CFNetwork SSLHandshake failed iOS 9
Solution 1
iOS 9 and OSX 10.11 require TLSv1.2 SSL for all hosts you plan to request data from unless you specify exception domains in your app's Info.plist file.
The syntax for the Info.plist configuration looks like this:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>yourserver.com</key>
<dict>
<!--Include to allow subdomains-->
<key>NSIncludesSubdomains</key>
<true/>
<!--Include to allow insecure HTTP requests-->
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
<!--Include to specify minimum TLS version-->
<key>NSExceptionMinimumTLSVersion</key>
<string>TLSv1.1</string>
</dict>
</dict>
</dict>
If your application (a third-party web browser, for instance) needs to connect to arbitrary hosts, you can configure it like this:
<key>NSAppTransportSecurity</key>
<dict>
<!--Connect to anything (this is probably BAD)-->
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
If you're having to do this, it's probably best to update your servers to use TLSv1.2 and SSL, if they're not already doing so. This should be considered a temporary workaround.
As of today, the prerelease documentation makes no mention of any of these configuration options in any specific way. Once it does, I'll update the answer to link to the relevant documentation.
Solution 2
In iOS 10+, the TLS string MUST be of the form "TLSv1.0". It can't just be "1.0". (Sigh)
The following combination of the other Answers works.
Let's say you are trying to connect to a host (YOUR_HOST.COM) that only has TLS 1.0.
Add these to your app's Info.plist
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>YOUR_HOST.COM</key>
<dict>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSTemporaryExceptionMinimumTLSVersion</key>
<string>TLSv1.0</string>
<key>NSTemporaryExceptionRequiresForwardSecrecy</key>
<false/>
</dict>
</dict>
</dict>
Solution 3
For more info Configuring App Transport Security Exceptions in iOS 9 and OSX 10.11
Curiously, you’ll notice that the connection attempts to change the http protocol to https to protect against mistakes in your code where you may have accidentally misconfigured the URL. In some cases, this might actually work, but it’s also confusing.
This Shipping an App With App Transport Security covers some good debugging tips
ATS Failure
Most ATS failures will present as CFErrors with a code in the -9800 series. These are defined in the Security/SecureTransport.h header
2015-08-23 06:34:42.700 SelfSignedServerATSTest[3792:683731] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
CFNETWORK_DIAGNOSTICS
Set the environment variable CFNETWORK_DIAGNOSTICS to 1 in order to get more information on the console about the failure
nscurl
The tool will run through several different combinations of ATS exceptions, trying a secure connection to the given host under each ATS configuration and reporting the result.
nscurl --ats-diagnostics https://example.com
Solution 4
After two days of attempts and failures, what worked for me is this code of womble
with One change, according to this post we should stop using sub-keys associated with the NSExceptionDomains dictionary of that kind of Convention
NSTemporaryExceptionMinimumTLSVersion
And use at the new Convention
NSExceptionMinimumTLSVersion
instead.
my code
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>YOUR_HOST.COM</key>
<dict>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSExceptionMinimumTLSVersion</key>
<string>TLSv1.0</string>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>
<key>NSIncludesSubdomains</key>
<true/>
</dict>
</dict>
</dict>
Solution 5
If your backend uses a secure connection ant you get using NSURLSession
CFNetwork SSLHandshake failed (-9801)
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)
you need to check your server configuration especially to get ATS version and SSL certificate Info:
Instead of just Allowing Insecure Connection by setting NSExceptionAllowsInsecureHTTPLoads = YES
, instead you need to Allow Lowered Security in case your server do not meet the min requirement (v1.2) for ATS (or better to fix server side).
Allowing Lowered Security to a Single Server
<key>NSExceptionDomains</key>
<dict>
<key>api.yourDomaine.com</key>
<dict>
<key>NSExceptionMinimumTLSVersion</key>
<string>TLSv1.0</string>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>
</dict>
</dict>
use openssl client to investigate certificate and get your server configuration using openssl client :
openssl s_client -connect api.yourDomaine.com:port //(you may need to specify port or to try with https://... or www.)
