CFNetwork SSLHandshake failed iOS 9

ios ssl nsurlconnection ios9

120,239

Solution 1

iOS 9 and OSX 10.11 require TLSv1.2 SSL for all hosts you plan to request data from unless you specify exception domains in your app's Info.plist file.

The syntax for the Info.plist configuration looks like this:

<key>NSAppTransportSecurity</key>
<dict>
  <key>NSExceptionDomains</key>
  <dict>
    <key>yourserver.com</key>
    <dict>
      <!--Include to allow subdomains-->
      <key>NSIncludesSubdomains</key>
      <true/>
      <!--Include to allow insecure HTTP requests-->
      <key>NSExceptionAllowsInsecureHTTPLoads</key>
      <true/>
      <!--Include to specify minimum TLS version-->
      <key>NSExceptionMinimumTLSVersion</key>
      <string>TLSv1.1</string>
    </dict>
  </dict>
</dict>

If your application (a third-party web browser, for instance) needs to connect to arbitrary hosts, you can configure it like this:

<key>NSAppTransportSecurity</key>
<dict>
    <!--Connect to anything (this is probably BAD)-->
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

If you're having to do this, it's probably best to update your servers to use TLSv1.2 and SSL, if they're not already doing so. This should be considered a temporary workaround.

As of today, the prerelease documentation makes no mention of any of these configuration options in any specific way. Once it does, I'll update the answer to link to the relevant documentation.

Solution 2

In iOS 10+, the TLS string MUST be of the form "TLSv1.0". It can't just be "1.0". (Sigh)

The following combination of the other Answers works.

Let's say you are trying to connect to a host (YOUR_HOST.COM) that only has TLS 1.0.

Add these to your app's Info.plist

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>YOUR_HOST.COM</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSTemporaryExceptionMinimumTLSVersion</key>
            <string>TLSv1.0</string>
            <key>NSTemporaryExceptionRequiresForwardSecrecy</key>
            <false/>
        </dict>
    </dict>
</dict>

Solution 3

For more info Configuring App Transport Security Exceptions in iOS 9 and OSX 10.11

Curiously, you’ll notice that the connection attempts to change the http protocol to https to protect against mistakes in your code where you may have accidentally misconfigured the URL. In some cases, this might actually work, but it’s also confusing.

This Shipping an App With App Transport Security covers some good debugging tips

ATS Failure

Most ATS failures will present as CFErrors with a code in the -9800 series. These are defined in the Security/SecureTransport.h header

2015-08-23 06:34:42.700 SelfSignedServerATSTest[3792:683731] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)

CFNETWORK_DIAGNOSTICS

Set the environment variable CFNETWORK_DIAGNOSTICS to 1 in order to get more information on the console about the failure

nscurl

The tool will run through several different combinations of ATS exceptions, trying a secure connection to the given host under each ATS configuration and reporting the result.

nscurl --ats-diagnostics https://example.com

Solution 4

After two days of attempts and failures, what worked for me is this code of womble

with One change, according to this post we should stop using sub-keys associated with the NSExceptionDomains dictionary of that kind of Convention

  NSTemporaryExceptionMinimumTLSVersion

And use at the new Convention

  NSExceptionMinimumTLSVersion

instead.

apple documentation

my code

<key>NSAppTransportSecurity</key>
    <dict>
        <key>NSExceptionDomains</key>
        <dict>
            <key>YOUR_HOST.COM</key>
            <dict>
                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSExceptionMinimumTLSVersion</key>
                <string>TLSv1.0</string>
                <key>NSExceptionRequiresForwardSecrecy</key>
                <false/>
                <key>NSIncludesSubdomains</key>
                <true/>
            </dict>
        </dict>
    </dict>

Solution 5

If your backend uses a secure connection ant you get using NSURLSession

CFNetwork SSLHandshake failed (-9801)
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)

you need to check your server configuration especially to get ATS version and SSL certificate Info:

Instead of just Allowing Insecure Connection by setting NSExceptionAllowsInsecureHTTPLoads = YES , instead you need to Allow Lowered Security in case your server do not meet the min requirement (v1.2) for ATS (or better to fix server side).

