How to track down cause of SSL Errors - NSURLErrorDomain Code=-1200

I've noticed that our apps get these errors with some regular occurrence:

Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made.

I suspect the issue may be because of misconfigured VPNs. But is there any way to get more details about the cause of these SSL failures? If it's an issue with certificate validation or something, it would be great to get the certificate seen at the time of the error as sometimes a simple retry ends up working.

I'm not doing anything particularly special network-wise... using standard URLSession with the default configuration. I have tried implementing URLSessionDelegate.urlSession(_:didBecomeInvalidWithError:) and URLSessionDelegate.urlSession(_:didReceive:completionHandler:) to see if I could get more details, but nothing.

Replies

If you connect to the site with Safari, does that work?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

These are REST endpoints requiring authorization headers, so it's hard to test in Safari. But my main question was whether there's something I can do programmatically in my apps to be able to capture more details when the app encounters SSL errors like this. I just found other posts that lead me to URLError, which I think has the details I'm looking for.

In my own testing, I've seen these errors:

_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9816, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9816, _NSURLErrorNWPathKey=satisfied (Path is satisfied), interface: en0[802.11]}}, _kCFStreamErrorCodeKey=-9816

Not sure if this is the only error. But this suggests the server is closing the connection. So now I just have to find out if the server ever actually got the connection request...

> But my main question was whether there's something I can do programmatically in my apps to be able to capture more details when the app encounters SSL errors like this.

Capturing the full error is always useful. In most cases there will be an underlying -98xx error with more details. In the example you posted that’s -9816, or errSSLClosedNoNotify, indicating that the TCP connection closed without getting an appropriate TLS ‘close notify’ alert from the server. Sadly, that isn’t as helpful as it sounds because it’s common to see that error when your connection is blocked by policy.

Are you seeing these errors consistently? Or intermittently? iOS tends to be pretty consistent in this regard, so my experience is that intermittent errors are usually caused by problems on the server side. Gathering enough evidence to convince your server team to investigate that can be a challenge though (-:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
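
Added example, not code from any poster in this thread or from Apple: one way to capture the full error as the last reply suggests, walking the NSUnderlyingErrorKey chain to log the -98xx status and, when the failure was a trust evaluation failure, the peer certificate subjects. The function name describeTLSFailure and the sample error are constructed for illustration, and SecTrustCopyCertificateChain assumes iOS 15 / macOS 12 or later.

```swift
import Foundation
import Security

/// Flattens an error from URLSession into loggable lines: each level of the
/// NSUnderlyingErrorKey chain, the stream status code when present, and the
/// peer certificate subjects when server trust evaluation failed.
func describeTLSFailure(_ error: Error) -> [String] {
    var lines: [String] = []
    var current: NSError? = error as NSError
    var depth = 0

    while let e = current, depth < 8 {   // depth guard against cyclic chains
        lines.append("[\(depth)] domain=\(e.domain) code=\(e.code)")

        // Key name copied from the dump in the thread; it is undocumented,
        // so its presence is best effort.
        if let status = e.userInfo["_kCFStreamErrorCodeKey"] as? Int {
            let text = SecCopyErrorMessageString(OSStatus(truncatingIfNeeded: status), nil) as String?
            lines.append("    stream status=\(status) (\(text ?? "no description"))")
        }
        if let url = e.userInfo[NSURLErrorFailingURLErrorKey] as? URL {
            // Host only: paths and queries of REST calls may carry secrets.
            lines.append("    failing host=\(url.host ?? "?")")
        }
        current = e.userInfo[NSUnderlyingErrorKey] as? NSError
        depth += 1
    }

    // Populated only when the load failed server trust evaluation.
    if let trust = (error as? URLError)?.failureURLPeerTrust,
       let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate] {
        for (i, cert) in chain.enumerated() {
            let subject = SecCertificateCopySubjectSummary(cert) as String? ?? "?"
            lines.append("    peer cert[\(i)] subject=\(subject)")
        }
    }
    return lines
}

// Constructed sample shaped like the dump in the thread (not a captured error).
let inner = NSError(domain: "kCFErrorDomainCFNetwork", code: -1200,
                    userInfo: ["_kCFStreamErrorCodeKey": -9816])
let outer = NSError(domain: NSURLErrorDomain, code: NSURLErrorSecureConnectionFailed,
                    userInfo: [NSUnderlyingErrorKey: inner,
                               "_kCFStreamErrorCodeKey": -9816])
describeTLSFailure(outer).forEach { print($0) }
```

In an app, call the function from the task's completion handler or the delegate's didCompleteWithError callback and send the lines to your logging pipeline together with a timestamp, so intermittent failures can be correlated with server-side logs.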