
Intermittent SSL Error

I'm getting an intermittent SSL error on iOS. I've turned off ATS, and we know this happens on OS versions < iOS 9 as well.

Error Domain=NSURLErrorDomain Code=1011 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorCodeKey=-9806 NSErrorFailingURLStringKey=, _kCFStreamErrorDomainKey=3, NSUnderlyingError=0x1471b600

From our Crittercism logs, it seems like some users are able to reproduce this, but we have not been able to.

"Would you like to connect to the server anyway?" <-- this makes me suspect that there was an authentication challenge. How can I verify that?

kCFStreamErrorCodeKey=-9806 <-- does anyone know what this error means?

Edit:

-9806 means errSSLClosedAbort http://www.opensource.apple.com/source/Security/Security-55179.13/libsecurity_ssl/Security/SecureTransport.h

What can cause this? I don't think this is due to a spotty network, because from our tracking tools, SSL connections to other hosts seem OK, and when a user hits this issue, it is reproducible. It seems to me like we need to inspect the failure with Wireshark to get further information, but we have not been able to reproduce this. Does anyone have ideas on logging more information from apps in the wild to debug this?

The server SSL certificate is failing the built-in certificate validation. It is up to you to decide how to handle this and present a correct remediation to the user. This can happen for many reasons.

SSL trust evaluation is described in detail in Technical Note 2232: SSL Trust Evaluation.
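To act on this answer, and to answer the question's two practical points (confirming that an authentication challenge actually occurred, and logging more than the bare -9806 from devices in the wild), the following is an added example, not code from the question or either answer. It is an NSURLSession delegate that intercepts the server-trust challenge, runs the system trust evaluation itself, logs the verdict and the certificate chain the server presented, and then hands the decision back to the default handling rather than bypassing validation. It uses only public Foundation and Security.framework calls; the logging sink (NSLog here, where a real app would use its crash-reporting SDK) and the helper names are assumptions. If this callback never fires for a failing request, the handshake was torn down before trust evaluation, which is the other thing errSSLClosedAbort can mean.

```objectivec
// Added example: log the details of the TLS server-trust challenge so that
// a failure seen only in the field can be diagnosed from the logs.
// Assumes iOS 7+ (NSURLSession); SecTrustEvaluate is the pre-iOS 12 API that
// matches the era of the question.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

@interface TrustLoggingDelegate : NSObject <NSURLSessionDelegate>
@end

// Readable name for the trust result, for the logs.
static NSString *TrustResultName(SecTrustResultType r) {
    switch (r) {
        case kSecTrustResultProceed:                 return @"Proceed (user explicitly trusted)";
        case kSecTrustResultUnspecified:             return @"Unspecified (valid per system trust)";
        case kSecTrustResultRecoverableTrustFailure: return @"RecoverableTrustFailure";
        case kSecTrustResultFatalTrustFailure:       return @"FatalTrustFailure";
        case kSecTrustResultDeny:                    return @"Deny";
        case kSecTrustResultInvalid:                 return @"Invalid";
        case kSecTrustResultOtherError:              return @"OtherError";
        default: return [NSString stringWithFormat:@"%u", (unsigned)r];
    }
}

@implementation TrustLoggingDelegate

- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler
{
    NSURLProtectionSpace *space = challenge.protectionSpace;
    // This callback firing at all confirms an authentication challenge occurred;
    // the method tells us whether it is the TLS server-trust challenge.
    NSLog(@"Auth challenge for %@:%ld method=%@",
          space.host, (long)space.port, space.authenticationMethod);

    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }

    SecTrustRef trust = space.serverTrust;
    SecTrustResultType result = kSecTrustResultInvalid;
    OSStatus status = SecTrustEvaluate(trust, &result);
    NSLog(@"SecTrustEvaluate status=%d result=%@", (int)status, TrustResultName(result));

    // Log the chain exactly as the server sent it. A load-balanced node that is
    // missing its certificate or intermediate, or a leaf issued for a different
    // host name (www vs. bare domain), shows up here.
    CFIndex count = SecTrustGetCertificateCount(trust);
    for (CFIndex i = 0; i < count; i++) {
        SecCertificateRef cert = SecTrustGetCertificateAtIndex(trust, i);
        NSString *summary = CFBridgingRelease(SecCertificateCopySubjectSummary(cert));
        NSLog(@"  chain[%ld] subject=%@", (long)i, summary);
    }

    // SecTrustCopyProperties names the specific failure (hostname mismatch,
    // expired, untrusted root) for each certificate that did not validate.
    NSArray *props = CFBridgingRelease(SecTrustCopyProperties(trust));
    for (NSDictionary *p in props) {
        NSString *err = p[(__bridge id)kSecPropertyTypeError];
        if (err) {
            NSLog(@"  %@: %@", p[(__bridge id)kSecPropertyTypeTitle], err);
        }
    }

    // Do not weaken validation: let the system decide. Returning
    // [NSURLCredential credentialForTrust:trust] here would accept any cert.
    completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
}

@end

// Usage: route a session's challenges through the logging delegate.
NSURLSession *MakeTrustLoggingSession(void) {
    TrustLoggingDelegate *delegate = [TrustLoggingDelegate new];
    NSURLSessionConfiguration *cfg = [NSURLSessionConfiguration defaultSessionConfiguration];
    return [NSURLSession sessionWithConfiguration:cfg delegate:delegate delegateQueue:nil];
}
```

The delegate changes no trust decision, so it is safe to ship in a production build for diagnostics; the useful comparison is between devices that report Unspecified and those that report a RecoverableTrustFailure with a named error, or that never reach the callback at all.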

I've had similar errors in a few scenarios:

  • The server was getting accessed via https://www.domainname.com instead of https://domainname.com (note the "www."), in which case, because of how I had signed the cert, it was invalid. (I later found out how to make the cert valid for both addresses and used the virtualHost and htaccess to always push to www.jeremiedaigle.com.)
  • I had a load-balanced server which was improperly set up. One of the servers had the cert, the other didn't.
  • Last, I have also encountered this issue when debugging and trying to use a self-signed cert because I was using a proxy (CharlesProxy) middleman to debug my requests. The middleman cert, in this case, had to be trusted by the device. You can do this by sending the cert via email and opening it on the device.
