kCFStreamErrorDomainSSL, -9802 when connecting to a server by IP address through HTTPS in iOS 9

Question

We have an iOS app that connects to our server through HTTPS. When the app is built with the new iOS 9 SDK and ran under iOS 9, the following error occurs:

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)

The app uses AFNetworking 1.3.4 with pinned certs. The problem occurs if I connect to the server with its IP address. It works if I add the NSAllowsArbitraryLoads config, or if I connect to the server with its domain name.

The Tomcat connector is configured with sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2".

I have tried overriding the host name but it doesn't seem to change anything.

I can't find much official documentation on ATS yet. Maybe connecting with IP address is not supposed to work?

Answer 1

iOS9 requires the server to only support TLSv1.2 and support perfect forward security.

Also required is for the app to support IPV6 including not using hard-coded IP addresses. Suggested is to use NSURLSession. Otherwise exception additions must be made in the app plist.

See the WWDC-15 session "Security and your Apps".

Also see Steven Peterson's Blog for details.

Answer 2

You can add this in your "Info.plist" file, it will allow non secured connections:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

Answer 3

I found another stack overflow answer with a checklist of the exact new requirements on the server to full fill the iOS 9 default App Transport Security requirements: iOS 9 Security Server requirements Checklist

Hope that helps.

Answer 4

I got stuck on this one for a while and tried all the tricks in Info.plist but still had the error:

HTTP load failed (kCFStreamErrorDomainSSL, -9813)

when trying to connect to a localhost server in development.

Developing locally with a react native project connecting to an API served with a self signed certificate I had my system set to trust the certificate but it took me a while to realise that I also needed the IOS simulator to accept my cert as trusted to get past this error.

In the home screen of your simulator you should be able to drag the cert file into the simulator to prompt it to add the certificate profile. Or, if the certificate is accessible through a localhost url in the simulator's safari browser you may be able to accept it through safari.

Hope this helps someone as I went around in circles before it clicked for me!

Answer 5

Solution 1 :

If you’re looking for work around then use below approach :

1. Add NSAllowsArbitraryLoads key of type boolean with value true.

Your Info.plist file should look like this :

However, this approach is not recommended since it allows all unsecure connection.

Solution 2 :

The SSL certificate that you apply on Server should be of type TLSv2.0 minimum since iOS 10 requires this. Check this link for detail.

1. Add NSIncludesSubdomains key of type boolean with value true
2. Add NSTemporaryExceptionAllowsInsecureHTTPLoads key of type boolean with value true
3. Add NSTemporaryExceptionMinimumTLSVersion key of type String with value TLSv1.2

Your Info.plist file should look like this :