We've enabled ATS restrictions in our app, and everything works fine, except sometimes, randomly, the CDN download resource fails.
In most cases, it happens to users who on iOS 14.* and WiFI (VPN helps solve the problem 🤔 )
Logs:
(ExampleClientErrorLogServlet) :: Client error: {"arguments":["test_resource","Caught Error Domain%3DNSURLErrorDomain Code%3D-1200 \"An SSL error has occurred and a secure connection to the server cannot be made.\" UserInfo%3D{NSErrorFailingURLStringKey%3Dhttps://my-url/reource.bin, NSLocalizedRecoverySuggestion%3DWould you like to connect to the server anyway?, _kCFStreamErrorDomainKey%3D3, _NSURLErrorFailingURLSessionTaskErrorKey%3DLocalDownloadTask <A50DCF0E-38F3-4454-A78A-B4552336561E>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey%3D(\n \"LocalDownloadTask <A50DCF0E-38F3-4454-A78A-B4552336561E>.<1>\"\n), NSLocalizedDescription%3DAn SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey%3Dhttps://my-url/reource.bin, NSUnderlyingError%3D0x2882e1050 {Error Domain%3DkCFErrorDomainCFNetwork Code%3D-1200 \"(null)\" UserInfo%3D{_kCFStreamPropertySSLClientCertificateState%3D0, _kCFNetworkCFStreamSSLErrorOriginalValue%3D-9816, _kCFStreamErrorDomainKey%3D3, _kCFStreamErrorCodeKey%3D-9816, _NSURLErrorNWPathKey%3Dsatisfied (Path is satisfied), viable, interface: en0, ipv4, dns}}, _kCFStreamErrorCodeKey%3D-9816}"],"format":"Downloading {} file failed: {}","platform":"ios","version":"2.87.1"}
26.07.2022 01:39:55 [DEBUG][9] :: platform: ios, version: 2.87.1. Downloading test_resource file failed: Caught Error Domain%3DNSURLErrorDomain Code%3D-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo%3D{NSErrorFailingURLStringKey%3Dhttps://my-url/reource.bin, NSLocalizedRecoverySuggestion%3DWould you like to connect to the server anyway?, _kCFStreamErrorDomainKey%3D3, _NSURLErrorFailingURLSessionTaskErrorKey%3DLocalDownloadTask <A50DCF0E-38F3-4454-A78A-B4552336561E>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey%3D(
), NSLocalizedDescription%3DAn SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey%3Dhttps://my-url/reource.bin, NSUnderlyingError%3D0x2882e1050 {Error Domain%3DkCFErrorDomainCFNetwork Code%3D-1200 "(null)" UserInfo%3D{_kCFStreamPropertySSLClientCertificateState%3D0, _kCFNetworkCFStreamSSLErrorOriginalValue%3D-9816, _kCFStreamErrorDomainKey%3D3, _kCFStreamErrorCodeKey%3D-9816, _NSURLErrorNWPathKey%3Dsatisfied (Path is satisfied), viable, interface: en0, ipv4, dns}}, _kCFStreamErrorCodeKey%3D-9816}
_kCFNetworkCFStreamSSLErrorOriginalValue=-9816
_kCFStreamErrorDomainKey=3
_kCFStreamErrorCodeKey=-9816
We've tried nscurl --ats-diagnostics on the URL:
Configuring ATS Info.plist keys and displaying the result of HTTPS loads to https:/url-path.
A test will "PASS" if URLSession:task:didCompleteWithError: returns a nil error.
==============================================================
Default ATS Secure Connection
---
ATS Default Connection
ATS Dictionary:
{}
Result : PASS
---
==============================================================
Allowing Arbitrary Loads
---
Allow All Loads
ATS Dictionary:
{
NSAllowsArbitraryLoads = true;
}
Result : PASS
---
================================================================================
Configuring TLS exceptions for url
---
TLSv1.3
ATS Dictionary:
{
NSExceptionDomains = {
"url" = {
NSExceptionMinimumTLSVersion = "TLSv1.3";
};
};
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSErrorFailingURLStringKey=url, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <250D7C7A-A090-41F1-8FED-E73FCB511F41>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey=(
"LocalDataTask <250D7C7A-A090-41F1-8FED-E73FCB511F41>.<1>"
), NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=url, NSUnderlyingError=0x6000021318f0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9836, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9836, _NSURLErrorNWPathKey=satisfied (Path is satisfied), viable, interface: lo0}}, _kCFStreamErrorCodeKey=-9836}
---
======================================
nsurl --ats-diagnostic show me another error code -9836 and like I know TLSv1.3 not necessary yet
Maybe someone can give some suggestions, any help !! 🙏
Thx!
We solved the problem, it's some kind of problem in CDN. We implemented DNS resolver to check IP appress from user when error occure (SSL error). And we saw that ip address from CDN not the same as not what is expected for a certain region.
For example, user from Germany (just example) - has error with SSL connection when try to download our assets . We resolve DNS address from CDN url where SSL error occure. On user device resolved ip - 88.143.21.23 (for example), and real IP for this region different (54.22.123.54).
With this information we came to our CDN provider and they will fixed that from they side
