7

Getting an intermittent SSL error on iOS. I've turned off ATS, and we know this happens on OS versions < iOS 9 as well.

Error Domain=NSURLErrorDomain Code=1011 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorCodeKey=-9806 NSErrorFailingURLStringKey=, _kCFStreamErrorDomainKey=3, NSUnderlyingError=0x1471b600

From our Crittercism logs, it seems like some users are able to replicate this, but we have not been able to.

"Would you like to connect to the server anyway?" <-- this makes me suspect that there was an authentication challenge. How can I verify that?

kCFStreamErrorCodeKey=-9806 <-- does anyone know what this error means?

Edit:

-9806 means errSSLClosedAbort http://www.opensource.apple.com/source/Security/Security-55179.13/libsecurity_ssl/Security/SecureTransport.h

What can cause this? I don't think this is due to a spotty network because, from our tracking tools, SSL connections to other hosts seem OK. And when a user hits this issue, it is reproducible. It seems to me like we need to inspect the failure with Wireshark to get further information, but we have not been able to reproduce this. Does anyone have ideas for logging more information from apps in the wild to debug this?

asked Feb 10, 2016 at 3:25
8
  • Are you sure the certificate is valid and not a self-signed cert? Commented Feb 10, 2016 at 13:26
  • Yes, we've inspected the certificates. I have to mention that this is reproducible by some of our users in the wild, but we can't reproduce it ourselves :/ Commented Feb 10, 2016 at 17:04
  • Do you have multiple servers serving the request? Commented Feb 15, 2016 at 16:47
  • Can you provide the server name so we can try to hit it and look at the cert ourselves? Commented Feb 15, 2016 at 21:23
  • @allen Yes, there are 3, and all 3 server certs have been set up correctly. Commented Feb 16, 2016 at 6:25

2 Answers

2
+100

The server SSL certificate is failing the built-in certificate validation. It is up to you to decide how to handle this and present a correct remediation to the user. This can happen for many reasons.

SSL trust evaluation is described in detail in Technical Note 2232: SSL Trust Evaluation.

answered Feb 16, 2016 at 4:12

1 Comment

We ran this command, nscurl --ats-diagnostics https://filename.hostname.net --verbose, as per this [post](stackoverflow.com/questions/36331623/…), and every case passed, but we are still facing this intermittent SSL error. Any thoughts?
0

I've had similar errors in a few scenarios:

  • The server was getting accessed via https://www.domainname.com instead of https://domainname.com (note the "www."), in which case how I signed the cert was making it invalid. (I later found how to make the cert valid for both addresses and used the virtualHost and htaccess to always push to www.jeremiedaigle.com.)
  • I had a load bearing server which was improperly set up. One of the servers had the cert, the other didn't.
  • Last, I have also encountered this issue when debugging and trying to use a self-signed cert because I was using a proxy (CharlesProxy) middleman to debug my requests. The middleman cert, in this case, had to be trusted by the device. You can do this by sending the cert via email and opening it on the device.
answered Feb 15, 2016 at 21:21
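
The multi-server and www-versus-apex cases raised in the answer above, and the question's "only some users, but reproducible for them" symptom, can be checked from a workstation by handshaking with every address repeatedly and comparing outcomes. This is an added example, not code from the question or either answer; the function names, the outcome strings and the default of 10 probes per address are this example's own choices.

```python
import hashlib
import socket
import ssl
from collections import Counter

def backend_ips(host, port=443):
    """Distinct addresses the name resolves to (DNS round-robin backends)."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def probe(ip, host, port=443, timeout=5.0):
    """One validated handshake against a specific address, with `host` as SNI."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                return "ok sha256=" + hashlib.sha256(der).hexdigest()[:16]
    except ssl.SSLCertVerificationError as exc:
        return "cert-invalid: " + exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        # Includes a peer that drops the connection mid-handshake.
        return "handshake-failed: " + type(exc).__name__

def survey(names, rounds=10):
    """Repeat probes so a load balancer behind one address shows each backend."""
    results = {}
    for host in names:
        for ip in backend_ips(host):
            results[(host, ip)] = Counter(probe(ip, host) for _ in range(rounds))
    return results

def findings(results):
    """Endpoints that ever failed, or that answered differently between probes."""
    out = []
    for (host, ip), outcomes in sorted(results.items()):
        if len(outcomes) > 1 or any(not o.startswith("ok ") for o in outcomes):
            out.append((host, ip, dict(outcomes)))
    return out

if __name__ == "__main__":
    import sys
    for host, ip, outcomes in findings(survey(sys.argv[1:])):
        print(host, ip, outcomes)
```

Pass both spellings of the site name as arguments (apex and www.) so a certificate that covers only one of them shows up as `cert-invalid`; an address that mixes `ok` with failures or shows two fingerprints points at one misconfigured server behind it.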
