NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)

I found plenty of entries in the beta archives, but nothing really answers my question.

My server has a GoDaddy TLS 1.2 certificate and the server is set to allow TLS 1.2 ONLY as I need to have strict security. When executing a SOAP request via HTTPS I get the error NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824). From what I understood from the beta postings, one can bypass security by placing a setting in info.plist. But that would defeat the purpose.

I have tested my certificate with https://www.ssllabs.com/ssltest/ and the report says my certificate and security is just fine. So does iOS 9.1 support TLS 1.2 or not?

Answered by DTS Engineer in 84235022

Check this out:

$ TLSTool s_client -connect domino.flexdomino.net:443
*  input stream did open
* output stream did open
* output stream has space
* protocol: TLS 1.2
* cipher: RSA_WITH_AES_256_GCM_SHA384
* trust result: unspecified
* certificate info:
*  0 rsaEncryption 4096 sha256-with-rsa-signature 'domino.flexdomino.net'
*  1 rsaEncryption 2048 sha256-with-rsa-signature 'Go Daddy Secure Certificate Authority - G2'
*  2 rsaEncryption 2048 sha256-with-rsa-signature 'Go Daddy Root Certificate Authority - G2'
^C

The problem is with the negotiated cipher suite (line 6), where the server has chosen a cipher suite that doesn’t provide forward secrecy. You can work around that by tweaking the ATS settings in your Info.plist, but if you want the best security you should just fix the server.

For context:

ps I moved your thread to Core OS / Networking.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
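The diagnosis above turns on one property of the negotiated cipher suite: whether its key exchange is ephemeral (ECDHE or DHE), which is what "forward secrecy" means in practice. The following script is an added example, not code from this thread, from TLSTool, or from Apple; it classifies cipher-suite names in both IANA spelling (as TLSTool prints them, e.g. RSA_WITH_AES_256_GCM_SHA384) and OpenSSL spelling, and can optionally connect to a host with Python's standard ssl module to report what the server actually picks. The sample cipher list and the helper names (key_exchange, provides_forward_secrecy, negotiated_cipher) are constructed for the example.

```python
import socket
import ssl

# Constructed sample: the suite TLSTool reported for the server in this thread,
# plus a few other common names in both IANA and OpenSSL spelling.
SAMPLE_CIPHERS = [
    "RSA_WITH_AES_256_GCM_SHA384",            # from the thread: static RSA key exchange, no PFS
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",  # IANA name, ephemeral ECDH
    "ECDHE-RSA-AES256-GCM-SHA384",            # OpenSSL name, ephemeral ECDH
    "DHE-RSA-AES128-GCM-SHA256",              # OpenSSL name, ephemeral finite-field DH
    "AES256-SHA",                             # OpenSSL short name for plain RSA key exchange
    "TLS_AES_256_GCM_SHA384",                 # TLS 1.3 suite: key exchange is always ephemeral
]

# TLS 1.3 suites name only the AEAD and hash; their handshake is always (EC)DHE.
TLS13_SUITES = {
    "AES_128_GCM_SHA256", "AES_256_GCM_SHA384", "CHACHA20_POLY1305_SHA256",
    "AES_128_CCM_SHA256", "AES_128_CCM_8_SHA256",
}


def key_exchange(cipher_name: str) -> str:
    """Return the key-exchange family of a cipher-suite name:
    'ECDHE', 'DHE', 'TLS13', 'RSA', or 'OTHER' (static DH, anonymous, PSK, ...)."""
    name = cipher_name.upper().replace("-", "_")
    if name.startswith("TLS_"):
        name = name[4:]
    if name in TLS13_SUITES:
        return "TLS13"
    if name.startswith("ECDHE_"):
        return "ECDHE"
    if name.startswith(("DHE_", "EDH_")):
        return "DHE"
    if name.startswith(("ECDH_", "DH_", "ADH_", "AECDH_", "PSK_", "SRP_", "NULL_")):
        return "OTHER"
    # Plain RSA key exchange: IANA "RSA_WITH_..." or OpenSSL short names that
    # omit the key-exchange prefix altogether (e.g. AES256-SHA).
    return "RSA"


def provides_forward_secrecy(cipher_name: str) -> bool:
    """True only when the session key comes from an ephemeral (EC)DH exchange, so a
    later compromise of the server's long-term RSA key cannot decrypt recorded traffic."""
    return key_exchange(cipher_name) in ("ECDHE", "DHE", "TLS13")


def classify(ciphers):
    """Map each cipher-suite name to whether it provides forward secrecy."""
    return {c: provides_forward_secrecy(c) for c in ciphers}


def negotiated_cipher(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with the platform's default TLS settings and report what the server
    chose, the same information TLSTool s_client prints. Needs network access."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, proto, _bits = tls.cipher()
            return {"protocol": proto, "cipher": name,
                    "forward_secrecy": provides_forward_secrecy(name)}


if __name__ == "__main__":
    import sys
    for name, ok in classify(SAMPLE_CIPHERS).items():
        print(f"{'PFS    ' if ok else 'NO PFS '} {name}")
    if len(sys.argv) > 1:
        # e.g. python3 check_pfs.py example.com
        print(negotiated_cipher(sys.argv[1]))
```

Run it with a hostname to see the suite your own client stack negotiates; a "forward_secrecy": False result is the server-side condition that ATS rejects by default. The ATS per-domain exception that relaxes this check is NSExceptionRequiresForwardSecrecy under NSExceptionDomains, but as the answer says, enabling an ECDHE suite on the server removes the problem for every client rather than just for one app.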

My website is domino.flexdomino.net

Tried to allow older TLS version on server, same error on iOS.


Arrrgh, again (new) enforced encryption ciphers/protocols. My server was rated A-, the only thing it did not support was indeed forward secrecy. This was not supported by IBM (have a Lotus Notes Domino server) until recently (a hot fix was issued mid September). One can't install upgrades and hot fixes as fast as they come out to close upgrade security.

It works now!

Thanks eskimo, much appreciated.