I had a related issue a while ago explained in this thread. Now, when trying to connect to s3.amazonaws.com, I'm getting a -9802 error. As per the other thread, I used TLSTool to help discover the security settings for the problematic URL, "https://s3.amazonaws.com/...":
$ TLSTool s_client -connect s3.amazonaws.com:443
* input stream did open
* output stream did open
* output stream has space
* protocol: TLS 1.2
* cipher: ECDHE_RSA_WITH_AES_128_CBC_SHA
* trust result: unspecified
* certificate subjects:
* 0 s3.amazonaws.com
* 1 VeriSign Class 3 Secure Server CA - G3
* 2 VeriSign Class 3 Public Primary Certification Authority - G5
* input stream has bytes
* input stream end
* close
* bytes sent 0, bytes received 0
Note that the protocol is TLSv1.2 and that the cipher is in the approved list in the Apple Doc specifying the requirements.
Then, I tried playing around with exception settings in my plist, and found the magic values (actually, not sure I need the NSIncludesSubdomains):
<key>s3.amazonaws.com</key>
<dict>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>
</dict>
What's up? Why do I need NSExceptionRequiresForwardSecrecy when the site uses ECDHE_RSA_WITH_AES_128_CBC_SHA (on the list of approved forward secrecy ciphers) - bug? Am I missing some other red flag in the TLSTool output?
[I'm using the latest Xcode 7b4 ...]
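An added example, not part of the original post: an offline checker that evaluates a handshake summary against the ATS defaults one requirement at a time, since TLSTool shows the protocol and cipher but not the certificate signature hashes or key sizes that ATS also enforces. The protocol and cipher below are the ones TLSTool printed above; the signature hashes and key size are constructed values, and the forward-secrecy suite list is the one Apple documented for iOS 9.

```python
# Added example (not from the original post): evaluate a TLS handshake summary
# against the App Transport Security (ATS) defaults one requirement at a time.
from dataclasses import dataclass
from typing import List

# Forward-secrecy suites ATS accepts by default, in the TLSTool spelling
# (no "TLS_" prefix). Taken from Apple's ATS documentation for iOS 9.
ATS_FS_CIPHERS = {
    "ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "ECDHE_RSA_WITH_AES_256_CBC_SHA384", "ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "ECDHE_RSA_WITH_AES_128_CBC_SHA",
}
TLS_ORDER = ["TLS 1.0", "TLS 1.1", "TLS 1.2"]

@dataclass
class Handshake:
    protocol: str          # as TLSTool prints it, e.g. "TLS 1.2"
    cipher: str            # as TLSTool prints it
    sig_hashes: List[str]  # signature hash of each non-root chain cert, e.g. "sha1"
    key_type: str          # leaf key type: "RSA" or "EC"
    key_bits: int          # leaf key size

def ats_violations(hs, requires_forward_secrecy=True, minimum_tls="TLS 1.2"):
    """Return the ATS requirements this handshake fails (empty list = accepted).
    The keyword arguments mirror NSExceptionRequiresForwardSecrecy and
    NSExceptionMinimumTLSVersion from an NSExceptionDomains entry."""
    problems = []
    if TLS_ORDER.index(hs.protocol) < TLS_ORDER.index(minimum_tls):
        problems.append(f"protocol {hs.protocol} below {minimum_tls}")
    if requires_forward_secrecy and hs.cipher not in ATS_FS_CIPHERS:
        problems.append(f"cipher {hs.cipher} lacks forward secrecy")
    # Certificate checks apply regardless of the two exception keys above.
    weak = [h for h in hs.sig_hashes if h.lower() in ("md5", "sha1")]
    if weak:
        problems.append(f"chain signed with {', '.join(weak)}; need SHA-256 or better")
    if hs.key_type == "RSA" and hs.key_bits < 2048:
        problems.append(f"RSA key {hs.key_bits} bits < 2048")
    if hs.key_type == "EC" and hs.key_bits < 256:
        problems.append(f"EC key {hs.key_bits} bits < 256")
    return problems

# Constructed inputs: the protocol and cipher are those TLSTool printed in the
# post; the signature hashes and key size are made-up values for illustration.
SEEN = Handshake("TLS 1.2", "ECDHE_RSA_WITH_AES_128_CBC_SHA", ["sha256", "sha256"], "RSA", 2048)
SHA1_CHAIN = Handshake("TLS 1.2", "ECDHE_RSA_WITH_AES_128_CBC_SHA", ["sha256", "sha1"], "RSA", 2048)

if __name__ == "__main__":
    for name, hs in (("as seen", SEEN), ("sha1 intermediate", SHA1_CHAIN)):
        print(name, ats_violations(hs) or "accepted by ATS defaults")
```

Running it shows that the protocol and cipher from the TLSTool output satisfy the default policy on their own, so a remaining -9802 points at a requirement TLSTool does not display, such as the chain's signature hashes.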