NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9843)

App & System Services Networking
ardidev OP
Created Mar ’16
Replies 1
Boosts 0
Views 9.0k
Participants 2

I got this error:


NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9843)

The certificate for this server is invalid. You might be connecting to a server that is pretending to be “m.appcenter.monas.co.id” which could put your confidential information at risk.

I already set up the plist like this:


<key>NSAppTransportSecurity</key>

<dict>

<key>NSExceptionDomains</key>

<dict>

<key>m.appcenter.monas.co.id</key>

<dict>

<!--Include to allow subdomains-->

<key>NSIncludesSubdomains</key>

<true/>

<!--Include to allow insecure HTTP requests-->

<key>NSExceptionAllowsInsecureHTTPLoads</key>

<true/>

<!--Include to specify minimum TLS version-->

<key>NSExceptionMinimumTLSVersion</key>

<string>TLSv1.0</string>

<key>NSTemporaryExceptionRequiresForwardSecrecy</key>

<false/>

</dict>

</dict>

</dict>


can anyone helpme?

Replies  1
Boosts  0
Views  9.0k
Participants  2
DTS Engineer OP
Apple
Mar ’16

First up, I moved your thread to CoreOS > Networking because I’m pretty sure that Swift isn’t the problem here (-:

Next, I tried poking at your server, 

m.appcenter.monas.co.id
, but it doesn’t seem to be on the public Internet. 
$ ping m.appcenter.monas.co.id
ping: cannot resolve m.appcenter.monas.co.id: Unknown host

That puts a limit on how much I can help out here. If you run the following command and post the results, I should be able to offer more concrete advice.

$ TLSTool s_client -connect m.appcenter.monas.co.id:443 -noverify -showcerts

Note If the server is running on a port other than the standard HTTPS port, change “443” to that port number.

Error -9843 is 

errSSLHostNameMismatch
, meaning that the certificate returned by the server doesn’t match the DNS name that you’re connecting to. TLS requires that the DNS name you’re connecting to be present in either the Common Name of the certificate’s Subject, or listed in the Subject Alternate Names extension. It’s possible to override this if necessary, but it requires both App Transport Security changes and changes at the NSURL{Session,Connection} level. IMO it’s much better to fix the certificate.

Once I get the output from 

TLSTool
, I should be able to offer specific advice as to the necessary fix.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9843)
First post date Last post date
 
 
Q