'An SSL error has occurred and a secure connection to the server cannot be made' with verified certificate

Tags:

ios

https

ssl

I get the following error message (which is identical on every try):

2016-07-20 20:09:28.013 MyApp[1140:374263] CFNetwork SSLHandshake failed (-9806) 2016-07-20 20:09:28.014 MyApp[1140:374263] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9806) error=Optional(Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9806, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x154dda750 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9806, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9806}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://example.com:8080/api/login, NSErrorFailingURLStringKey=https://example.com:8080/api/login, _kCFStreamErrorDomainKey=3})

The certificate is a validated one provided by letsencrypt. I have tested my web server configuration over and over, and everything seems to be like it should.

Running the command openssl s_client -connect example.com:8080/api/login -tls1_2 gives all the expected results:

- It verifies the authority as DST Root CA X3, which is included in Apple's root CA list

- The return code is Verify return code: 0 (ok)

I have also run several SSL diagnostic tool websites, such as DigiCert's, which have given no errors.

I can load the domain from Safari ON the iOS device, as well as chrome from my computer without having to accept "untrusted certificates".

Any suggestions?

Simen Tjøtta Vie asked Oct 19 '22 05:10


1 Answer

In case anyone encounters the same problem, I'll answer my own question. At the time of the question, Let's Encrypt (the CA of the certificate used) did not support forward secrecy for their HTTPS certificates (at least not the one I got). Apple by default required this in the iOS version used at that time (I believe it was around 9.5, but I might be mistaken here).

To get around the requirement of forward secrecy, this can be specified in the Info.plist under domain exceptions.

<key>NSAppTransportSecurity</key>
<dict>
  <key>NSExceptionDomains</key>
  <dict>
    <key>example.com</key>
    <dict>
      <key>NSTemporaryExceptionRequiresForwardSecrecy</key>
      <false/>
    </dict>
  </dict>
</dict>

Sometime along the road, they changed this to default to false. I am not sure when this was, but after iOS 10.0 it was never a problem.

Simen Tjøtta Vie answered Oct 29 '22 18:10
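The -9806 handshake failure in the question is what ATS reports when the server's negotiated cipher suite does not meet its requirements (TLS 1.2 or newer and an ECDHE key exchange, which is what gives forward secrecy). Before adding the NSTemporaryExceptionRequiresForwardSecrecy exception above, which switches that protection off for the domain, it is worth confirming what the server actually negotiates. The script below is an added example, not part of the original post: it parses the SSL-Session block printed by openssl s_client and reports whether the negotiated protocol and cipher satisfy ATS. The sample outputs are constructed; probe() is a hypothetical wrapper that runs the same s_client command as the question (note that -connect takes host:port only, the URL path plays no part in the handshake).

```shell
#!/bin/sh
# Constructed samples of the SSL-Session block that openssl s_client prints.
# The first server negotiates an ECDHE suite (forward secrecy); the second uses
# plain RSA key exchange; the third is stuck on TLS 1.0. All three are made up.
SAMPLE_FS='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'
SAMPLE_NO_FS='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA'
SAMPLE_OLD_TLS='SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA'

# Reads s_client output on stdin. Prints "ok: <proto> <cipher>" and returns 0
# when the negotiated suite satisfies ATS; otherwise prints the reason and
# returns 1 (that is the configuration that produces the -9806 error).
ats_check() {
  out=$(cat)
  proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
  cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
  case "$proto" in
    TLSv1.2|TLSv1.3) ;;
    *) echo "fail: protocol '$proto' (ATS requires TLS 1.2 or newer)"; return 1 ;;
  esac
  case "$cipher" in
    ECDHE-*) ;;   # OpenSSL names ECDHE suites with this prefix
    TLS_*) ;;     # TLS 1.3 suites always use an ephemeral key exchange
    *) echo "fail: cipher '$cipher' has no ECDHE key exchange (no forward secrecy)"; return 1 ;;
  esac
  echo "ok: $proto $cipher"
}

# Hypothetical live probe (needs network): host:port as in the question, e.g.
# probe example.com:8080. SNI is sent so the right certificate is selected.
probe() {
  openssl s_client -connect "$1" -servername "${1%%:*}" -tls1_2 </dev/null 2>/dev/null \
    | ats_check
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_FS"      | ats_check
printf '%s\n' "$SAMPLE_NO_FS"   | ats_check
printf '%s\n' "$SAMPLE_OLD_TLS" | ats_check
```

If the check fails for a server you control, enabling ECDHE cipher suites and TLS 1.2 on the server fixes the handshake without any Info.plist exception; the certificate itself is not what ATS is objecting to.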