ChrisStillwell February 2016

NSURLSession Fails With SSL Page Using TLS 1.2

I'm using NSURLConnection to send data to a webservice over SSL. The server is signed with a wildcard certificate (*.mydomain.com). The certificate is using RSA SHA256 and TLS 1.2 and is signed by a CA. I'm trying to send my data using the following code:

NSMutableURLRequest *req = [[NSMutableURLRequest alloc] init];
[req setTimeoutInterval:60];
[req setHTTPMethod:@"POST"];
// ... Set content type and add data to body ... //

// setURL: takes an NSURL, not an NSString
[req setURL:[NSURL URLWithString:@"https://subdomain.mydomain.com/service/"]];
NSURLSession *session = [NSURLSession sessionWithConfiguration:[NSURLSessionConfiguration defaultSessionConfiguration]];
NSLog(@"Starting Upload");
NSURLSessionDataTask *task = [session dataTaskWithRequest:req
                                        completionHandler:^(NSData *data, NSURLResponse *response, NSError *error){
    // .. Handle Completion .. //
}];

[task resume];

When I run the above code I get the following output.

CFNetwork SSLHandshake failed (-9801) 
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)

So, I tried adding the exceptions explained in this post: CFNetwork SSLHandshake failed iOS 9

But had no luck in getting the error to resolve itself. I then switched to using http instead of https, while leaving in the configuration changes explained above and it did work. However, that is far from an ideal solution. The http is fine for testing, but this app will be handling data where SSL is required. How can I get the SSL working?

Edit

Here are the results of running nscurl --ats-diagnostics on the https version of my service url

================================================================================

Default ATS Secure Connection
---
ATS Default Connection
Result : PAS        

Answers


Vejja February 2016

Verify return code: 20 (unable to get local issuer certificate)

It looks like the DigiCert Root CA is not properly loaded on your local machine. Open the Keychain Access app, and check if it is either in the Login or System Roots section.


Matthes February 2016

This answer saved my day! Turns out that ATS requires that the server support the ciphers listed in the cipher suite here. I can confirm that the suggested fix works.
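An added example, not part of the posts above: a Python check that offers a server only TLS 1.2 with the forward-secrecy suites ATS accepts by default, so a server missing them fails the handshake here the same way it does from the app. The suite list is an assumption transcribed from Apple's ATS documentation (the page refers to it but does not reproduce it), and the function names are illustrative.

```python
import socket
import ssl

# OpenSSL names for the cipher suites ATS accepts by default (all ECDHE, i.e.
# forward secrecy). Assumption: transcribed from Apple's ATS documentation,
# which this page refers to but does not reproduce.
ATS_SUITES = frozenset(
    f"ECDHE-{auth}-{enc}"
    for auth, encs in {
        "ECDSA": ("AES256-GCM-SHA384", "AES128-GCM-SHA256", "AES256-SHA384",
                  "AES256-SHA", "AES128-SHA256", "AES128-SHA"),
        "RSA": ("AES256-GCM-SHA384", "AES128-GCM-SHA256", "AES256-SHA384",
                "AES128-SHA256", "AES128-SHA"),
    }.items()
    for enc in encs
)


def ats_findings(version, cipher):
    """Return reasons a negotiated (version, cipher) pair would fail default ATS."""
    findings = []
    if version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"protocol {version} is below TLS 1.2")
    # TLS 1.3 suites always use ephemeral key exchange, so only check older versions.
    if version != "TLSv1.3" and cipher not in ATS_SUITES:
        findings.append(f"cipher {cipher} is not an ATS forward-secrecy suite")
    return findings


def ats_context():
    """Client context that offers only TLS 1.2 with the ATS suites listed above."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(sorted(ATS_SUITES)))
    return ctx


def probe(host, port=443, timeout=10):
    """Handshake with the ATS-like offer; returns (version, cipher) or (None, error)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ats_context().wrap_socket(raw, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except ssl.SSLError as exc:  # no shared suite, or a certificate chain problem
        return None, str(exc)
```

`probe("subdomain.mydomain.com")` needs network access; `ats_findings` can also be applied to a protocol and cipher pair recorded by another tool, for example one that reports a plain `DHE-RSA` suite, which is forward-secret but not on the ATS list.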

Post Status

Asked in February 2016
Viewed 1,881 times
Voted 5
Answered 2 times
