kCFStreamErrorDomainSSL, -9802 when connecting to a server by IP address through HTTPS in iOS 9

5

23

We have an iOS app that connects to our server through HTTPS. When the app is built with the new iOS 9 SDK and run under iOS 9, the following error occurs:

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)

The app uses AFNetworking 1.3.4 with pinned certs. The problem occurs if I connect to the server with its IP address. It works if I add the NSAllowsArbitraryLoads config, or if I connect to the server with its domain name.

The Tomcat connector is configured with sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2".

I have tried overriding the host name but it doesn't seem to change anything.

I can't find much official documentation on ATS yet. Maybe connecting with IP address is not supposed to work?

Outmaneuver answered 11/6, 2015 at 10:43 Comment(1)
possible duplicate of NSURLSession/NSURLConnection HTTP load failed - Picnic
29

iOS9 requires the server to only support TLSv1.2 and support perfect forward security.

Also required is for the app to support IPv6 including not using hard-coded IP addresses. Suggested is to use NSURLSession. Otherwise exception additions must be made in the app plist.

See the WWDC-15 session "Security and your Apps".

Also see Steven Peterson's Blog for details.

Trutko answered 11/6, 2015 at 11:13 Comment(6)
Great blog reference +1! - Semirigid
Definitely read that blog post. Toward the end he explains how to disable this and why you probably shouldn't. - Isoagglutinin
How about internal testing when you want to connect the app to a server on the internal network by IP (which does not have SSL)? - Moraceous
You have to white-list the IP. Or you could join those who support security and set up SSL. - Trutko
My server does support TLS 1.2. I have added an exception (including subdomains) to only bypass forward secrecy, and I still get this very error (kCFStreamErrorDomainSSL, -9802) - Reinhard
@NicolasMiari did you find a solution to this? On my iOS 9 test devices, it builds out and works, but on my iOS 10 device, I get the error you posted. I've tried everything that I have seen on SO (that I'm aware of) and nothing will allow the app to connect. I just load my splash screen and get the error you posted. - Adduce
5

You can add this to your "Info.plist" file; it will allow non-secured connections:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>
Brunhilda answered 27/10, 2015 at 6:32 Comment(0)
3

I found another Stack Overflow answer with a checklist of the exact new requirements on the server to fulfill the iOS 9 default App Transport Security requirements: iOS 9 Security Server requirements Checklist

Hope that helps.

Aubrey answered 20/8, 2015 at 10:25 Comment(0)
2

I got stuck on this one for a while and tried all the tricks in Info.plist but still had the error:

HTTP load failed (kCFStreamErrorDomainSSL, -9813)

when trying to connect to a localhost server in development.

Developing locally with a React Native project connecting to an API served with a self-signed certificate, I had my system set to trust the certificate, but it took me a while to realise that I also needed the iOS simulator to accept my cert as trusted to get past this error.

In the home screen of your simulator you should be able to drag the cert file into the simulator to prompt it to add the certificate profile. Or, if the certificate is accessible through a localhost URL in the simulator's Safari browser, you may be able to accept it through Safari.

Hope this helps someone as I went around in circles before it clicked for me!

Pitta answered 23/9, 2016 at 11:28 Comment(0)
1

Solution 1:

If you’re looking for a workaround, then use the approach below:

  1. Add NSAllowsArbitraryLoads key of type boolean with value true.

Your Info.plist file should look like this:

[Screenshot 1]

However, this approach is not recommended since it allows all insecure connections.

Solution 2:

The SSL certificate that you apply on the server should be of type TLSv2.0 minimum since iOS 10 requires this. Check this link for details.

  1. Add NSIncludesSubdomains key of type boolean with value true
  2. Add NSTemporaryExceptionAllowsInsecureHTTPLoads key of type boolean with value true
  3. Add NSTemporaryExceptionMinimumTLSVersion key of type String with value TLSv1.2

Your Info.plist file should look like this:

[Screenshot 2]

Rhythmical answered 25/7, 2017 at 9:37 Comment(0)
