HTTPS Connection Issues Following iOS 26 Beta 6 Update

We are writing to report a critical issue we've encountered following the recent release of iOS 26 beta 6.

DevForums isn’t the right place to report problems like this. You should instead be using Feedback Assistant. For specific advice on that process, see Bug Reporting: How and Why?

Please post your bug number, just for the record.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi Quinn,

Thanks for the guidance.

I have already filed a report in Feedback Assistant for this issue, which I did at the same time as I created this post.

The Feedback ID is: FB19729881

I'd still appreciate any information or potential workarounds that might be shared here in the meantime.

Thanks again.

I have already filed FB19729881

Thanks.

It’s helpful to include bug numbers in your forums posts so that (Apple folks at least) can see the extra context.

iOS 26.0b7 (23A5326a) landed yesterday. Have you had a chance to try things out there? If not, please do, and then update your bug with your results.

Now, I just happen to have a 26.0b6 (23A5318c) device that I haven’t upgraded to b7 yet, so I thought I’d give this a try.

I created a new test project and added code like this:

do {
    print("will run task")
    let url = URL(string: "https://i.socdm.com/sdk/js/adg-script-loader-b-stg.js")!
    let request = URLRequest(url: url, cachePolicy: .reloadIgnoringLocalCacheData, timeoutInterval: 60.0)
    let (data, response) = try await URLSession.shared.data(for: request)
    let httpResponse = response as! HTTPURLResponse
    print("did run task, status: \(httpResponse.statusCode), bytes: \(data.count)")
} catch let error as NSError {
    print("did not run task, error: \(error.domain) / \(error.code)")
}

I then ran it on my test device. It failed with a TLS error. And just to be sure that this isn’t a general problem, I ran it on 18.5, device and simulator, and it worked there:

will run task
did run task, status: 403, bytes: 0

Curiously, when I run it on the iOS 26.0 simulator that comes with Xcode 26.0b6 (17A5305f), it works. That simulator identifies as build 23A5326a.

So, to summarise:

Type      | Build             | Result
----      | -----             | ------
device    | 26.0b6 (23A5318c) | NG
device    | 18.5              | OK
simulator | 18.5              | OK
simulator | 26.0b7 (23A5326a) | OK

Given that last result, I decided to upgrade my test device to 26.0b7. I was actually kinda surprised that it also failed with a TLS error. So let’s add this entry:

Type      | Build             | Result
----      | -----             | ------
device    | 26.0b7 (23A5326a) | NG

Note I was surprised because the simulator is normally pretty good about reproducing TLS errors.

Curiously, the underlying TLS error I got was -9802 (errSSLFatalAlert), whereas you’re reporting -9807 (errSSLXCertChainInvalid). It’s not uncommon to see TLS fatal alerts being synthesised by App Transport Security (ATS), so I decided to nobble ATS completely using NSAllowsArbitraryLoads. And with that I started seeing the -9807 error.

IMPORTANT Nobbling ATS is just for the sake of testing, not something that I’m proposing as part of a workaround.

After reproducing the issue I dug around in the system log, which turned up this:

type: default
time: 2025-08-19 12:46:35.354239 +0100
process: Test797299
subsystem: com.apple.securityd
category: SecError
message: Trust evaluate failure: [leaf SystemTrustedCTRequired]

This suggests that your server’s leaf certificate is missing the required Signed Certificate Timestamps (SCT).

Now, at this point we kinda run off my ability to easily debug things. I don’t have a lot of practical experience with debugging CT issues, so I’m not sure how to check whether this is an issue with iOS or with your CT setup.

I recommend that you ask the folks who issued your certificate to double check that it’s SCTs meet Apple’s requirements. Which, as far as I know, are still the ones documented in Apple's Certificate Transparency policy.

If not, that’s an issue for you to fix on your side. But if you confirm that your CT setup is OK, add the evidence of that to your bug report so that our engineering teams have a place to start.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi Quinn,

Thank you very much for your detailed investigation and report.

As you suggested, we are now preparing to contact our Certificate Authority (CA). In the meantime, while we await their response, we have conducted our own preliminary investigation into the SCTs, and we would like to share our methodology and findings.

Our goal was to verify if the SCT Log IDs served by i.socdm.com are included in the trusted CT log lists provided by Apple and Google.

Our verification process is as follows:

Extract the Log IDs from the server's certificate chain and convert them to Base64.

Check for the presence of these Base64 Log IDs within the official log lists from Apple and Google.

