What is the reason for NSURLSession Trust evaluation fail

Question

yangyang_2020 OP

Created Jul ’24

Replies 1

Boosts 0

Participants 2

Hi All:
Our use NSURLSession dataTaskWithRequest to connect our https server, However, in one macOS, sometimes, we encounter these error when TLS handshake.

default	2024-06-24 17:52:03.054447 +0900	test-app	boringssl_context_info_handler(2069) [C1209.1.1:2][0x7f9067117b10] Client handshake state: TLS client read_server_certificate
info	2024-06-24 17:52:03.054462 +0900	test-app	boringssl_session_handshake_incomplete(97) [C1209.1.1:2][0x7f9067117b10] Handshake incomplete: waiting for data to read [2]
info	2024-06-24 17:52:03.054552 +0900	test-app	boringssl_session_handshake_incomplete(97) [C1209.1.1:2][0x7f9067117b10] Handshake incomplete: waiting for data to read [2]
info	2024-06-24 17:52:03.054557 +0900	test-app	boringssl_session_handshake_incomplete(97) [C1209.1.1:2][0x7f9067117b10] Handshake incomplete: waiting for data to read [2]
info	2024-06-24 17:52:03.054590 +0900	test-app	boringssl_session_handshake_incomplete(97) [C1209.1.1:2][0x7f9067117b10] Handshake incomplete: waiting for data to read [2]
default	2024-06-24 17:52:03.054769 +0900	test-app	boringssl_context_info_handler(2069) [C1209.1.1:2][0x7f9067117b10] Client handshake state: TLS client read_certificate_status
default	2024-06-24 17:52:03.054773 +0900	test-app	boringssl_context_info_handler(2069) [C1209.1.1:2][0x7f9067117b10] Client handshake state: TLS client verify_server_certificate
default	2024-06-24 17:52:03.055123 +0900	test-app	boringssl_context_evaluate_trust_async(1635) [C1209.1.1:2][0x7f9067117b10] Performing external trust evaluation
default	2024-06-24 17:52:03.055308 +0900	test-app	boringssl_context_evaluate_trust_async_external(1620) [C1209.1.1:2][0x7f9067117b10] Asyncing for external verify block
info	2024-06-24 17:52:03.055316 +0900	test-app	boringssl_session_handshake_incomplete(97) [C1209.1.1:2][0x7f9067117b10] Handshake incomplete: certificate evaluation result pending [16]
default	2024-06-24 17:52:03.055466 +0900	test-app	Connection 1209: asked to evaluate TLS Trust
default	2024-06-24 17:52:03.056082 +0900	test-app	Task <407E11A6-12E8-4818-82B4-BC5B4909130F>.<1405> auth completion disp=1 cred=0x0
default	2024-06-24 17:52:03.064388 +0900	test-app	Trust evaluate failure: [leaf SSLHostname TemporalValidity]
default	2024-06-24 17:52:03.064390 +0900	test-app	System Trust Evaluation yielded status(-9802)
error	2024-06-24 17:52:03.064392 +0900	test-app	ATS failed system trust
error	2024-06-24 17:52:03.064393 +0900	test-app	Connection 1209: system TLS Trust evaluation failed(-9802)
default	2024-06-24 17:52:03.064393 +0900	test-app	Connection 1209: TLS Trust result -9802
error	2024-06-24 17:52:03.064395 +0900	test-app	Connection 1209: TLS Trust encountered error 3:-9802
error	2024-06-24 17:52:03.064397 +0900	test-app	Connection 1209: encountered error(3:-9802)
default	2024-06-24 17:52:03.064400 +0900	test-app	Connection 1209: cleaning up
default	2024-06-24 17:52:03.064404 +0900	test-app	Connection 1209: summary for unused connection {protocol="(null)", domain_lookup_duration_ms=0, connect_duration_ms=0, secure_connection_duration_ms=0, private_relay=false, idle_duration_ms=0}
default	2024-06-24 17:52:03.064438 +0900	test-app	[C1209 63DEF1F8-AC5F-4285-B32B-D3AE707C513A Hostname#229f20b3:443 tcp, url hash: 693c58e9, tls, definite, attribution: developer] cancel

I found TLS Trust evaluation failed(-9802) this error.

I checked server's certificate, it is ok.
On this macOS, this issue happens sometimes, not always.

Thanks for your feedback.

Boost

Answer 1

DTS Engineer OP

Apple

Jul ’24

Error -9802 is errSSLFatalAlert. That isn’t super helpful because it can be the result of either a server- or client-side problem. OTOH, this is interesting:

Trust evaluate failure: [leaf SSLHostname TemporalValidity]

This indicates two problems with the leaf certificate:

SSLHostname indicates that either that the certificate didn’t contain a Subject Alternative Name extension or that the value there didn’t match the host you connected to.
TemporalValidity indicates that the certificate’s valid date range doesn’t include the current time.

On this macOS, this issue happens sometimes, not always.

In my experience issues like this are usually caused by server-side problems. For example, if you have a group of servers behind a redirector, one of those servers may be having a problem. Or you might have encountered a bug in the redirector itself.

The best way to investigate this is to record a packet trace to see exactly what certificate is being returned to the client by the server. I expect that you’ll find that, when you see this failure, the server has returned the wrong certificate.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0