ curl --verbose https://{my-servers-dns}:8443/
*   Trying {my-servers-ip-address} ...
* Connected to dev.a-b.fit ({my-servers-ip-address}) port 8443 (#0)
* TLS 1.2 connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
* Server certificate: {my-servers-dns}
* Server certificate: Go Daddy Secure Certificate Authority - G2
* Server certificate: Go Daddy Root Certificate Authority - G2
> GET / HTTP/1.1
...

However, if I run this very simple swift code to make the same GET request

let url = NSURL(string: "https://{my-servers-dns}:8443/")!
let session = NSURLSession.sharedSession()
let task = session.dataTaskWithURL(url, completionHandler: {(data, response, error) -> Void in
    if let response = response {
        print("Response: \(response)")
    }
    else {
        print("Response: nil")
    }
})

When I do this I get the following 2 errors

CFNetwork SSLHandshake failed (-9824)
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)

Googling these errors suggest that the issue is that my app can not connect with TLSv1.2. However, I would have thought that the curl request shows that TLS 1.2 is supported.

Answer 1

* TLS 1.2 connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

This is a DHE cipher suite curl uses here. This might mean that your server does not support ECDHE cipher suites because usually these are preferred compared to DHE.

From the iOS 9 Release Notes:

DHE_RSA cipher suites are now disabled by defaults in Secure Transport for TLS clients. This may cause failure to connect to TLS servers that only support DHE_RSA cipher suites. ...

This means if your server only supports DHE ciphers then the connection will fail in the default setup of an iOS 9 client. This is likely the case here.