Handshake failed, our iOS app is unusable

Our app is no longer able to connect to our API via HTTP, we get the following error:

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)


When testing our cert with ssllabs.com we get a handshake failure with Apple ATS 9 / iOS 9.


As far as we can tell, this problem started on Friday, our app has been live for a few months and this is the first time we've encountered this issue.


We are using a self-signed GeoTrust Global CA certificate, which is listed under the Trusted certificates here:

https://support.apple.com/en-us/HT208125


We had already planned on replacing the GeoTrust cert due to Chrome distrusting Symantec certs in the update in April, I wanted to make sure that replacing that cert would fix this issue as well.


Please help, our app is currently completely unusable until we resolve this.

The fail involves testing on a device, not simulator, right?


When did the GTG CA cert. first go live on your system?


> HTTP load failed


Apple said this about that over a year ago:

"App Transport Security (ATS) enforces best practices in the secure connections between an app and its back end. ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt; it is also on by default in iOS 9 and OS X v10.11. You should adopt ATS as soon as possible, regardless of whether you’re creating a new app or updating an existing one.
If you’re developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible. In addition, your communication through higher-level APIs needs to be encrypted using TLS version 1.2 with forward secrecy. If you try to make a connection that doesn’t follow this requirement, an error is thrown. If your app needs to make a request to an insecure domain, you have to specify this domain in your app’s Info.plist file."


'ASAP' may have come and gone.

Error -9824 is errSSLPeerHandshakeFail, which can happen for many different reasons.

> As far as we can tell, this problem started on Friday, our app has been live for a few months and this is the first time we've encountered this issue.

This is very likely to be a server configuration problem; this part of iOS does change frequently, but I can’t think of any iOS change that matches the timeframe you’re talking about.

> I wanted to make sure that replacing that cert would fix this issue as well.

It’s hard to give such reassurances without knowing more about the problem.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Replacing the SSL certificate fixed it, we had already planned on doing this to accommodate the changes to Chrome and it seems to be connecting with no issues with the new certificate.
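For readers debugging a similar failure, the ATS requirement quoted earlier in the thread (TLS 1.2 with forward secrecy) can be checked from a workstation with a client restricted to those settings. This is an added example, not code from any poster in the thread; the function names are hypothetical, and it assumes "forward secrecy" means an ECDHE key exchange.

```python
import socket
import ssl


def meets_ats_baseline(version, cipher):
    """Return (ok, reason) for a negotiated protocol version and cipher name.

    Assumption: forward secrecy is judged by an ECDHE key exchange in the
    suite name (OpenSSL style "ECDHE-..." or IANA style "TLS_ECDHE_...").
    """
    if version == "TLSv1.3":
        # Every TLS 1.3 suite uses an ephemeral key exchange.
        return True, "TLS 1.3 (forward secrecy built in)"
    if version != "TLSv1.2":
        return False, f"{version} is older than TLS 1.2"
    if cipher.startswith(("ECDHE-", "TLS_ECDHE_")):
        return True, "TLS 1.2 with ECDHE key exchange"
    return False, f"{cipher} has no forward secrecy"


def probe(host, port=443, timeout=5.0):
    """Handshake with a client limited to TLS 1.2+ and ECDHE suites.

    A server that cannot satisfy those limits, or whose certificate chain
    does not verify against the local trust store, raises ssl.SSLError
    instead of connecting; the error text says which step failed.
    """
    ctx = ssl.create_default_context()          # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE")                    # TLS 1.2 suites: ECDHE only
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                version, cipher = tls.version(), tls.cipher()[0]
    except (ssl.SSLError, OSError) as exc:
        return False, f"handshake failed: {exc}"
    return meets_ats_baseline(version, cipher)


if __name__ == "__main__":
    import sys
    # Usage: python ats_probe.py api.example.com   (placeholder host name)
    for name in sys.argv[1:]:
        print(name, *probe(name))
```

The local trust store and OpenSSL build differ from iOS, so a pass here narrows the problem down but does not prove the device will connect.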