Allowing Lowered Security to a Single Server

<key>NSExceptionDomains</key>
<dict>
    <key>api.yourDomaine.com</key>
    <dict>
        <key>NSExceptionMinimumTLSVersion</key>
        <string>TLSv1.0</string>
        <key>NSExceptionRequiresForwardSecrecy</key>
        <false/>
    </dict>
</dict>

use openssl client to investigate certificate and get your server configuration using openssl client :

openssl s_client  -connect api.yourDomaine.com:port //(you may need to specify port or  to try with https://... or www.)

..find at the end

SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: //
    Session-ID-ctx: 
    Master-Key: //
    Key-Arg   : None
    Start Time: 1449693038
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

App Transport Security (ATS) require Transport Layer Security (TLS) protocol version 1.2.

Requirements for Connecting Using ATS:

The requirements for a web service connection to use App Transport Security (ATS) involve the server, connection ciphers, and certificates, as follows:

Certificates must be signed with one of the following types of keys:

Secure Hash Algorithm 2 (SHA-2) key with a digest length of at least 256 (that is, SHA-256 or greater)

Elliptic-Curve Cryptography (ECC) key with a size of at least 256 bits

Rivest-Shamir-Adleman (RSA) key with a length of at least 2048 bits An invalid certificate results in a hard failure and no connection.

The following connection ciphers support forward secrecy (FS) and work with ATS:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

Update: it turns out that openssl only provide the minimal protocol version Protocol : TLSv1 links

View more solutions

120,239

user3099837

Updated on October 11, 2020

Comments

user3099837 over 3 years
has anyone with the iOS 9 beta 1 had this issue?

I use standard NSURLConnection to connect to a webservice and as soon as a call is made to the webservice i get the below error. This is currently working in iOS 8.3

Possible beta bug? any ideas or thoughts would be great ! I know its very early in iOS 9 development

Here is the full error:

CFNetwork SSLHandshake failed (-9824) NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
```
 NSURLRequest * urlRequest = [NSURLRequest requestWithURL:[NSURL URLWithString:@"https://mywebserviceurl"]];
        NSURLResponse * response = nil;
        NSError * error = nil;
        NSData * data = [NSURLConnection sendSynchronousRequest:urlRequest
                                                  returningResponse:&response
                                                              error:&error];
```
user3099837 about 9 years

Thank you so much for this response, hopefully the documentation will mention what the key will be to make the domain exceptions. Thanks again, your answer is very clear and i know many others are seeing the same thing under the ios9 beta forums
yuhua about 9 years

can you post the link of documentation?
user3099837 about 9 years

i think its so new they havent update their docs yet, when they do he said he would update answer.
user3099837 about 9 years

App Transport Security (ATS) lets an app add a declaration to its Info.plist file that specifies the domains with which it needs secure communication. ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt. You should adopt ATS as soon as possible, regardless of whether you’re creating a new app or updating an existing one. If you’re developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible.
user3099837 about 9 years

The above may be what @StevenPeterson was talking about ! Its just not very detailed yet. aka what the keys are etc
Steven Peterson about 9 years

At the moment, this paragraph can be found here: developer.apple.com/library/prerelease/ios/releasenotes/Gene‌ral/…
user3099837 about 9 years

@StevenPeterson your exactly right steven that works perfectly! i agree with you it would be better to either A) use TSL 1.2 or B) add a whitelist domains, hopefully they share those keys so we can add them too. Just out of curiosity how did you come up with that, did you get some documentation at wwdc ? Thanks again
Steven Peterson about 9 years

@user3099837 Believe it or not, I actually used a raw text search app called EasyFind, and looked for the phrase "AppTransport", and I found a plist in the Xcode 7 bundle that has these keys. I found some other keys as well (NSExceptionDomains, NSTemporaryExceptionAllowsInsecureHTTPLoads, for example) but couldn't get them to work. I imagine we'll know the right way to format these entries in the coming days.
Steven Peterson about 9 years

Updated to include more information about domain-specific exceptions.
user3099837 about 9 years

@StevenPeterson hey steve i cant seem to get the exceptions domain example to work , do you have any ideas by chance, i just copied and pasted into .plist changed TLSv1.1 to TLSv1.0 and the domain to our domain without the https:// etc
user3099837 about 9 years

Sorry for the long chat but i figured it out i needed to disable <key>NSTemporaryExceptionRequiresForwardSecrecy</key> <false/>
lost found about 9 years

