CFNetwork SSLHandshake failed (-9824)

Hi

I have been getting this error:

CFNetwork SSLHandshake failed (-9824)

This only seems to happen when using 3G. Over wifi I have not been getting it. Even with 3G the initial requests are fine, then it seems to give up and starts throwing these errors.

I am using $http to do the requests and they are over ssl.

I have also allowed NSAllowsArbitraryLoads - not that I think this should make any difference as it is over ssl already

Any help much appreciated

Thanks

Matthew

Not all SSL connections are the same. In OSX 10.11 you can run
/usr/bin/nscurl --ats-diagnostics [--verbose] URL
to test the connection to your server to diagnose.

yep - I have seen that - any options if not on el capitan yet?

See this post: Ios 9.0.1: $http requests to server that supports TLS v1.2 with valid certificate result in CFNetwork SSLHandshake failed

TLS1.2 and Forward Secrecy are needed. On https://ssllabs.com/ssltest you can diagnose your secure server connection.

Thanks for your help!

I think I have got this working now - need to do more testing but for reference my plist looks like this:

<key>NSAppTransportSecurity</key>
<dict>
  <key>NSExceptionDomains</key>
  <dict>
    <!-- per-domain exceptions are nested inside NSExceptionDomains -->
    <key>domain.com</key>
    <dict>
      <key>NSExceptionMinimumTLSVersion</key>
      <string>TLSv1.2</string>
      <key>NSExceptionRequiresForwardSecrecy</key>
      <true/>
    </dict>
  </dict>
</dict>

The other thing about this was it only really showed as a problem when using a mobile/cell connection. Over wifi i.e. via emulator it was fine.

BTW it is easier to edit the plist via Xcode than editing the raw XML!

Well, that might indicate data plan issues. No data connection over 3G, while data connection over wifi is working.
Or, which I think is more likely, an access control list issue. Your server might be accessible from wifi and desktop/laptop (emulators) because they reside in the same (company) network, but is not from other IP ranges (mobile/cell).
The plist changes you made also indicate this, because these are the default settings (forwardsecrecy=true, minimumtls = 1.2) which can be omitted.

You’re absolutely right. Although when editing XML you can use ‘plutil’ to validate the syntax.

I found this yesterday too: https://forums.developer.apple.com/thread/13472 not sure it is still valid.

Also, I’ll put this in for others: you can use curl instead of nscurl to get similar information about your server, e.g.

curl -v https://domain.com
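
An added example, not part of the original thread: a Python check of an Info.plist's NSAppTransportSecurity section for the settings discussed above (NSAllowsArbitraryLoads, minimum TLS version, forward secrecy) and for domain entries placed outside NSExceptionDomains, which a plutil syntax check does not catch. The sample plist and the domain legacy.example are constructed for illustration.

```python
import plistlib

# Top-level keys Apple documents for the NSAppTransportSecurity dictionary.
KNOWN_ATS_KEYS = {
    "NSAllowsArbitraryLoads", "NSAllowsArbitraryLoadsForMedia",
    "NSAllowsArbitraryLoadsInWebContent", "NSAllowsLocalNetworking",
    "NSExceptionDomains", "NSPinnedDomains",
}
TLS_ORDER = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def audit_ats(plist_bytes):
    """Return findings for the ATS section of an XML or binary Info.plist."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append("NSAllowsArbitraryLoads=true: ATS is off for every "
                        "domain without its own exception entry")
    for key in ats:
        if key not in KNOWN_ATS_KEYS:
            findings.append(f"{key}: not an ATS key here; per-domain "
                            "entries belong inside NSExceptionDomains")
    for domain, exc in ats.get("NSExceptionDomains", {}).items():
        min_tls = exc.get("NSExceptionMinimumTLSVersion", "TLSv1.2")
        if min_tls not in TLS_ORDER:
            findings.append(f"{domain}: unknown TLS version {min_tls!r}")
        elif TLS_ORDER.index(min_tls) < TLS_ORDER.index("TLSv1.2"):
            findings.append(f"{domain}: minimum TLS lowered to {min_tls}")
        if exc.get("NSExceptionRequiresForwardSecrecy", True) is False:
            findings.append(f"{domain}: forward secrecy not required")
    return findings

# Constructed sample, not taken from the thread: one weakened exception and
# one domain entry placed outside NSExceptionDomains.
SAMPLE = b"""<plist version="1.0"><dict>
<key>NSAppTransportSecurity</key>
<dict>
  <key>NSAllowsArbitraryLoads</key><true/>
  <key>NSExceptionDomains</key>
  <dict>
    <key>legacy.example</key>
    <dict>
      <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      <key>NSExceptionRequiresForwardSecrecy</key><false/>
    </dict>
  </dict>
  <key>domain.com</key><dict/>
</dict>
</dict></plist>"""

if __name__ == "__main__":
    for finding in audit_ats(SAMPLE):
        print(finding)
```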