CFNetwork SSLHandshake failed (-9824)

matpol · October 13, 2015, 5:17pm

Hi

I have been getting this error:

This only seems happen when using 3G. Over wifi I have not been getting it. Even with 3g the initial requests are fine then it seems give up and starts throwing these errors.

I am using $http to do the requests and they are over ssl.

I have also allowed NSAllowsArbitraryLoads - not that I think this should make ay difference as it is over ssl already

Any help much appreciated

Thanks

Matthew

tomkuipers · October 13, 2015, 9:37pm

Not all SSL connections are the same. In OSX 10.11 you can run
/usr/bin/nscurl --ats-diagnostics [–verbose] URL
to test the connection to your server to diagnose.

matpol · October 14, 2015, 7:07am

yep - I have seen that - any options if not on el capitan yet?

tomkuipers · October 14, 2015, 7:20am

See this post: Ios 9.0.1: $http requests to server that supports TLS v1.2 with valid certificate result in CFNetwork SSLHandshake failed

TLS1.2 and Forward Secrecy are needed. On https://ssllabs.com/ssltest you can diagnose your secure server connection.

matpol · October 14, 2015, 9:53am

Thanks for your help!

I think I have got this working now - need to do more testing but for reference my plist looks like this:

<key>NSAppTransportSecurity</key>
<dict>
  <key>NSExceptionDomains</key>
  <dict/>
  <key>domain.com</key>
  <dict>
    <key>NSExceptionMinimumTLSVersion</key>
    <string>TLSv1.2</string>
    <key>NSExceptionRequiresForwardSecrecy</key>
    <true/>
  </dict>
</dict>

The other thing about this was it only really showed as a problem when using a mobile/cell connection. Over wifi i.e. via emulator it was fine.

BTW it easier to edit the plist via xcode than editing the raw xml!

tomkuipers · October 14, 2015, 11:14am

Well, that might indicate data plan issues. No data connection over 3G, while data connection over wifi is working.
Or, which I think is more likely an access control list issue. Your server might be accessible from wifi and desktop/laptop (emulators) because they reside in the same (company) network, but is not from other IP ranges (mobile/cell).
They plist changes you made also indicate this, because these are the default settings (forwardsecrecy=true, minimumtls = 1.2) which can be omitted.

You’re absolutely right. Although when editing XML you can use ‘plutil’ to validate the syntax.

matpol · October 15, 2015, 7:17am

I found this yesterday too: https://forums.developer.apple.com/thread/13472 not sure it is still valid.

Also I’ll put this in for others you can use curl instead of nscurl to get similar information about your server e.g.

curl -v https://domain.com