Your answer works for me and when i checked the TLS Version for my server at SSLLabs it shows TLS 1.2 and SSL 3
lost found about 9 years

I am not sure if the requests are being blocked because SSL 3 is insecure
Rashmi Ranjan mallick about 9 years

What's the key "NSTemporaryExceptionMinimumTLSVersion" used for?
Womble about 9 years

@RashmiRanjanmallick NSTemporaryExceptionMinimumTLSVersion is used to tell ATS that you're working with a non 1.2 server. For example, use this if you are trying to connect to a host which uses TLS 1.0. You must also use NSTemporaryExceptionRequiresForwardSecrecy set to false, as user3099837 indicated above.
Rashmi Ranjan mallick about 9 years

Ok!! Actually our server supports SSLv3.0 (Insecure), TLSv1.0 and TLSv1.2. It doesn't support TLS1.1. I got this information from sslabs.com. I tried to add an exception for my server url using your answer. But, it fails everytime. Can you please help me in this case. Note: my server url format can be like m.myurl.com or m.anotherstring.myurl.com. It's not a random url. Basically I connect to two servers with above formats.
VaporwareWolf about 9 years

Bingo. I knew it had to do with ipv6 but didn't know where to modify. Thank you
Sean Dev almost 9 years

ste.vn/2015/06/10/… - This is the blog where the answer is sourced from.
CularBytes almost 9 years

For those that have Facebook integrated in their app and receive this since Xcode beta 5, check this link: developers.facebook.com/docs/ios/ios9 for their exceptions. Also look at the changelogs, as I write this, v4.6.0 is in beta that states The SDK is Xcode 7 and iOS 9 beta 5 compatible. Just wait till it is released I should say..: developers.facebook.com/docs/ios/change-log-4.x
julien_c almost 9 years

The technical note from Apple has been updated a few days ago: developer.apple.com/library/prerelease/ios/technotes/… In particular, the key names were changed in the latest beta.
anoop4real almost 9 years

My app is currently in iOS8 SDK and the ipa which I am having has been tested in iOS9 beta 5 and it works and I am still using XCode 6.4 (I have a combination of http as well as https). Just wanted to know whether am I safe till they make XCode7 and iOS9 SDK mandatory?
webo80 almost 9 years

Only point that nscurl is only available in Mac OS X "El Capitan"
André Morujão over 8 years

One more debugging tip, to check which TLS connection cipher is being used by your server: curl -v https://<hostname>
Frade over 8 years

what if my server uses TLS 1.2?? why am I getting the error??
Josh Valdivieso over 8 years

Seems that adding NSTemporaryExceptionRequiresForwardSecrecy did the trick for me, thanks!
Aston over 8 years

Any ideas on what may cause the problem if curl PASS all steps fine?
300baud over 8 years

This version didn't work for me on iOS9.1 - I needed to use the TLSVersion string format in one of the other answers <key>NSTemporaryExceptionMinimumTLSVersion</key> <string>TLSv1.1</string>
Idali over 8 years

the question remains is is it possible to interpretate openssl info to find out if the server meets requirement. Also Protocol : TLSv1 may be the makor version instead of 1.x
Idali over 8 years

I make it general, in case using port
zaph over 8 years

The answer leaves more questions open than answered. It seems an issue may be the mappings between what openssl reports and the Apple documentation. It is not possible from the openssl output to determine if TLS 1.2 is supported. The answer also does not allow to determine if Perfect Forward Secrecy is supported.
Sam Heather over 8 years

@Frade did you work this out? I'm having the same issue.
Frade over 8 years

@SamHeather, I think it was the server's certificate that was expired. but I really don't remember for sure
YakirNa about 8 years

@onmyway133 can you add explenation on how to "Set the environment variable CFNETWORK_DIAGNOSTICS to 1 "?
onmyway133 about 8 years

@YakirNa you can read about how to do that here nshipster.com/launch-arguments-and-environment-variables it's pretty straightforward :)
theDC about 8 years

This works but my question is: does that mean my app doesn't use ssl when these parameters are on and data isn't encrypted?
Lopakhin almost 8 years

very useful to debug certificate problem
physicalattraction over 7 years

The top link is not available anymore. :-(