OK, that is a great next step. FWIW I did find this great page on App Transport Security
https://useyourloaf.com/blog/app-transport-security
that talked about ATS and showed me nscurl and curl, which provides proof (I think) that it is not ATS-related - seems like it starts pulling down data.
The only other interesting data point is that Safari on iOS will return data from the page, but not through the app. So perhaps the response is malformed. Here's what comes through on Mac OS X 10.15... and I'll post the diagnostics as soon as I can.
% curl -v https://[CUSTOM_DOMAIN_FOR_AWS_API_GATEWAY]/v1/query1 10:29:49
* Trying 13.225.62.80...
* TCP_NODELAY set
* Connected to [CUSTOM_DOMAIN_FOR_AWS_API_GATEWAY] (13.225.62.80) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=[CUSTOM_DOMAIN_FOR_AWS_API_GATEWAY]
* start date: Dec 5 00:00:00 2019 GMT
* expire date: Jan 5 12:00:00 2021 GMT
* subjectAltName: host "[CUSTOM_DOMAIN_FOR_AWS_API_GATEWAY]" matched cert's "[CUSTOM_DOMAIN_FOR_AWS_API_GATEWAY]"
* issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fab7d800000)
> GET /v1/query1 HTTP/2
> Host: [CUSTOM_DOMAIN_FOR_AWS_API_GATEWAY]
> User-Agent: curl/7.64.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< content-type: application/json
< content-length: 209277
< date: Thu, 05 Dec 2019 15:43:10 GMT
< x-amzn-requestid: 2c194c6c-56c5-4cf3-8428-01fc5071f404
< x-amz-apigw-id: EPLORHrfIAMFchg=
< x-amzn-trace-id: Root=1-5de9258e-08bf00449ae065c895fb60d8;Sampled=0
< x-cache: Miss from cloudfront
< via: 1.1 c9fc8eca0b2b3a083a77fd1cf662c1a9.cloudfront.net (CloudFront)
< x-amz-cf-pop: EWR53-C1
< x-amz-cf-id: o5emzx5iB7k9ioxa10nqGnnw0l-V78LKmv7p4bUWskd75uDJe4W4cg==
<
{"contents": [{"un_code": 44, "iso3": [lots more data here...]