Commands and References Used:

Log ID Extraction Command:

domain="i.socdm.com"
log_ids=$(echo | openssl s_client -servername "$domain" -connect "$domain:443" 2>/dev/null | \
          openssl x509 -text -noout | \
          awk '/Log ID/{sub(/.*: /,""); printf "%s", $0; getline; sub(/^[ \t]+/, ""); print}' | \
          tr -d ':')
while IFS= read -r hex_id; do
    base64_id=$(echo "$hex_id" | xxd -r -p | base64)
    echo $base64_id
done <<< "$log_ids"

Apple: https://valid.apple.com/ct/log_list/current_log_list.json

Google: https://www.gstatic.com/ct/log_list/v3/log_list.json

Preliminary Findings:

Based on our current understanding and the verification method described above, it appears that the extracted Log IDs are present in both Apple's and Google's trusted lists. However, we are not certain if our verification method is exhaustive, which is one of the reasons we are also consulting our CA.

Next Steps:

We will continue our investigation into the CT configuration. However, as you noted, debugging CT issues can be complex, and we anticipate challenges.

Given this, we would appreciate it if your team could continue to investigate the possibility of an issue within iOS itself.

We will update the bug report (FB19729881) as soon as we have a response from our CA or any further findings from our side.

Thank you for your continued support.

First up, I want to pass along a big “thank you” from the folks who manage our CT infrastructure. Your bug let them quickly identify the root cause of this issue, which is a configuration problem at our end O-:

The timing of this is a bit tricky. I can’t predict the future, obviously, but there may be a short window (weeks not months) between the release of iOS 26 and the release of this fix where your customers are affected by the issue. If that’s likely to cause you significant grief, you’ll need a workaround.

To understand the workaround I need to explain a little bit about the bug…

The bug you’ve found means that iOS won’t trust certificates issued by your CA in the 8 hours between 2026-07-01 00:00:00 GMT and 2026-07-01 08:00:00 GMT. And lo! your server’s certificate just happens to expire in that range:

% openssl x509 -inform der -in leaf.cer -text
…
        Validity
            Not Before: May 30 06:03:02 2025 GMT
            Not After : Jul  1 06:03:01 2026 GMT
…

That’s just bad luck )-:

The workaround is to ask your CA to issue you a new certificate that expires outside of that window. Once you update your servers to use that, you’ll no longer see this failure.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi Quinn,

Thank you for your investigation and for providing a clear explanation of the root cause. We appreciate the detailed analysis and the suggested workaround.

Following up on the original point of investigation, we consulted our Certificate Authority regarding SCT compliance with Apple's policy. They have confirmed that our certificate is indeed compliant. Therefore, we are hopeful that the workaround you've proposed will be successful in resolving this issue.

Next Steps: Based on your recommendation, we will initiate the process with our CA to request a new server certificate with a Not After date that falls outside the problematic 8-hour window on July 1, 2026.

As this process will require some time to complete, we will provide an update in this thread as soon as the new certificate is deployed and we have had the opportunity to validate the results.

Thank you again for your continued support on this matter.

Hi Quinn,

While we await the issuance of the new certificate, we would like to confirm a couple of points to deepen our understanding of this issue.

First, is there any possibility that this bug will be fixed in a version later than beta8?

Second, to verify that this is an issue specific to a certain period, would you be able to provide any other FQDNs and requestable URLs that are known to exhibit the same problem, aside from the one we have already presented?

Thank you for your continued support.

is there any possibility that this bug will be fixed in a version later than beta8?

I have to be careful when talking about The Future™. I’m not allowed to pre-announce stuff, which means that I can’t even say whether there will or won’t be an iOS 26.0b8.

To further muddy the waters, fixes like this don’t necessarily need to ship as part of the OS. Apple has the ability to push over-the-air updates for security-related stuff.

So, I was deliberately vague in my previous response, and I’m not able to be less vague here. Sorry.

would you be able to provide any other FQDNs and requestable URLs that are known to exhibit the same problem, aside from the one we have already presented?

No. My understanding is that this issue will affect any certificate issued by your CA in the 8 hours window. I don’t have such a list, and it’s not something I can research on your behalf.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi Quinn,

Thank you for the detailed and clear response.

We completely understand the restrictions around discussing future releases and the scope of your support. Your explanation regarding the potential for an OTA update was very helpful.

We have all the information we need for now and will proceed with the workaround by issuing a new certificate.

Thanks again for all your help.

Hi Quinn,

Just a quick follow-up to let you know that we have finally resolved the issue.

Following your advice, we initiated the process with our CA to issue a new certificate with an expiry date outside the problematic 8-hour window. It took us a while to get the new certificate fully deployed through our release process, but we can now confirm that everything is working as expected.

Your clear explanation and guidance were essential for us to resolve this tricky issue. Thank you again for your excellent support.

Best regards,