SSLHandshake error -9807 on Sierra but not on Yosemite

I'm having a problem connecting to a server with a self-signed certificate using CFNetwork on 10.12. I can reproduce the problem with the TLS Tool sample code; setting its launch arguments to "s_client -connect mail.antennasys.net:990 -noverify" and running on 10.11.6 yields:


* input stream did open
* output stream did open
* input stream has bytes
* protocol: TLS 1.2
* cipher: RSA_WITH_AES_256_GCM_SHA384
* trust result: recoverable trust failure
* certificate info:
* 0 + n/a 2048 (null) 'mail.antennasys.net'
220 ftp.antennasys.net X2 WS_FTP Server 7.6.2(64998024)
* output stream has space


On 10.12.2 I get:


* input stream did open
* output stream did open
2016-12-14 12:00:12.978490 TLSTool[1811:45353] CFNetwork SSLHandshake failed (-9807)
* error NSOSStatusErrorDomain / -9807
* bytes sent 0, bytes received 0
Program ended with exit code: 1


Is this a bug in 10.12, or is there something about this server and/or certificate that is no longer supported?

Note: I've reported this as Radar 29663330

Replies

I just tried this here in my office and it connected just fine:

$ sw_vers
ProductName:    Mac OS X
ProductVersion: 10.12.2
BuildVersion:  16C67
$
$ TLSTool s_client -connect mail.antennasys.net:990 -noverify
*  input stream did open
* output stream did open
*  input stream has bytes
* protocol: TLS 1.2
* cipher: RSA_WITH_AES_256_GCM_SHA384
* trust result: unspecified
* certificate info:
*  0 + rsaEncryption 2048 sha256-with-rsa-signature 'mail.antennasys.net'
*  1 + rsaEncryption 2048 sha256-with-rsa-signature 'DigiCert SHA2 Secure Server CA'
*  2 + rsaEncryption 2048 sha1-with-rsa-signature 'DigiCert Global Root CA'
220 ftp.antennasys.net X2 WS_FTP Server 7.6.2(29141472)
* output stream has space
^C

It also works without the -noverify option.

Is it possible that this server has been updated to fix the problem? Or that the same DNS name connects to different servers depending on the location of the source? I’m connecting from my home network; perhaps this is an Inter- vs intranet thing?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
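
Added example (not part of either post, and not TLS Tool's own code): one way to check whether two vantage points reached the same server is to diff their successful TLS Tool transcripts field by field. The two transcripts are copied from the posts above; the meaning given to the certificate columns is an assumption inferred from that output.

```python
import re

# Transcripts copied from the posts above: A = 10.11.6 run, B = the reply's run.
RUN_A = """\
* protocol: TLS 1.2
* cipher: RSA_WITH_AES_256_GCM_SHA384
* trust result: recoverable trust failure
* certificate info:
* 0 + n/a 2048 (null) 'mail.antennasys.net'
220 ftp.antennasys.net X2 WS_FTP Server 7.6.2(64998024)
"""
RUN_B = """\
* protocol: TLS 1.2
* cipher: RSA_WITH_AES_256_GCM_SHA384
* trust result: unspecified
* certificate info:
*  0 + rsaEncryption 2048 sha256-with-rsa-signature 'mail.antennasys.net'
*  1 + rsaEncryption 2048 sha256-with-rsa-signature 'DigiCert SHA2 Secure Server CA'
*  2 + rsaEncryption 2048 sha1-with-rsa-signature 'DigiCert Global Root CA'
220 ftp.antennasys.net X2 WS_FTP Server 7.6.2(29141472)
"""

# Assumed column layout: index, '+', key algorithm, key bits, signature algorithm, 'subject'.
CERT_LINE = re.compile(r"^\*\s+(\d+)\s+\+\s+(\S+)\s+(\d+)\s+(\S+)\s+'(.*)'$")
FIELD_LINE = re.compile(r"^\*\s+(protocol|cipher|trust result):\s+(.*)$")

def parse_transcript(text):
    """Extract negotiated parameters, the presented chain and the server banner."""
    info = {"chain": [], "banner": None}
    for line in text.splitlines():
        line = line.strip()
        if (m := CERT_LINE.match(line)):
            info["chain"].append((m.group(2), int(m.group(3)), m.group(4), m.group(5)))
        elif (m := FIELD_LINE.match(line)):
            info[m.group(1)] = m.group(2)
        elif not line.startswith("*") and line[:3].isdigit():
            info["banner"] = line  # first application-layer reply, e.g. the FTP 220 greeting
    return info

def differences(a, b):
    """Return the sorted field names on which two parsed transcripts disagree."""
    return sorted(k for k in set(a) | set(b) if a.get(k) != b.get(k))

if __name__ == "__main__":
    a, b = parse_transcript(RUN_A), parse_transcript(RUN_B)
    for key in differences(a, b):
        print(f"{key}:\n  A: {a.get(key)}\n  B: {b.get(key)}")
```

For these two runs the protocol and cipher agree, while the chain length, the trust result and the number in the banner all differ.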