Causes of Communication Failure with Server

I would like to determine why communication with the server is failing. The situation is as follows.

・An SSL error occurs when communicating with the server.

ATS failed system trust
Connection 13: system TLS Trust evaluation failed(-9802)
Connection 13: TLS Trust encountered error 3:-9802
Connection 13: encountered error(3:-9802)
nw_connection_copy_connected_local_endpoint_block_invoke [C14] Client called nw_connection_copy_connected_local_endpoint on unconnected nw_connection
nw_connection_copy_connected_remote_endpoint_block_invoke [C14] Client called nw_connection_copy_connected_remote_endpoint on unconnected nw_connection
nw_connection_copy_protocol_metadata_internal_block_invoke [C14] Client called nw_connection_copy_protocol_metadata_internal on unconnected nw_connection
Task <07B896CB-44B4-44BC-87B4-EB786D5B25DA>.<10> HTTP load failed, 0/0 bytes (error code: -1200 [3:-9802])
Task <07B896CB-44B4-44BC-87B4-EB786D5B25DA>.<10> finished with error [-1200] Error Domain=NSURLErrorDomain Code=-1200 "SSLエラーが起きたため、サーバへのセキュリティ保護された接続を確立できません。" UserInfo={NSLocalizedRecoverySuggestion=それでもサーバに接続しますか?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=(
    "<cert(0x1091bca00) s: Default Company Ltd i: Default Company Ltd>"
), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://xxxx, NSErrorFailingURLStringKey=https://xxxx, NSUnderlyingError=0x2838e96e0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x28073aa80>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=(
    "<cert(0x1091bca00) s: Default Company Ltd i: Default Company Ltd>"
)}}, _NSURLErrorRelatedURLSessionTaskErrorKey=(
    "LocalDataTask <07B896CB-44B4-44BC-87B4-EB786D5B25DA>.<10>"
), _kCFStreamErrorCodeKey=-9802, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <07B896CB-44B4-44BC-87B4-EB786D5B25DA>.<10>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x28073aa80>, NSLocalizedDescription=SSLエラーが起きたため、サーバへのセキュリティ保護された接続を確立できません。}

・I checked that server for ATS (App Transport Security) support with the nscurl command and found that it supported it without any problems.

・The error content changes when an ATS exception is handled by the iOS client.

Connection 35: default TLS Trust evaluation failed(-9807)
Connection 35: TLS Trust encountered error 3:-9807
Connection 35: encountered error(3:-9807)
nw_connection_copy_connected_local_endpoint_block_invoke [C36] Client called nw_connection_copy_connected_local_endpoint on unconnected nw_connection
nw_connection_copy_connected_remote_endpoint_block_invoke [C36] Client called nw_connection_copy_connected_remote_endpoint on unconnected nw_connection
nw_connection_copy_protocol_metadata_internal_block_invoke [C36] Client called nw_connection_copy_protocol_metadata_internal on unconnected nw_connection
Task <882E38EE-4E0D-4428-A4BE-709BB8448530>.<34> HTTP load failed, 0/0 bytes (error code: -1202 [3:-9807])
Task <882E38EE-4E0D-4428-A4BE-709BB8448530>.<34> finished with error [-1202] Error Domain=NSURLErrorDomain Code=-1202 "このサーバの証明書は無効です。"xxxx"に偽装したサーバに接続している可能性があり、機密情報が漏えいするおそれがあります。" UserInfo={NSLocalizedRecoverySuggestion=それでもサーバに接続しますか?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=(
    "<cert(0x14c2e9000) s: Default Company Ltd i: Default Company Ltd>"
), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://xxxx, NSErrorFailingURLStringKey=https://xxxx, NSUnderlyingError=0x281d86310 {Error Domain=kCFErrorDomainCFNetwork Code=-1202 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x2823f7200>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9807, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9807, kCFStreamPropertySSLPeerCertificates=(
    "<cert(0x14c2e9000) s: Default Company Ltd i: Default Company Ltd>"
)}}, _NSURLErrorRelatedURLSessionTaskErrorKey=(
    "LocalDataTask <882E38EE-4E0D-4428-A4BE-709BB8448530>.<34>"
), _kCFStreamErrorCodeKey=-9807, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <882E38EE-4E0D-4428-A4BE-709BB8448530>.<34>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x2823f7200>, NSLocalizedDescription=このサーバの証明書は無効です。"xxxx"に偽装したサーバに接続している可能性があり、機密情報が漏えいするおそれがあります。}

・Client can communicate normally when client is not iOS (also Safari)

・Even on iOS, after many failed attempts, the communication suddenly succeeds (after success, the session cache is consulted).

The server appears to be fine, but that said, iOS is failing to communicate. What are possible cases like this?

Replies

Is your server available on the public Internet? If so, please post its DNS name here.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi.

I am having the same problem:

2024-05-09 12:12:50.145234+0200 Agenda configurador[4481:105138] Connection 3: default TLS Trust evaluation failed(-9807)
2024-05-09 12:12:50.145507+0200 Agenda configurador[4481:105138] Connection 3: TLS Trust encountered error 3:-9807
2024-05-09 12:12:50.145647+0200 Agenda configurador[4481:105138] Connection 3: encountered error(3:-9807)
2024-05-09 12:12:50.146730+0200 Agenda configurador[4481:105138] Task <45D65655-1337-4AEB-AF8B-66BB0158FCF6>.<0> HTTP load failed, 0/0 bytes (error code: -1202 [3:-9807])
2024-05-09 12:12:50.146863+0200 Agenda configurador[4481:105139] NSURLConnection finished with error - code -1202

The server the app is connecting to is: https://agenda.juntadeandalucia.es/

AFAICT this isn’t the same problem. It has the same top-level error, -1200 or NSURLErrorSecureConnectionFailed, but that’s very generic. The low-level error is different:

  • In hideaki0101’s case that’s -9802, or errSSLFatalAlert.

  • In your case it seems to be -9807, or errSSLXCertChainInvalid:

% nscurl https://agenda.juntadeandalucia.es
… -9807 …

Rather than hijack hideaki0101’s thread, I’d appreciate you starting a new thread for your problem. Tag it with Foundation, CFNetwork, and Security so that I see it.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
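
Added example (not part of any post in this thread, and not Apple's code): a small Python triage script that reads NSURLSession console output in the format shown above and reports both error layers for each failed task, plus the peer certificate chain the log prints. The sample log, task IDs and host names are constructed; the name for -1202 comes from the NSURLError constants rather than from the thread, and the subject/issuer comparison is only a heuristic.

```python
import re

# Names for the codes that appear in this thread's logs.
URL_ERRORS = {-1200: "NSURLErrorSecureConnectionFailed",
              -1202: "NSURLErrorServerCertificateUntrusted"}
TLS_ERRORS = {-9802: "errSSLFatalAlert", -9807: "errSSLXCertChainInvalid"}

LOAD_FAILED = re.compile(
    r"Task <(?P<task>[0-9A-F-]+)>\.<\d+> HTTP load failed, \d+/\d+ bytes "
    r"\(error code: (?P<url>-\d+) \[\d+:(?P<tls>-\d+)\]\)")
PEER_CERT = re.compile(r'"<cert\(0x[0-9a-f]+\) s: (?P<s>.+?) i: (?P<i>.+?)>"')

def triage(log_text):
    """Return one finding per failed task: both error layers plus the peer chain."""
    hits = list(LOAD_FAILED.finditer(log_text))
    findings = []
    for n, m in enumerate(hits):
        # Certificates logged between this failure and the next belong to it.
        end = hits[n + 1].start() if n + 1 < len(hits) else len(log_text)
        certs = [(c["s"], c["i"]) for c in PEER_CERT.finditer(log_text, m.end(), end)]
        chain = list(dict.fromkeys(certs))  # the error dump repeats the chain
        url_code, tls_code = int(m["url"]), int(m["tls"])
        findings.append({
            "task": m["task"],
            "url_error": URL_ERRORS.get(url_code, f"unknown ({url_code})"),
            "tls_error": TLS_ERRORS.get(tls_code, f"unknown ({tls_code})"),
            "chain": chain,
            # Heuristic only: equal subject and issuer summaries suggest a
            # self-signed leaf; confirm against the actual certificate.
            "leaf_self_issued": bool(chain) and chain[0][0] == chain[0][1],
        })
    return findings

# Constructed sample in the format of the logs above (IDs and hosts are made up).
SAMPLE_LOG = '''\
Task <00000000-0000-0000-0000-000000000001>.<10> HTTP load failed, 0/0 bytes (error code: -1200 [3:-9802])
Task <00000000-0000-0000-0000-000000000001>.<10> finished with error [-1200] NSErrorPeerCertificateChainKey=(
    "<cert(0x1091bca00) s: Default Company Ltd i: Default Company Ltd>"
), kCFStreamPropertySSLPeerCertificates=(
    "<cert(0x1091bca00) s: Default Company Ltd i: Default Company Ltd>"
)
2024-01-01 00:00:00.000000+0000 App[1:1] Task <00000000-0000-0000-0000-000000000002>.<0> HTTP load failed, 0/0 bytes (error code: -1202 [3:-9807])
    "<cert(0x0000000001) s: app.example.test i: Example Test CA>"
'''

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
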