NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)

I'm trying to connect my iOS app to an HTTPS site that runs in my network. I can access the site from my browser with http://domain.com.sa but not through the app. I have tried setting the ATS and disabling it too, but the same error appeared:


NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)


I am using Xcode 7, Swift 2 and testing the app on an iPhone with iOS 9.



Any idea how to fix this?

First up, I moved your question to Core OS > Networking because problems like this are typically not Swift specific.

Second, you wrote:

I'm trying to connect my iOS app to an HTTPS site that runs in my network.

and then you wrote:

I can access the site from my browser with http:…

which left me confused as to whether you’re actually using HTTP or HTTPS. Which is it?

If you’re using HTTP then you’ll need an ATS dictionary with an NSExceptionAllowsInsecureHTTPLoads entry for your domain, because HTTP has no security.

OTOH, if you’re using HTTPS then it’s probably worth figuring out what ATS is complaining about and using the most specific exception possible. To do that, use the nscurl tool, as described in the App Transport Security Technote.

btw, is domain.com.sa your actual server, or just some example? I was unable to connect to it on either port 80 (HTTP) or port 443 (HTTPS).

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
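The two kinds of ATS setting discussed in this thread, shown as Info.plist fragments. This is an added example, not taken from either poster's project; `domain.com.sa` is the host name from the question, and an app uses one fragment or the other, not both.

```xml
<!-- Broad setting: turns ATS off for every host the app talks to. -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

<!-- Domain-scoped alternative: ATS stays on for every other host. -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <!-- Host name from the question; replace with the real server. -->
        <key>domain.com.sa</key>
        <dict>
            <!-- Needed only when the server is reached over plain HTTP. -->
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>
```

Neither fragment changes default server trust evaluation, so a certificate the device does not trust still fails the TLS handshake with either one in place.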

Hi, it seems we got the same issue.


We're running an Apache server 2.2.29, mod_ssl 2.2.29 with OpenSSL 1.0.1p, and our app stopped working since iOS 9.


We think we have implemented all we need to be compliant with ATS: we have TLS 1.2, a self-signed SHA-256 with RSA encryption certificate, and forward secrecy enabled. The app calls a PHP page that performs a query on a MySQL server, and this part works fine.


When we choose a record there's a UIWebView that should render a PHP page containing an SVG file and JavaScript code (called from the app). This worked fine and fast before iOS 9; now we can't fix that and we get: NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)


What we see in the Apache log once the page is called is:

[16/Oct/2015:11:22:50 +0200] 10.114.158.169 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "POST /svg/locate.php HTTP/1.1" 1458


We've tried all the possible combinations in the plist file, setting NSAllowsArbitraryLoads to YES, NSExceptionAllowsInsecureHTTPLoads to YES, etc., but it seems to be ignoring those exceptions. What I noted is that if I set NSAllowsArbitraryLoads to NO the app can't perform the call to the PHP file that does the query in MySQL, so I have to leave it on YES.


In fact, if I delete the NSAllowsArbitraryLoads key what I get in the log is (sorry if it's too long):

2015-10-16 11:59:14.921 DCAsset_Beta[824:247478] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)

2015-10-16 11:59:14.931 DCAsset_Beta[824:247377] ERROR DESCRIPTION = Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x12eec30f0>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, NSErrorPeerCertificateChainKey=<CFArray 0x12eeb49c0 [0x19e223b68]>{type = immutable, count = 1, values = (

0 : <cert(0x12eeb9a80) s: apps.telecomitalia.local i: apps.telecomitalia.local>

)}, NSUnderlyingError=0x12edcf960 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x12eec30f0>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=<CFArray 0x12eeb49c0 [0x19e223b68]>{type = immutable, count = 1, values = (

0 : <cert(0x12eeb9a80) s: apps.telecomitalia.local i: apps.telecomitalia.local>

)}}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://apps.telecomitalia.local/update_ls.php, NSErrorFailingURLStringKey=https://apps.telecomitalia.local/update_ls.php, NSErrorClientCertificateStateKey=0}


We spent many hours, really, and can't figure out how to fix our app.


Any help would be greatly appreciated.


Fabrizio

It’s hard to say exactly what’s gone wrong based on the info you’ve posted so far. Did you try nscurl, as I mentioned in my previous post? What did it show?

Also, grab the TLSTool sample code, build and run it on 10.11, point it at your server, and then post the result here.

For example, here’s what it shows when I run it against DevForums.

$ TLSTool s_client -connect forums.developer.apple.com:443
*  input stream did open
* output stream did open
* output stream has space
* protocol: TLS 1.2
* cipher: ECDHE_RSA_WITH_AES_256_CBC_SHA384
* trust result: unspecified
* certificate info:
*   0 rsaEncryption 2048 sha256-with-rsa-signature 'forums.developer.apple.com'
*   1 rsaEncryption 2048 sha256-with-rsa-signature 'Symantec Class 3 EV SSL CA - G3'
*   2 rsaEncryption 2048 sha1-with-rsa-signature 'VeriSign Class 3 Public Primary Certification Authority - G5'
^C

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"