I'm having a problem connecting to a server with a self-signed certificate using CFNetwork on 10.12. I can reproduce the problem with the TLS Tool sample code; setting its launch arguments to "s_client -connect mail.antennasys.net:990 -noverify" and running on 10.11.6 yields:
* input stream did open
* output stream did open
* input stream has bytes
* protocol: TLS 1.2
* cipher: RSA_WITH_AES_256_GCM_SHA384
* trust result: recoverable trust failure
* certificate info:
* 0 + n/a 2048 (null) 'mail.antennasys.net'
220 ftp.antennasys.net X2 WS_FTP Server 7.6.2(64998024)
* output stream has space
On 10.12.2 I get:
* input stream did open
* output stream did open
2016-12-14 12:00:12.978490 TLSTool[1811:45353] CFNetwork SSLHandshake failed (-9807)
* error NSOSStatusErrorDomain / -9807
* bytes sent 0, bytes received 0
Program ended with exit code: 1
Is this a bug in 10.12, or is there something about this server and/or certificate that is no longer supported?
Note: I've reported this as Radar 29663330