如何找出我的SSL设置有什么问题？

Question

I have a Windows server, with the proper SSL trust chain. On this server runs a nodejs signaling server for my voip app. I used to run the nodejs server on CentOS, but it was migrated to windows not too long ago. I had disabled SSL in the app for the time being, but now that I enable it again I can't connect with the message "CFNetwork SSLHandshake failed (-9824)".

I understand nobody can help me with finding out what's wrong, but I expected a more descriptive message from apple. 9824 Just means "handshake failed" and the device logs reveal nothing special. I added:

setenv("CFNETWORK_DIAGNOSTICS", "3", 1);

And checked the logs that it produced, but it only told me that the handshake failed :/ I tried adding

CFReadStreamSetProperty(readStream, kCFStreamSSLValidatesCertificateChain, kCFBooleanFalse);
CFWriteStreamSetProperty(writeStream, kCFStreamSSLValidatesCertificateChain, kCFBooleanFalse);

to the socket initialization to see if that allowed me to connect, but it didn't. I also added that weird info.plist snippet to allow TLS1.0 instead of TLS1.2 on iOS9, but even that didn't change anything.

So my question: How the hell do I get enough information to start debugging this mess? I get that the handshake failed, Apple, but I'd like to know WHY it failed...

Edit: sorry for bad formatting, I'm in a hurry :)

Here is my socket init code:

APP.onlineUsers = [[NSMutableArray alloc] init];

self.didOpenInputStream = NO;
self.didOpenOutputStream = NO;

self.messageQueue = [[NSMutableArray alloc] init];

CFReadStreamRef readStream;
CFWriteStreamRef writeStream;

NSInputStream* inputStream;
NSOutputStream* outputStream;

CFStreamCreatePairWithSocketToHost(NULL, (__bridge CFStringRef)serverUrl, (uint)serverPort, &readStream, &writeStream);

CFReadStreamSetProperty(readStream, kCFStreamPropertyShouldCloseNativeSocket, kCFBooleanTrue);
CFWriteStreamSetProperty(writeStream, kCFStreamPropertyShouldCloseNativeSocket, kCFBooleanTrue);

CFReadStreamSetProperty(readStream, kCFStreamSSLValidatesCertificateChain, kCFBooleanFalse);//tried without this as well
CFWriteStreamSetProperty(writeStream, kCFStreamSSLValidatesCertificateChain, kCFBooleanFalse);//tried without this as well

CFReadStreamSetProperty(readStream, kCFStreamPropertySocketSecurityLevel, kCFStreamSocketSecurityLevelSSLv3);//tried v2 this as well
CFWriteStreamSetProperty(writeStream, kCFStreamPropertySocketSecurityLevel, kCFStreamSocketSecurityLevelSSLv3);//tried v2 this as well

inputStream = (__bridge_transfer NSInputStream*)readStream;
outputStream = (__bridge_transfer NSOutputStream*)writeStream;

[inputStream setProperty:NSStreamNetworkServiceTypeVoIP forKey:NSStreamNetworkServiceType];

[inputStream setDelegate:self];
[outputStream setDelegate:self];

self.runLoop = [NSRunLoop currentRunLoop];

[inputStream scheduleInRunLoop:self.runLoop forMode:NSDefaultRunLoopMode];
[outputStream scheduleInRunLoop:self.runLoop forMode:NSDefaultRunLoopMode];

[inputStream open];
[outputStream open];

self.inputStream = inputStream;
self.outputStream = outputStream;

Answer 1

Most likely the problem is that your server is not "ATS compliant". ATS brings enforced security to the device starting with iOS 9 resp. OS X 10.11. Especially you need

• TLS 1.2 on server side,
• a certificate not encrypted with SHA (without 2).

If your server does not fulfill this requirements you can turn ATS off for this server as described here .