iOS 8 cannot connect to TLS 1.2

Hello,


I created an application using Cordova v5.4.1. The application works fine on iOS 8 and 9. Once we installed a certificate on the server, the application throws an error on iOS 8 but works on devices running iOS 9.


The certificate information is as follows:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 128 BIT KEYS, TLS 1.2

Issued by : Tunisian Server Certificate Authority - TunServerCA2


The error in the Xcode log is: NSURLConnection/CFURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813).

Error -9813 is errSSLNoRootCert, which doesn’t sound like the sort of error you’d get if the OS was having problems with the cypher suite negotiation or crypto. Rather, it indicates the OS is having problems building a path from the leaf to a trusted root. A common cause of this problem is that the server is configured incorrectly; specifically, it’s not returning all of the requested intermediate certificates as part of the TLS handshake.

Please run TLSTool against the server and post the results. For example:

$ ./TLSTool s_client -connect example.com:443 -noverify -showcerts

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

WWDC runs Mon, 13 Jun through to Fri, 17 Jun. During that time all of DTS will be at the conference, helping folks out face-to-face. http://developer.apple.com/wwdc/

Hello, Below is the result of the TLSTool


$ ./TLSTool s_client -connect xxxxxxxx:443 -noverify -showcerts
*  input stream did open
* output stream did open
* output stream has space
* protocol: TLS 1.2
* cipher: ECDHE_RSA_WITH_AES_256_CBC_SHA384
* trust result: recoverable trust failure
* certificate info:
*   0 + rsaEncryption 2048 sha256-with-rsa-signature 'xxxxxxxxxx'
*   1 + rsaEncryption 4096 sha256-with-rsa-signature 'Tunisian Server Certificate Authority - TunServerCA2'
*   2 + rsaEncryption 4096 sha256-with-rsa-signature 'Tunisian Root Certificate Authority - TunRootCA2'
* certificate data:


* output stream has space
GET / HTTP/1.1
* output stream has space
Host: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
* output stream has space
Connection: close
* output stream has space


* output stream has space
*  input stream has bytes
HTTP/1.1 200 OK
Date: Mon, 06 Jun 2016 08:23:52 GMT
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains;preload
Last-Modified: Tue, 12 Apr 2016 19:46:13 GMT
ETag: "625a-12e-5304ee9e16b40"
Accept-Ranges: bytes
Content-Length: 821
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html
Set-Cookie: cookie_encrypt=!40EcAwD1L3z2P442VGeIaiLvh7Re4ZuTBEfz2J3pnt8lD6IZ00XZXs436ZvRg84cMbvggGhm16uLpSaRMAiiu68CQrau6YBB/2tDF9j9ZqCm1bGnEP+eMd5Y1f7xkD7WaAaHtnVQkfOp1FuPWxg2CY1vkuQoaEQucLgbCWmMPhY1VmV8j6XHFcSBEfmp7wQlo2WMbdAOiO4Ef+kJMAq7t8fuyznxXAJ0H4KCxZrs9hlzyXWhk6bKdt1xI3Je74wJpWH4l1jwkA==; path=/; Httponly; Secure
Set-Cookie: TS01b20d2c=01c614153de58024e46ff8d4680c3c848be8b08ed287316d482d0373ea876a462b26eeaddd8aafff9ec36581e694048f63ce677c10; Path=/
Set-Cookie: TS01b20d2c_28=0197733a13c435cf0d64ea7684f62ca2df84ae8fc7b948601c4d188710b891dd5410dfd32f04b4c6c8b702225ddb064220277ab706; Path=/; Secure


<html>
<HEAD>
<META HTTP-EQUIV=Refresh CONTENT="1;URL=https://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx?request_locale=fr_FR&request_country=TN">
<!--CONTENT="1;URL=https://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx?request_locale=fr_FR&request_country=TN">
-->


<script type="text/javascript">
<!--
window["_csrf_"] = "083ff69818848800cf3f3e9f2278693dfe69a6a7f55d1f06dcf46b238dfb6f0b10101b7d17dfd291b9542c28739e0e6d4d370f93bcc3f481c18547006c66892d15e2c19e12eade39f59d90fed42267635bc8c2f65e7b7717c9856e66d34cf0cb3453dbd551f1c89d38ef72d35528445ba906a2c05ac5de4ae0848fd24a056aa7177594455cc4bf3dbbc797f6e6793943";
//-->
</script>
<script type="text/javascript" src="/TS01b20d2c/08284619c5ab2000db7d72a0a4f6ef96883b75cea607b56ebdbd6f34f21cf038e11e9835888c215b?type=4"></script>
</HEAD>
<body></body>
</html>


*  input stream has bytes
*  input stream has bytes
*  input stream end
* close
* bytes sent 51, bytes received 1823

AFAICT the reason why this fails is that the certificate authority that issued your server certificate (“Tunisian Root Certificate Authority - TunRootCA2”) is not trusted by iOS by default. You can find a list of trusted certificate authorities in this article.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

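The two diagnoses in this thread (a server that omits an intermediate versus a chain that ends at a root iOS does not ship, which is what -9813 errSSLNoRootCert reports) can be told apart by walking the served chain the way the OS does. The following is an added example, not code from the thread or from TLSTool; it models certificates by subject and issuer name only (no signature checks), and the leaf hostname and the default anchor name are constructed placeholders, since the thread redacts the host.

```python
# Added example: a simplified model of how iOS builds a path from the leaf
# certificate to a trusted anchor, used to classify the chain TLSTool printed.
# Certificates are modelled by subject/issuer only; real signature and
# validity checks are deliberately omitted.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def diagnose_chain(served: list[Cert], trust_store: set[str]) -> str:
    """Walk from served[0] (the leaf) toward a root, as the OS must.

    Returns one of:
      "ok"                   - the path reaches an anchor in trust_store
      "missing intermediate" - no served cert carries the issuer name needed next
      "untrusted root"       - the path ends at a self-signed cert that is not
                               an anchor (what errSSLNoRootCert / -9813 means)
    """
    by_subject = {c.subject: c for c in served}
    current = served[0]
    seen = {current.subject}
    while True:
        if current.subject in trust_store or current.issuer in trust_store:
            return "ok"
        if current.self_signed:
            return "untrusted root"
        nxt = by_subject.get(current.issuer)
        if nxt is None:
            return "missing intermediate"
        if nxt.subject in seen:          # guard against a malformed looping chain
            return "untrusted root"
        seen.add(nxt.subject)
        current = nxt


# Constructed sample mirroring the three certificates in the TLSTool output above.
SERVER_CA = "Tunisian Server Certificate Authority - TunServerCA2"
ROOT_CA = "Tunisian Root Certificate Authority - TunRootCA2"
TUNISIAN_CHAIN = [
    Cert("leaf (hostname redacted in thread)", SERVER_CA),
    Cert(SERVER_CA, ROOT_CA),
    Cert(ROOT_CA, ROOT_CA),
]
# Constructed stand-in for the iOS trust store: TunRootCA2 is deliberately absent.
IOS_DEFAULT_ANCHORS = {"Example Public Root CA"}
```

With the full chain and the default anchors the result is "untrusted root"; adding ROOT_CA to the anchor set (what a configuration profile does) turns it into "ok", and serving only the leaf yields "missing intermediate".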

Hi, based on the link above, TunRootCA2 is not listed for either iOS 8 or 9, so in theory if it fails on iOS 8 it should fail on iOS 9, which is not the case.


Is there any way to add the certificate to the phone's trusted certificates with the application, or should the certificate be issued by another certification authority (from the trusted list)?

Based on the link above, TunRootCA2 is not listed for either iOS 8 or 9, so in theory if it fails on iOS 8 it should fail on iOS 9, which is not the case.

I was testing on iOS 9 and it failed there too. It’s possible that your iOS 9 device has this CA’s certificate installed in the system trust store. If not, I have no explanation for why you’re seeing different results there.

Is there any way to add the certificate to the phone's trusted certificates with the application, or should the certificate be issued by another certification authority (from the trusted list)?

Apps can’t modify the system trust store.

A user can modify the system trust store by installing a configuration profile (either directly or via MDM).

An app can override HTTPS server trust evaluation for its connections using the techniques described in Technote 2232 HTTPS Server Trust Evaluation. The main gotcha here is App Transport Security. If you customise HTTPS server trust evaluation, you have to disable parts of ATS, which is not a good idea in general.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

