Getting "Caught Error Domain NSURLErrorDomain Code=-1200 \"An SSL error has occurred and a secure connection to the server cannot be made."?

We've enabled ATS restrictions in our app, and everything works fine, except sometimes, randomly, the CDN resource download fails.

In most cases, it happens to users who are on iOS 14.* and Wi-Fi (a VPN helps solve the problem 🤔).

Logs:

(ExampleClientErrorLogServlet) :: Client error: {"arguments":["test_resource","Caught Error Domain%3DNSURLErrorDomain Code%3D-1200 \"An SSL error has occurred and a secure connection to the server cannot be made.\" UserInfo%3D{NSErrorFailingURLStringKey%3Dhttps://my-url/reource.bin, NSLocalizedRecoverySuggestion%3DWould you like to connect to the server anyway?, _kCFStreamErrorDomainKey%3D3, _NSURLErrorFailingURLSessionTaskErrorKey%3DLocalDownloadTask <A50DCF0E-38F3-4454-A78A-B4552336561E>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey%3D(\n    \"LocalDownloadTask <A50DCF0E-38F3-4454-A78A-B4552336561E>.<1>\"\n), NSLocalizedDescription%3DAn SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey%3Dhttps://my-url/reource.bin, NSUnderlyingError%3D0x2882e1050 {Error Domain%3DkCFErrorDomainCFNetwork Code%3D-1200 \"(null)\" UserInfo%3D{_kCFStreamPropertySSLClientCertificateState%3D0, _kCFNetworkCFStreamSSLErrorOriginalValue%3D-9816, _kCFStreamErrorDomainKey%3D3, _kCFStreamErrorCodeKey%3D-9816, _NSURLErrorNWPathKey%3Dsatisfied (Path is satisfied), viable, interface: en0, ipv4, dns}}, _kCFStreamErrorCodeKey%3D-9816}"],"format":"Downloading {} file failed: {}","platform":"ios","version":"2.87.1"}
26.07.2022 01:39:55 [DEBUG][9] :: platform: ios, version: 2.87.1. Downloading test_resource file failed: Caught Error Domain%3DNSURLErrorDomain Code%3D-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo%3D{NSErrorFailingURLStringKey%3Dhttps://my-url/reource.bin, NSLocalizedRecoverySuggestion%3DWould you like to connect to the server anyway?, _kCFStreamErrorDomainKey%3D3, _NSURLErrorFailingURLSessionTaskErrorKey%3DLocalDownloadTask <A50DCF0E-38F3-4454-A78A-B4552336561E>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey%3D(
), NSLocalizedDescription%3DAn SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey%3Dhttps://my-url/reource.bin, NSUnderlyingError%3D0x2882e1050 {Error Domain%3DkCFErrorDomainCFNetwork Code%3D-1200 "(null)" UserInfo%3D{_kCFStreamPropertySSLClientCertificateState%3D0, _kCFNetworkCFStreamSSLErrorOriginalValue%3D-9816, _kCFStreamErrorDomainKey%3D3, _kCFStreamErrorCodeKey%3D-9816, _NSURLErrorNWPathKey%3Dsatisfied (Path is satisfied), viable, interface: en0, ipv4, dns}}, _kCFStreamErrorCodeKey%3D-9816}

_kCFNetworkCFStreamSSLErrorOriginalValue=-9816

_kCFStreamErrorDomainKey=3

_kCFStreamErrorCodeKey=-9816
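The three underlying keys above are what to triage on: `_kCFStreamErrorDomainKey=3` is the SSL stream error domain, and `_kCFStreamErrorCodeKey` then carries a SecureTransport OSStatus value. The code in the app log, -9816, is errSSLClosedNoNotify (the server closed the session without a TLS close_notify); the -9836 that appears later in the nscurl TLSv1.3 test is errSSLPeerProtocolVersion (the peer rejected the offered protocol version). The following Python is an added example, not code from the original post: it decodes the `%3D`-encoded client error strings, pulls out those keys, maps the code to its SecureTransport name, and counts code/interface pairs across a batch of reports so an intermittent "wrong server" pattern stands out. The sample lines are constructed by shortening the two error strings quoted on this page.

```python
import re
from collections import Counter
from urllib.parse import unquote

# SecureTransport OSStatus codes that CFNetwork reports in _kCFStreamErrorCodeKey
# when _kCFStreamErrorDomainKey is 3 (kCFStreamErrorDomainSSL). Subset only.
SECURE_TRANSPORT_ERRORS = {
    -9806: "errSSLClosedAbort",          # connection closed via error
    -9807: "errSSLXCertChainInvalid",    # invalid certificate chain
    -9812: "errSSLUnknownRootCert",      # chain ends in an untrusted root
    -9814: "errSSLCertExpired",          # chain contains an expired certificate
    -9816: "errSSLClosedNoNotify",       # server closed the session with no notification
    -9824: "errSSLPeerHandshakeFail",    # peer reported a handshake failure
    -9836: "errSSLPeerProtocolVersion",  # peer rejected the offered protocol version
    -9837: "errSSLPeerInsufficientSecurity",
}

# Constructed samples, shortened from the two error strings on this page. The app's
# logging pipeline percent-encodes '=' as '%3D'; nscurl prints '=' literally.
SAMPLE_LINES = [
    'Caught Error Domain%3DNSURLErrorDomain Code%3D-1200 "An SSL error has occurred" '
    'UserInfo%3D{NSErrorFailingURLStringKey%3Dhttps://my-url/reource.bin, '
    '_kCFStreamErrorDomainKey%3D3, NSUnderlyingError%3D0x2882e1050 {Error Domain%3D'
    'kCFErrorDomainCFNetwork Code%3D-1200 UserInfo%3D{_kCFStreamErrorCodeKey%3D-9816, '
    '_NSURLErrorNWPathKey%3Dsatisfied (Path is satisfied), viable, interface: en0, ipv4, dns}}}',
    'Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred" '
    'UserInfo={NSErrorFailingURLStringKey=url, _kCFStreamErrorDomainKey=3, '
    'NSUnderlyingError=0x6000021318f0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 '
    'UserInfo={_kCFStreamErrorCodeKey=-9836, _NSURLErrorNWPathKey=satisfied (Path is satisfied), '
    'viable, interface: lo0}}}',
]


def parse_ssl_error(line: str) -> dict:
    """Extract the fields that matter for triage from one NSURLError string."""
    text = unquote(line)  # undo %3D-style encoding; a plain '=' is left untouched

    def grab(pattern, conv=str, default=None):
        m = re.search(pattern, text)
        return conv(m.group(1)) if m else default

    info = {
        "url": grab(r"NSErrorFailingURLStringKey=([^,\s]+)"),
        "nsurl_code": grab(r"Code=(-?\d+)", int),          # outer NSURLErrorDomain code
        "stream_domain": grab(r"_kCFStreamErrorDomainKey=(-?\d+)", int),
        "stream_code": grab(r"_kCFStreamErrorCodeKey=(-?\d+)", int),
        "interface": grab(r"interface: (\w+)"),            # from _NSURLErrorNWPathKey
    }
    if info["stream_domain"] == 3:
        info["meaning"] = SECURE_TRANSPORT_ERRORS.get(
            info["stream_code"], "unknown SecureTransport code")
    else:
        info["meaning"] = "not a SecureTransport (SSL-domain) error"
    return info


def summarize(lines) -> Counter:
    """Count (meaning, interface) pairs across a batch of client error reports.
    One code clustering on one interface (e.g. errSSLClosedNoNotify on en0 only)
    is the signature worth taking to the CDN provider."""
    return Counter((p["meaning"], p["interface"]) for p in map(parse_ssl_error, lines))


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_ssl_error(line))
    print(summarize(SAMPLE_LINES))
```

Feed it the `arguments` field of each `Client error` record from the servlet log; grouping by `meaning` and `interface` separates a server-side close (-9816 on `en0`) from a genuine version or trust failure.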

We've tried nscurl --ats-diagnostics on the URL:

Configuring ATS Info.plist keys and displaying the result of HTTPS loads to https:/url-path.

A test will "PASS" if URLSession:task:didCompleteWithError: returns a nil error.

==============================================================
Default ATS Secure Connection
---
ATS Default Connection
ATS Dictionary:
{}
Result : PASS
---
==============================================================
Allowing Arbitrary Loads
---
Allow All Loads
ATS Dictionary:
{
    NSAllowsArbitraryLoads = true;
}
Result : PASS
---
================================================================================
Configuring TLS exceptions for url
---
TLSv1.3
ATS Dictionary:
{
    NSExceptionDomains =     {
        "url" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.3";
        };
    };
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSErrorFailingURLStringKey=url, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <250D7C7A-A090-41F1-8FED-E73FCB511F41>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey=(
    "LocalDataTask <250D7C7A-A090-41F1-8FED-E73FCB511F41>.<1>"
), NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=url, NSUnderlyingError=0x6000021318f0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9836, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9836, _NSURLErrorNWPathKey=satisfied (Path is satisfied), viable, interface: lo0}}, _kCFStreamErrorCodeKey=-9836}
---
======================================

nscurl --ats-diagnostics shows me another error code, -9836, and as far as I know TLSv1.3 is not necessary yet.

Maybe someone can give some suggestions, any help!! 🙏

Thx!

Accepted Reply

We solved the problem; it's some kind of problem in the CDN. We implemented a DNS resolver to check the IP address on the user's side when the error occurs (SSL error). And we saw that the IP address from the CDN is not the same as what is expected for a certain region.

For example, a user from Germany (just an example) gets an error with the SSL connection when trying to download our assets. We resolve the DNS address of the CDN URL where the SSL error occurs. On the user's device the resolved IP is 88.143.21.23 (for example), and the real IP for this region is different (54.22.123.54).

With this information we went to our CDN provider and they will fix that from their side.

Replies

Usually when you run into random TLS errors that are intermittent, this is an indication that you are talking to a server that you did not expect to. In this case, the first step in debugging something like this would be to make sure you are talking to the correct server. Next, if all of that checks out, make sure that the client is able to validate the certificate that the peer is sending it. If this certificate is derived from a self-signed root, then make sure that you are able to handle this correctly by following the steps in the article Creating an Identity for Local Network TLS. Lastly, if none of the above are the case, then take a look to make sure that the leaf certificate that you are using on the peer supports TLS 1.3 and all of Apple's latest Certificate Transparency policies.
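The first step in the reply above (confirm you are talking to the server you expect and that its certificate validates) and the check the accepted reply describes (resolve the CDN hostname from the affected network and compare the address with the one expected for the region) can be combined into one diagnostic. The Python below is an added example, not the poster's app code or anything from the CDN provider: `classify_resolution` is pure and offline, `probe_tls` opens a real connection to each resolved address with SNI set to the CDN hostname and lets the platform trust store validate the chain, reporting the negotiated protocol version. The per-region ranges are constructed placeholders; the two addresses used in the test are the ones quoted in the accepted reply.

```python
import ipaddress
import json
import socket
import ssl
import sys

# Hypothetical expected CDN address ranges per region. Real values come from the CDN
# provider; these are constructed placeholders for the example.
EXPECTED_CDN_NETWORKS = {
    "DE": ["54.22.123.0/24"],
    "US": ["203.0.113.0/24"],
}


def classify_resolution(region, resolved_ips, expected=EXPECTED_CDN_NETWORKS):
    """Flag resolved addresses that fall outside the ranges expected for the region."""
    nets = [ipaddress.ip_network(n) for n in expected.get(region, [])]
    unexpected = [ip for ip in resolved_ips
                  if not any(ipaddress.ip_address(ip) in n for n in nets)]
    return {"region": region, "resolved": list(resolved_ips),
            "unexpected": unexpected, "ok": not unexpected}


def resolve(hostname):
    """Resolve with the client's own resolver, the same path URLSession uses."""
    return sorted({info[4][0] for info in
                   socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)})


def probe_tls(hostname, ip, timeout=5.0):
    """Handshake with one specific address, SNI = hostname, default trust store.
    Returns (ok, detail); a version mismatch or a closed socket shows up here."""
    ctx = ssl.create_default_context()          # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((ip, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                return True, {"version": tls.version(),
                              "subject": cert.get("subject"),
                              "san": cert.get("subjectAltName")}
    except ssl.SSLCertVerificationError as e:
        return False, {"error": "certificate verification failed", "detail": str(e)}
    except (ssl.SSLError, OSError) as e:
        return False, {"error": type(e).__name__, "detail": str(e)}


def diagnose(hostname, region):
    """Resolve, classify, then probe every address so a wrong node is attributable."""
    ips = resolve(hostname)
    report = classify_resolution(region, ips)
    report["probes"] = {ip: probe_tls(hostname, ip) for ip in ips}
    return report


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "cdn.example.com"  # placeholder host
    region = sys.argv[2] if len(sys.argv) > 2 else "DE"
    print(json.dumps(diagnose(host, region), indent=2, default=str))
```

Run it once from the affected Wi-Fi network and once over the VPN that makes the problem disappear; if the two runs resolve to different addresses and only one set fails `probe_tls`, the failing addresses and their probe details are the evidence to hand to the CDN provider.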
