SSL Handshake Failure

We have an app on Apple App store, which allows group calling (Conferencing). The current app version on the App store does not have an SSL.

Our latest build which we are trying to release, we have implemented SSL. However, three out of five attempts fail at the SSL handshake.

We get an error that says "OSStatus Error: 9806". May I know why the SSL handshake fails?

Accepted Reply

Hi Eskimo,

Thanks for your response, you are right, we use TLS v1.2 and v1.3 and use the CFStreamCreatePairWithSocketToHost() API function with read stream and write stream CFReadStreamRef and CFWriteStreamRef respectively. It is a mobile application that connects to the Apache server at the server end. Our observations are as follows:

  1. The handshake failure does not happen for every request; 50% of the time it works, but then
  2. For failed handshake, we get the OS status error: 9806
  3. The network connection is stable
  4. Have a valid SSL certificate 

It would be helpful, if you could guide us to troubleshoot the issue to resolve it.

Replies

we have implemented SSL.

I’m presuming you mean TLS here. For more about the terminology I use, see TLS for App Developers.

What API are you using for TLS? NWConnection? NSURLSession? Or something else?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"


we use … CFStreamCreatePairWithSocketToHost API

Hmmm, that’s not great. That API yields a CFSocketStream, and that’s been deprecated for a while now. It should still work, but you certainly won’t get all the latest TLS features.

I recommend that you plan on replacing this with NWConnection at some point in the future.

Having said that, this isn’t the cause of your main problem. You wrote:

50% of the time it works

My experience is that our platforms are very ‘stable’ when it comes to TLS. That is, for any given server a TLS connection will work or it won’t. Intermittent problems like this are usually caused by issues on the server side. For example, I commonly see this when there’s a bunch of servers fronted by a redirector, and one of the servers is misconfigured.

Regardless, the path forward is clear: Use an RVI packet trace to see what’s happening on the ‘wire’. If, as I expect, you find that iOS behaves the same in both the failing and working cases, you can use that as evidence in your discussions with the folks who run the server.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
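The thread's advice is to move from CFSocketStream to NWConnection and to gather evidence of whether the client behaves the same on failing and working attempts. The following is an added example, not code from this thread or from Apple: a small macOS command-line probe that opens a TLS connection with NWConnection, requires TLS 1.2 or later (the versions the original poster says they use), repeats the handshake a number of times, and records the OSStatus that Network.framework reports for each failed attempt. The host name conference.example.com and the attempt count are placeholders you would replace with your own values; the only assumption about the server is that it speaks TLS on port 443.

```swift
import Foundation
import Network

// Result of one TLS handshake attempt. A failure carries the NWError,
// which for TLS problems wraps the Secure Transport OSStatus
// (the forum thread's "9806" is the OSStatus -9806, errSSLClosedAbort).
enum ProbeResult {
    case ready
    case failed(NWError)
}

// Perform a single TLS handshake against host:port and block until it
// either reaches .ready or fails. Returns the outcome for logging.
func probeTLSHandshake(host: String, port: UInt16, timeoutSeconds: Int = 10) -> ProbeResult {
    let tlsOptions = NWProtocolTLS.Options()
    // Refuse anything older than TLS 1.2; the poster uses 1.2 and 1.3.
    sec_protocol_options_set_min_tls_protocol_version(
        tlsOptions.securityProtocolOptions, .TLSv12)
    // SNI is sent for the host name by default; set it explicitly so the
    // server-side redirector picks the same backend it would for the app.
    sec_protocol_options_set_tls_server_name(
        tlsOptions.securityProtocolOptions, host)

    let params = NWParameters(tls: tlsOptions, tcp: NWProtocolTCP.Options())
    let connection = NWConnection(host: NWEndpoint.Host(host),
                                  port: NWEndpoint.Port(rawValue: port)!,
                                  using: params)
    let done = DispatchSemaphore(value: 0)
    var result: ProbeResult = .failed(.posix(.ETIMEDOUT))

    connection.stateUpdateHandler = { state in
        switch state {
        case .ready:
            // The TLS handshake completed; we only wanted the handshake.
            result = .ready
            connection.cancel()
            done.signal()
        case .waiting(let error):
            // No usable path yet (for example, no route). Network.framework
            // keeps retrying; log it so a flaky link is distinguishable from TLS.
            print("waiting: \(error)")
        case .failed(let error):
            result = .failed(error)
            done.signal()
        default:
            break
        }
    }

    connection.start(queue: DispatchQueue(label: "tls-probe"))
    if done.wait(timeout: .now() + .seconds(timeoutSeconds)) == .timedOut {
        connection.cancel()
    }
    return result
}

// Run the probe repeatedly and print a per-attempt outcome. If every
// failure shows the same OSStatus while the client configuration never
// changes, that supports the point made in the thread: the variation is
// on the server side, not in iOS.
func runProbe(host: String, port: UInt16, attempts: Int) {
    var successes = 0
    for attempt in 1...attempts {
        switch probeTLSHandshake(host: host, port: port) {
        case .ready:
            successes += 1
            print("attempt \(attempt): handshake OK")
        case .failed(let error):
            if case .tls(let status) = error {
                // Secure Transport status, e.g. -9806 for a connection the
                // peer closed during the handshake.
                print("attempt \(attempt): TLS failure, OSStatus \(status)")
            } else {
                print("attempt \(attempt): failed, \(error)")
            }
        }
    }
    print("\(successes)/\(attempts) handshakes succeeded")
}

// Placeholder host; replace with the conferencing server under test.
runProbe(host: "conference.example.com", port: 443, attempts: 10)
```

Pair the run with the RVI packet trace Quinn suggests: the trace shows which side sent the alert or closed the socket, and the per-attempt OSStatus from this probe tells you which attempts to look at in the capture.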