..find at the end
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: //
Session-ID-ctx:
Master-Key: //
Key-Arg : None
Start Time: 1449693038
Timeout : 300 (sec)
Verify return code: 0 (ok)
App Transport Security (ATS) require Transport Layer Security (TLS) protocol version 1.2.
Requirements for Connecting Using ATS:
The requirements for a web service connection to use App Transport Security (ATS) involve the server, connection ciphers, and certificates, as follows:
Certificates must be signed with one of the following types of keys:
Secure Hash Algorithm 2 (SHA-2) key with a digest length of at least 256 (that is, SHA-256 or greater)
Elliptic-Curve Cryptography (ECC) key with a size of at least 256 bits
Rivest-Shamir-Adleman (RSA) key with a length of at least 2048 bits An invalid certificate results in a hard failure and no connection.
The following connection ciphers support forward secrecy (FS) and work with ATS:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Update: it turns out that openssl only provide the minimal protocol version Protocol : TLSv1 links
Related videos on Youtube
user3099837
Updated on October 11, 2020Comments
-
user3099837 over 3 years
has anyone with the iOS 9 beta 1 had this issue?
I use standard NSURLConnection to connect to a webservice and as soon as a call is made to the webservice i get the below error. This is currently working in iOS 8.3
Possible beta bug? any ideas or thoughts would be great ! I know its very early in iOS 9 development
Here is the full error:
CFNetwork SSLHandshake failed (-9824) NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
NSURLRequest * urlRequest = [NSURLRequest requestWithURL:[NSURL URLWithString:@"https://mywebserviceurl"]]; NSURLResponse * response = nil; NSError * error = nil; NSData * data = [NSURLConnection sendSynchronousRequest:urlRequest returningResponse:&response error:&error];
-
user3099837 about 9 yearsThank you so much for this response, hopefully the documentation will mention what the key will be to make the domain exceptions. Thanks again, your answer is very clear and i know many others are seeing the same thing under the ios9 beta forums
-
yuhua about 9 yearscan you post the link of documentation?
-
user3099837 about 9 yearsi think its so new they havent update their docs yet, when they do he said he would update answer.
-
user3099837 about 9 yearsApp Transport Security (ATS) lets an app add a declaration to its Info.plist file that specifies the domains with which it needs secure communication. ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt. You should adopt ATS as soon as possible, regardless of whether you’re creating a new app or updating an existing one. If you’re developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible.
-
user3099837 about 9 yearsThe above may be what @StevenPeterson was talking about ! Its just not very detailed yet. aka what the keys are etc
-
Steven Peterson about 9 yearsAt the moment, this paragraph can be found here: developer.apple.com/library/prerelease/ios/releasenotes/General/…
-
user3099837 about 9 years@StevenPeterson your exactly right steven that works perfectly! i agree with you it would be better to either A) use TSL 1.2 or B) add a whitelist domains, hopefully they share those keys so we can add them too. Just out of curiosity how did you come up with that, did you get some documentation at wwdc ? Thanks again
-
Steven Peterson about 9 years@user3099837 Believe it or not, I actually used a raw text search app called EasyFind, and looked for the phrase "AppTransport", and I found a plist in the Xcode 7 bundle that has these keys. I found some other keys as well (NSExceptionDomains, NSTemporaryExceptionAllowsInsecureHTTPLoads, for example) but couldn't get them to work. I imagine we'll know the right way to format these entries in the coming days.
-
Steven Peterson about 9 yearsUpdated to include more information about domain-specific exceptions.
-
user3099837 about 9 years@StevenPeterson hey steve i cant seem to get the exceptions domain example to work , do you have any ideas by chance, i just copied and pasted into .plist changed TLSv1.1 to TLSv1.0 and the domain to our domain without the https:// etc
-
user3099837 about 9 yearsSorry for the long chat but i figured it out i needed to disable <key>NSTemporaryExceptionRequiresForwardSecrecy</key> <false/>
-
lost found about 9 yearsYour answer works for me and when i checked the TLS Version for my server at SSLLabs it shows TLS 1.2 and SSL 3
-
lost found about 9 yearsI am not sure if the requests are being blocked because SSL 3 is insecure
-
Rashmi Ranjan mallick about 9 yearsWhat's the key "NSTemporaryExceptionMinimumTLSVersion" used for?
