
I have an Objective-C iPad application that makes a web service call which is failing as follows:

"CFNetwork SSLHandshake failed (-9824)"
"NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)"

The following code makes the call:

responseData = [NSMutableData data];
// Build the URL from a string; assigning the string literal directly to an NSURL* is a type error
NSURL *loginurl = [NSURL URLWithString:@"https://domain.com/4dAction/servicename/"];
NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:loginurl];
NSString *params = [[NSString alloc] initWithFormat:@"user=%@&pass=%@", username.text, password.text];
[request setHTTPMethod:@"POST"];
[request setHTTPBody:[params dataUsingEncoding:NSUTF8StringEncoding]];
// The connection starts immediately and reports results to the delegate (self)
[[NSURLConnection alloc] initWithRequest:request delegate:self];

After some research it seemed that the solution could be to put some exceptions into 'info.plist'. This resulted in slightly different error messages, but it still doesn't work. The following is the section I added to 'info.plist':

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>domain.com</key>
        <dict>
            <key>NSAllowsArbitraryLoads</key>
            <true/>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSTemporaryExceptionRequiresForwardSecrecy</key>
            <false/>
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.1</string>
        </dict>
    </dict>
</dict>

This call is now failing with the error (there is now no "CFNetwork SSLHandshake failed" error as there previously was):

"NSURLSession/NSURLConnection HTTP Load failed (kCFStreamErrorDomainSSL, -9802)"

The things that have changed since the last time this worked are as follows:

  • iOS upgraded to version 9
  • Web server moved from 4D running on Mac to 4D running on Windows.
  • The domain name has changed and a new certificate issued.

Basically I am looking for a way to make the web service call work without an error.

D Brough

2 Answers

For now, you'll have to add `NSExceptionAllowsInsecureHTTPLoads=true` to the exceptions, I think. See the discussions at:

https://forums.developer.apple.com/thread/13472

But the real fix is to update the server or change its configuration to use modern cipher suites. This has nothing to do with the certificate. Your web server, during the TLS handshake, is telling iOS that it only accepts a bunch of older, not-so-secure encryption schemes (cipher suites).

Fixing this might be as simple as changing a config file, or it might involve updating the web server software (or possibly both).

dgatwood
  • This fixed the error thanks, although I am now getting another error: NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813) Looks like I have a problem with the certificate I will need to fix. – D Brough Aug 10 '16 at 05:21

Your plist isn't quite right. This answer will show you what to do. Basically you can use NSExceptionAllowsInsecureHTTPLoads in an exception domain, or you can use NSAllowsArbitraryLoads which covers everything.

If making either of these changes causes your app to start working, then yes, your issue is ATS-related, and you need to update your server to handle TLS 1.2 with Forward Secrecy before the end of this year.

If your app does not start working, then check everything else. Does the new certificate match the new domain name? What happens when you hit the URL in Safari?

Brett Donald
  • My plist was wrong, thanks for the pointer. As stated above I am now getting a different error, 9813 which indicates a problem with the certificate. The certificate does match the domain name, it works fine in a browser which seems to indicate that it is ok ... but I am getting 9813 in the app ! – D Brough Aug 10 '16 at 05:27
  • That probably indicates that the server isn't sending back a complete set of intermediate certificates that end at a trusted root/anchor cert. Check with your certificate authority and find out what intermediate certificates it should be including. – dgatwood Aug 10 '16 at 06:43
  • If your server is open to the internet you can quickly test the certificate chain using a site such as this: https://whatsmychaincert.com/ – Brett Donald Aug 10 '16 at 07:52
  • If your server is NOT open to the internet you can download a test application like this: http://www.bolet.org/TestSSLServer/ – Brett Donald Aug 10 '16 at 07:54
  • I looked it up on "https://www.digicert.com/help/" and it said the certificate was ok but I got this error: "SSL Certificate is not trusted The certificate is not signed by a trusted authority (checking against Mozilla's root store). If you bought the certificate from a trusted authority, you probably just need to install one or more Intermediate certificates. Contact your certificate provider for assistance doing this for your server platform." so yes I need to sort out the intermediate certificate. – D Brough Aug 10 '16 at 22:59
  • A quick Google and for 4D I just need to open the cert.pem file and paste the intermediate certificate in! – D Brough Aug 10 '16 at 23:22
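The ATS block both answers describe, written out as an added example (this is not the asker's plist or either answerer's code); `domain.com` is the placeholder host from the question. It shows the two keys at the levels where ATS actually reads them: `NSAllowsArbitraryLoads` is only honoured directly under `NSAppTransportSecurity`, so placing it inside a domain entry as the question did has no effect, while `NSExceptionAllowsInsecureHTTPLoads` belongs inside the domain entry.

```xml
<key>NSAppTransportSecurity</key>
<dict>
    <!-- Global opt-out. This key is only honoured here, directly under
         NSAppTransportSecurity, not inside a domain entry. It disables ATS
         for every host the app talks to, so prefer the scoped exception
         below and leave this commented out. -->
    <!--
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    -->
    <key>NSExceptionDomains</key>
    <dict>
        <!-- placeholder host from the question; use the real service host -->
        <key>domain.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <!-- Scoped opt-out: lets this one host negotiate the older cipher
                 suites ATS otherwise rejects. Note it also permits plain http
                 to this host, so remove it once the server offers TLS 1.2
                 with forward secrecy. -->
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <!-- NSTemporaryExceptionRequiresForwardSecrecy in the question is
                 the older spelling of this key -->
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.1</string>
        </dict>
    </dict>
</dict>
```

ATS exceptions do not relax certificate trust evaluation, so an incomplete intermediate chain (the -9813 error in the comments) still fails until the server sends the full chain. On a Mac, `nscurl --ats-diagnostics --verbose https://domain.com/` reports which ATS settings allow the connection to succeed.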