We've enabled ATS restrictions in our app, and everything works fine, except that sometimes, randomly, downloading a resource from the CDN fails.
In most cases, it happens to users who are on iOS 14.* and Wi-Fi (a VPN helps solve the problem :thinking_face:).
Logs:
(ExampleClientErrorLogServlet) :: Client error: {"arguments":["test_resource","Caught Error Domain%3DNSURLErrorDomain Code%3D-1200 \"An SSL error has occurred and a secure connection to the server cannot be made.\" UserInfo%3D{NSErrorFailingURLStringKey%3Dhttps://my-url/reource.bin, NSLocalizedRecoverySuggestion%3DWould you like to connect to the server anyway?, _kCFStreamErrorDomainKey%3D3, _NSURLErrorFailingURLSessionTaskErrorKey%3DLocalDownloadTask <A50DCF0E-38F3-4454-A78A-B4552336561E>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey%3D(\n \"LocalDownloadTask <A50DCF0E-38F3-4454-A78A-B4552336561E>.<1>\"\n), NSLocalizedDescription%3DAn SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey%3Dhttps://my-url/reource.bin, NSUnderlyingError%3D0x2882e1050 {Error Domain%3DkCFErrorDomainCFNetwork Code%3D-1200 \"(null)\" UserInfo%3D{_kCFStreamPropertySSLClientCertificateState%3D0, _kCFNetworkCFStreamSSLErrorOriginalValue%3D-9816, _kCFStreamErrorDomainKey%3D3, _kCFStreamErrorCodeKey%3D-9816, _NSURLErrorNWPathKey%3Dsatisfied (Path is satisfied), viable, interface: en0, ipv4, dns}}, _kCFStreamErrorCodeKey%3D-9816}"],"format":"Downloading {} file failed: {}","platform":"ios","version":"2.87.1"}
26.07.2022 01:39:55 [DEBUG][9] :: platform: ios, version: 2.87.1. Downloading test_resource file failed: Caught Error Domain%3DNSURLErrorDomain Code%3D-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo%3D{NSErrorFailingURLStringKey%3Dhttps://my-url/reource.bin, NSLocalizedRecoverySuggestion%3DWould you like to connect to the server anyway?, _kCFStreamErrorDomainKey%3D3, _NSURLErrorFailingURLSessionTaskErrorKey%3DLocalDownloadTask <A50DCF0E-38F3-4454-A78A-B4552336561E>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey%3D(
), NSLocalizedDescription%3DAn SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey%3Dhttps://my-url/reource.bin, NSUnderlyingError%3D0x2882e1050 {Error Domain%3DkCFErrorDomainCFNetwork Code%3D-1200 "(null)" UserInfo%3D{_kCFStreamPropertySSLClientCertificateState%3D0, _kCFNetworkCFStreamSSLErrorOriginalValue%3D-9816, _kCFStreamErrorDomainKey%3D3, _kCFStreamErrorCodeKey%3D-9816, _NSURLErrorNWPathKey%3Dsatisfied (Path is satisfied), viable, interface: en0, ipv4, dns}}, _kCFStreamErrorCodeKey%3D-9816}
_kCFNetworkCFStreamSSLErrorOriginalValue=-9816
_kCFStreamErrorDomainKey=3
_kCFStreamErrorCodeKey=-9816
We've tried nscurl --ats-diagnostics on the URL:
Configuring ATS Info.plist keys and displaying the result of HTTPS loads to https:/url-path.
A test will "PASS" if URLSession:task:didCompleteWithError: returns a nil error.
==============================================================
Default ATS Secure Connection
---
ATS Default Connection
ATS Dictionary:
{}
Result : PASS
---
==============================================================
Allowing Arbitrary Loads
---
Allow All Loads
ATS Dictionary:
{
NSAllowsArbitraryLoads = true;
}
Result : PASS
---
================================================================================
Configuring TLS exceptions for url
---
TLSv1.3
ATS Dictionary:
{
NSExceptionDomains = {
"url" = {
NSExceptionMinimumTLSVersion = "TLSv1.3";
};
};
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSErrorFailingURLStringKey=url, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <250D7C7A-A090-41F1-8FED-E73FCB511F41>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey=(
"LocalDataTask <250D7C7A-A090-41F1-8FED-E73FCB511F41>.<1>"
), NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=url, NSUnderlyingError=0x6000021318f0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9836, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9836, _NSURLErrorNWPathKey=satisfied (Path is satisfied), viable, interface: lo0}}, _kCFStreamErrorCodeKey=-9836}
---
======================================
nscurl --ats-diagnostics shows me another error code, -9836, and as far as I know TLSv1.3 is not necessary yet.
Maybe someone can give some suggestions? Any help is welcome!! :pray:
Thx!
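Added example, not part of the original post: a small triage script for client error lines like the ones quoted above. It decodes the `%3D` escaping, extracts `_kCFStreamErrorCodeKey`, the failing URL and the network interface, and maps the code to its SecureTransport name. The function names `triage` and `summarize` are hypothetical, the sample lines are constructed from the two errors in the post, and the code table is a subset of Apple's `SecureTransport.h`.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Subset of SecureTransport OSStatus codes (names as in Apple's SecureTransport.h).
SSL_ERRORS = {
    -9807: "errSSLXCertChainInvalid: invalid certificate chain",
    -9816: "errSSLClosedNoNotify: peer closed the connection without close_notify",
    -9824: "errSSLPeerHandshakeFail: peer sent handshake_failure alert",
    -9836: "errSSLPeerProtocolVersion: peer sent protocol_version alert",
}
CODE_RE = re.compile(r"_kCFStreamErrorCodeKey=(-?\d+)")
URL_RE = re.compile(r"NSErrorFailingURLKey=([^,\s}]+)")
IFACE_RE = re.compile(r"interface: (\w+)")


def triage(raw_line):
    """Decode one client error line and pull out the TLS-relevant fields."""
    text = unquote(raw_line)  # the app-side log writes '=' as %3D
    codes = {int(c) for c in CODE_RE.findall(text)}
    url = URL_RE.search(text)
    iface = IFACE_RE.search(text)
    return {
        "url": url.group(1) if url else None,
        "interface": iface.group(1) if iface else None,
        "errors": sorted(SSL_ERRORS.get(c, f"unmapped OSStatus {c}") for c in codes),
    }


def summarize(lines):
    """Count failures per (interface, error name) so recurring patterns stand out."""
    counts = Counter()
    for line in lines:
        rec = triage(line)
        for err in rec["errors"]:
            counts[(rec["interface"], err.split(":")[0])] += 1
    return counts


# Constructed sample lines, shortened from the two errors quoted in the post.
SAMPLE = [
    "Code%3D-1200 UserInfo%3D{NSErrorFailingURLKey%3Dhttps://my-url/reource.bin, "
    "_kCFStreamErrorCodeKey%3D-9816, _NSURLErrorNWPathKey%3Dsatisfied, interface: en0, ipv4, dns}",
    "Code=-1200 UserInfo={NSErrorFailingURLKey=url, _kCFStreamErrorCodeKey=-9836, "
    "_NSURLErrorNWPathKey=satisfied, interface: lo0}",
]

if __name__ == "__main__":
    print(dict(summarize(SAMPLE)))
```

The two codes are different failures: -9816 in the field logs is a connection closed without a TLS close_notify, while -9836 from the nscurl TLSv1.3 test is a protocol-version alert from the server.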