-
Womble about 9 years@RashmiRanjanmallick NSTemporaryExceptionMinimumTLSVersion is used to tell ATS that you're working with a non 1.2 server. For example, use this if you are trying to connect to a host which uses TLS 1.0. You must also use NSTemporaryExceptionRequiresForwardSecrecy set to false, as user3099837 indicated above.
-
Rashmi Ranjan mallick about 9 yearsOk!! Actually our server supports SSLv3.0 (Insecure), TLSv1.0 and TLSv1.2. It doesn't support TLS1.1. I got this information from sslabs.com. I tried to add an exception for my server url using your answer. But, it fails everytime. Can you please help me in this case. Note: my server url format can be like m.myurl.com or m.anotherstring.myurl.com. It's not a random url. Basically I connect to two servers with above formats.
-
VaporwareWolf about 9 yearsBingo. I knew it had to do with ipv6 but didn't know where to modify. Thank you
-
Sean Dev almost 9 yearsste.vn/2015/06/10/… - This is the blog where the answer is sourced from.
-
CularBytes almost 9 yearsFor those that have Facebook integrated in their app and receive this since Xcode beta 5, check this link: developers.facebook.com/docs/ios/ios9 for their exceptions. Also look at the changelogs, as I write this, v4.6.0 is in beta that states
The SDK is Xcode 7 and iOS 9 beta 5 compatible.
Just wait till it is released I should say..: developers.facebook.com/docs/ios/change-log-4.x -
julien_c almost 9 yearsThe technical note from Apple has been updated a few days ago: developer.apple.com/library/prerelease/ios/technotes/… In particular, the key names were changed in the latest beta.
-
anoop4real almost 9 yearsMy app is currently in iOS8 SDK and the ipa which I am having has been tested in iOS9 beta 5 and it works and I am still using XCode 6.4 (I have a combination of http as well as https). Just wanted to know whether am I safe till they make XCode7 and iOS9 SDK mandatory?
-
webo80 almost 9 yearsOnly point that nscurl is only available in Mac OS X "El Capitan"
-
André Morujão over 8 yearsOne more debugging tip, to check which TLS connection cipher is being used by your server: curl -v https://<hostname>
-
Frade over 8 yearswhat if my server uses TLS 1.2?? why am I getting the error??
-
Josh Valdivieso over 8 yearsSeems that adding
NSTemporaryExceptionRequiresForwardSecrecy
did the trick for me, thanks! -
Aston over 8 yearsAny ideas on what may cause the problem if curl PASS all steps fine?
-
300baud over 8 yearsThis version didn't work for me on iOS9.1 - I needed to use the TLSVersion string format in one of the other answers <key>NSTemporaryExceptionMinimumTLSVersion</key> <string>TLSv1.1</string>
-
Idali over 8 yearsthe question remains is is it possible to interpretate openssl info to find out if the server meets requirement. Also Protocol : TLSv1 may be the makor version instead of 1.x
-
Idali over 8 yearsI make it general, in case using port
-
zaph over 8 yearsThe answer leaves more questions open than answered. It seems an issue may be the mappings between what openssl reports and the Apple documentation. It is not possible from the openssl output to determine if TLS 1.2 is supported. The answer also does not allow to determine if Perfect Forward Secrecy is supported.
-
Sam Heather over 8 years@Frade did you work this out? I'm having the same issue.
-
Frade over 8 years@SamHeather, I think it was the server's certificate that was expired. but I really don't remember for sure
-
YakirNa about 8 years@onmyway133 can you add explenation on how to "Set the environment variable CFNETWORK_DIAGNOSTICS to 1 "?
-
onmyway133 about 8 years@YakirNa you can read about how to do that here nshipster.com/launch-arguments-and-environment-variables it's pretty straightforward :)
-
theDC about 8 yearsThis works but my question is: does that mean my app doesn't use ssl when these parameters are on and data isn't encrypted?
-
Lopakhin almost 8 yearsvery useful to debug certificate problem
-
physicalattraction over 7 yearsThe top link is not available anymore. :-(