1 Reply
      Latest reply: Dec 28, 2016 2:46 PM by eskimo
      JimMatthews Level 1 (0 points)

        I'm having a problem connecting to a server with a self-signed certificate using CFNetwork on 10.12. I can reproduce the problem with the TLS Tool sample code; setting its launch arguments to "s_client -connect mail.antennasys.net:990 -noverify" and running on 10.11.6 yields:

        *  input stream did open
        * output stream did open
        *  input stream has bytes
        * protocol: TLS 1.2
        * cipher: RSA_WITH_AES_256_GCM_SHA384
        * trust result: recoverable trust failure
        * certificate info:
        *   0 + n/a 2048 (null) 'mail.antennasys.net'
        220 ftp.antennasys.net X2 WS_FTP Server 7.6.2(64998024)
        * output stream has space

        On 10.12.2 I get:

        *  input stream did open
        * output stream did open
        2016-12-14 12:00:12.978490 TLSTool[1811:45353] CFNetwork SSLHandshake failed (-9807)
        * error NSOSStatusErrorDomain / -9807
        * bytes sent 0, bytes received 0
        Program ended with exit code: 1

        Is this a bug in 10.12, or is there something about this server and/or certificate that is no longer supported?

        Note: I've reported this as Radar 29663330

        Re: SSLHandshake error -9807 on Sierra but not on Yosemite
          eskimo Apple Staff (6,470 points)

          I just tried this here in my office and it connected just fine:

          $ sw_vers
          ProductName:    Mac OS X
          ProductVersion: 10.12.2
          BuildVersion:  16C67
          $
          $ TLSTool s_client -connect mail.antennasys.net:990 -noverify
          *  input stream did open
          * output stream did open
          *  input stream has bytes
          * protocol: TLS 1.2
          * cipher: RSA_WITH_AES_256_GCM_SHA384
          * trust result: unspecified
          * certificate info:
          *  0 + rsaEncryption 2048 sha256-with-rsa-signature 'mail.antennasys.net'
          *  1 + rsaEncryption 2048 sha256-with-rsa-signature 'DigiCert SHA2 Secure Server CA'
          *  2 + rsaEncryption 2048 sha1-with-rsa-signature 'DigiCert Global Root CA'
          220 ftp.antennasys.net X2 WS_FTP Server 7.6.2(29141472)
          * output stream has space
          ^C

          It also works without the -noverify option.

          Is it possible that this server has been updated to fix the problem? Or that the same DNS name connects to different servers depending on the location of the source? I’m connecting from my home network; perhaps this is an Inter- vs intranet thing?

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"
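A quick way to compare the two captures in this thread, as an added example and not code from either poster or from TLSTool: parse the `s_client` transcript for protocol, cipher, trust result and the presented chain, then report what differs between the two vantage points (server change vs. DNS steering, as the reply suggests). The sample transcripts are constructed from the output quoted above; the line formats and the "lone unsigned leaf" heuristic are assumptions about TLSTool's output.

```python
import re

# Constructed from the two TLSTool captures quoted in this thread (the 10.11.6 run in
# the question, the 10.12.2 run in the reply), trimmed to the lines parsed below.
CAPTURE_10_11 = """\
* protocol: TLS 1.2
* cipher: RSA_WITH_AES_256_GCM_SHA384
* trust result: recoverable trust failure
* certificate info:
*   0 + n/a 2048 (null) 'mail.antennasys.net'
"""
CAPTURE_10_12 = """\
* protocol: TLS 1.2
* cipher: RSA_WITH_AES_256_GCM_SHA384
* trust result: unspecified
* certificate info:
*  0 + rsaEncryption 2048 sha256-with-rsa-signature 'mail.antennasys.net'
*  1 + rsaEncryption 2048 sha256-with-rsa-signature 'DigiCert SHA2 Secure Server CA'
*  2 + rsaEncryption 2048 sha1-with-rsa-signature 'DigiCert Global Root CA'
"""

# Assumed chain line shape: "*  <idx> + <key type> <bits> <sig alg> '<subject>'".
CERT_LINE = re.compile(r"^\*\s+(\d+)\s+\+\s+(\S+)\s+(\d+)\s+(\S+)\s+'(.*)'$")
FIELD_LINE = re.compile(r"^\*\s+(protocol|cipher|trust result):\s+(.*)$")

def parse_tlstool(text):
    """Return protocol, cipher, trust result and the chain as (sig_alg, subject) pairs."""
    info = {"protocol": None, "cipher": None, "trust result": None, "chain": []}
    for line in text.splitlines():
        f, c = FIELD_LINE.match(line), CERT_LINE.match(line)
        if f:
            info[f.group(1)] = f.group(2).strip()
        elif c:
            info["chain"].append((c.group(4), c.group(5)))
    return info

def lone_unsigned_leaf(info):
    """True for the 10.11.6 shape: a single certificate with no parseable signature."""
    return len(info["chain"]) == 1 and info["chain"][0][0] in ("(null)", "n/a")

def diagnose(a, b):
    """List the server-side differences that would explain one capture failing."""
    notes = []
    if a["chain"] != b["chain"]:
        notes.append("different certificate chain presented by the server")
    if lone_unsigned_leaf(a) != lone_unsigned_leaf(b):
        notes.append("only one side received a lone self-signed leaf")
    if (a["protocol"], a["cipher"]) != (b["protocol"], b["cipher"]):
        notes.append("protocol or cipher suite differs")
    return notes or ["server side matches; the difference is in the client"]
```

`diagnose(parse_tlstool(CAPTURE_10_11), parse_tlstool(CAPTURE_10_12))` reports a different chain and a lone self-signed leaf on the 10.11.6 side, which points at the server (or the path to it) rather than at a Sierra regression.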