kCFStreamErrorDomainSSL -9807 error

I'm having issues when loading some of our company's websites using the iOS 9 GM in UIWebViews. One of the specific websites is talentworks.becpsn.com


I've tried multiple combinations of ATS, including arbitrary loads and the forward secrecy exception mentioned in similar posts.


<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>talentworks.becpsn.com</key>
        <dict>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
            <false/>
        </dict>
    </dict>
</dict>




class is not key value coding-compliant for the key barStyle.

2015-09-15 19:43:25.978 Globe[36381:6181648] CFNetwork diagnostics log file created at: /Users/gjandrejko/Library/Developer/CoreSimulator/Devices/AE9FD741-AF4B-49F7-B861-733FECA0063B/data/Containers/Data/Application/A8EE5393-7AB5-4638-8DEC-320159E2FF4B/Library/Logs/CrashReporter/CFNetwork_com.bechtel.poma..Globe_36381.nwlrb.log

2015-09-15 19:43:26.348 Globe[36381:6181669] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9807)

2015-09-15 19:43:26.352 Globe[36381:6181603] ERROR:Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “talentworks.becpsn.com” which could put your confidential information at risk." UserInfo={NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “talentworks.becpsn.com” which could put your confidential information at risk., NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x787beb40 {Error Domain=kCFErrorDomainCFNetwork Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “talentworks.becpsn.com” which could put your confidential information at risk." UserInfo={NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “talentworks.becpsn.com” which could put your confidential information at risk., _kCFNetworkCFStreamSSLErrorOriginalValue=-9807, _kCFStreamPropertySSLClientCertificateState=0, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorCodeKey=-9807, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x79985740>, _kCFStreamErrorDomainKey=3, kCFStreamPropertySSLPeerCertificates=<CFArray 0x786ae5c0 [0x22eb098]>{type = immutable, count = 4, values = (

0 : <cert(0x799835f0) s: MSAN.becpsn.com i: IEXTCA-SSL.ibechtel.com>

1 : <cert(0x79983cc0) s: IEXTCA-SSL.ibechtel.com i: Bechtel External Policy CA 1>

2 : <cert(0x79984150) s: Bechtel External Policy CA 1 i: Baltimore CyberTrust Root>

3 : <cert(0x79985220) s: Baltimore CyberTrust Root i: Baltimore CyberTrust Root>

)}, NSErrorFailingURLStringKey=https:/

0 : <cert(0x799835f0) s: MSAN.becpsn.com i: IEXTCA-SSL.ibechtel.com>

1 : <cert(0x79983cc0) s: IEXTCA-SSL.ibechtel.com i: Bechtel External Policy CA 1>

2 : <cert(0x79984150) s: Bechtel External Policy CA 1 i: Baltimore CyberTrust Root>

3 : <cert(0x79985220) s: Baltimore CyberTrust Root i: Baltimore CyberTrust Root>

)}, NSErrorClientCertificateStateKey=0, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x79985740>, NSErrorFailingURLKey=https://talentworks.becpsn.com/}

We've been stuck for several days on this issue. Any help would be greatly appreciated.

Replies

Error -9807 is errSSLXCertChainInvalid, meaning there’s a trust evaluation problem. This isn’t an ATS issue because even when you disable all of ATS (via the property list additions shown below) things still fail.
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

I poked around this for a bit and iOS 9 really doesn’t like the MSAN.becpsn.com leaf certificate. Trust evaluation works just fine on the intermediates leading to that, but always fails on the leaf. SecTrustCopyProperties returns this:
(
    {
        type = error;
        value = "Policy requirements not met.";
    }
)

The policy complaining is the basic X.509 policy, not the TLS policy, because if I do a manual trust evaluation using SecPolicyCreateBasicX509 I get the same result.

Looking through the leaf certificate I can’t see why it would fail the basic X.509 policy. iOS 9 is pretty strict about following the rules in RFC 5280, but I can’t see any place where the leaf is breaking those rules.

Finally, I should note that accessing talentworks.becpsn.com from Safari on iOS 9 also fails, so this isn’t just restricted to your app.

You should definitely file a bug about this. Even if the problem is caused by an obscure error in your server’s certificate chain, this still belongs in Radar as a compatibility concern. Once you’ve filed a bug, please post your bug number, just for the record.

Finally, there are a few more checks I can run for this but I don’t have time in the context of DevForums. If you open a DTS tech support incident, I can dig deeper into this.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I opened a DTS ticket: 628342917. Can you dig deeper and run your additional checks?

FYI, iOS 9 has a confirmed problem (bug) with the X509v3 Name Constraints extension (OID 2.5.29.30), and your Bechtel External Policy CA 1 uses these constraints. This has also hit us, as our CA uses constraints, so our apps now return a -9802 error, even though on 10.11 nscurl --ats-diagnostics goes well.

So currently the only workaround is either to wait for an iOS hotfix for that or to use a CA/certs without such constraints.

FYI iOS 9 has confirmed problem (bug) with X509v3 Name Constraints …

Do you have a bug number for that?

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Do you have a bug number for that?

OK, to answer my own question, this is (r. 22722531).

iOS 9 has started enforcing the Name Constraint extension as part of the Basic X.509 trust policy (SecPolicyCreateBasicX509). This affects HTTPS server trust evaluation and pretty much every other trust evaluation on the system.

There’s at least one bug in how iOS 9 handles this but, beyond that, the complexity of the relevant standards means that the Name Constraint extension is set up in lots of different ways in the real world, some of which we would consider to be incorrect. We plan to resolve this issue in a future version of iOS by a) fixing the things that are definitely bugs, and b) being a little less aggressive in how we enforce this trust policy.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
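The post above explains that the failure comes from enforcing the Name Constraints extension, and that real-world CAs encode it in ways verifiers disagree on. The following is an added example, not code from the thread or from Apple: a small pure-Python matcher that applies RFC 5280 section 4.2.1.10 semantics (dNSName and iPAddress subtrees, excluded subtrees winning over permitted ones, every CA in the chain constraining the leaf) to a leaf's subjectAltName entries. The CA constraints and leaf names are constructed sample values for illustration; the thread does not disclose what Bechtel External Policy CA 1 actually permits, so nothing here describes that CA.

```python
"""Name-constraint check for a leaf certificate, in the spirit of RFC 5280 4.2.1.10.

Added example. Inputs are plain Python values rather than parsed ASN.1 so the
matching rules can be read and run on their own.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample: a hypothetical issuing CA whose NameConstraints extension
# permits example.com (and subdomains) plus one IPv4 block, and excludes a sub-zone.
# Illustrative values only; they are not the real constraints behind the thread.
CA_CONSTRAINTS: Dict[str, Dict[str, List[str]]] = {
    "permitted": {"dns": ["example.com"], "ip": ["192.0.2.0/24"]},
    "excluded": {"dns": ["internal.example.com"], "ip": []},
}


def dns_matches(name: str, subtree: str) -> bool:
    """A dNSName satisfies a subtree when the subtree's labels are a suffix of the
    name's labels: www.host.example.com is inside host.example.com, host1.example.com
    is not. A leading-dot subtree (".example.com") is not RFC 5280 syntax but shows
    up in real CAs; it is read here as 'subdomains only', one of the interpretations
    verifiers differ on."""
    n = name.lower().rstrip(".")
    s = subtree.lower().rstrip(".")
    if s.startswith("."):
        return n.endswith(s) and len(n) > len(s)
    return n == s or n.endswith("." + s)


def ip_matches(addr: str, subtree: str) -> bool:
    """iPAddress subtrees are encoded as address plus mask; written in CIDR here."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(subtree, strict=False)


MATCHERS = {"dns": dns_matches, "ip": ip_matches}


def check_name(kind: str, value: str, constraints: Dict[str, Dict[str, List[str]]]) -> Optional[str]:
    """Return None if the name is acceptable under one CA's constraints, else a reason.
    Excluded subtrees take precedence; an empty permitted list for a name type leaves
    that type unconstrained."""
    match = MATCHERS[kind]
    for sub in constraints["excluded"].get(kind, []):
        if match(value, sub):
            return f"{kind} {value} is in excluded subtree {sub}"
    permitted = constraints["permitted"].get(kind, [])
    if permitted and not any(match(value, sub) for sub in permitted):
        return f"{kind} {value} is not in any permitted subtree {permitted}"
    return None


def check_leaf(leaf_names: List[Tuple[str, str]],
               ca_chain: List[Dict[str, Dict[str, List[str]]]]) -> List[str]:
    """leaf_names: (kind, value) pairs from the leaf's subjectAltName (many verifiers
    also treat a DNS-looking CN this way when there is no SAN). ca_chain: the
    NameConstraints of every CA above the leaf; each CA's constraints apply, so the
    effective permitted set is their intersection. Returns the list of violations;
    an empty list means the leaf passes this part of the path validation."""
    problems: List[str] = []
    for constraints in ca_chain:
        for kind, value in leaf_names:
            if kind not in MATCHERS:
                continue  # rfc822Name, URI and directoryName subtrees are not modelled here
            reason = check_name(kind, value, constraints)
            if reason:
                problems.append(reason)
    return problems


if __name__ == "__main__":
    # Constructed leaf: one SAN that is fine, one in the excluded zone, one outside the
    # permitted domain, one IP in range and one out of range.
    leaf = [
        ("dns", "talentworks.example.com"),
        ("dns", "www.internal.example.com"),
        ("dns", "example.org"),
        ("ip", "192.0.2.10"),
        ("ip", "198.51.100.1"),
    ]
    for line in check_leaf(leaf, [CA_CONSTRAINTS]) or ["leaf satisfies all name constraints"]:
        print(line)
```

When a chain fails with -9807 and the issuing CA carries Name Constraints, walk the leaf's SAN entries through the constraints of every CA above it the way check_leaf does; a name that only passes under the leading-dot reading, or a SAN type the CA constrains but the leaf encodes differently, is the kind of "set up in lots of different ways" case the post describes.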

I'm also experiencing this problem in iOS 10. I got 'kCFStreamErrorDomainSSL, -9807' error. My code works fine in iOS 9.X but the problem appears in iOS 10.X. What should I do to solve this problem?


Any help would be appreciated.

As I explained earlier, error -9807 is errSSLXCertChainInvalid, which indicates that there’s a problem with TLS server trust evaluation. Trust evaluation can fail for a variety of reasons, and it’s unlikely that the underlying cause is the same as gjandrejko was seeing.

Please do some debugging and, if that doesn’t reveal the problem, start a new thread with your results. Specifically:

  1. Create a small test app that fetches a resource from your server and see if that reproduces the problem.

  2. If so, disable ATS on that app to see if that improves things.

  3. If you’re still having problems, grab a copy of the TLSTool sample code, run it against your server as shown below (substituting your server name and port for example.com:443), then post the results.

$ TLSTool s_client -connect example.com:443 -noverify -showcerts

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Was a new thread opened on this by chance? If so, I'd appreciate a link. Thanks.

Your comment (and the README for TLSTool) imply there is a TLSTool executable somewhere in the downloaded sample code. That doesn't appear to be the case.


From the README:

1. In Terminal, change into the directory containing the tool.


Which directory? I tried every directory, but no directories contain a TLSTool executable file.


UPDATE:

Never mind, it appears that after building and running the project the executable can be found in

/Users/username/Library/Developer/Xcode/DerivedData/TLSTool-dfqcdkbvosmskwbfeeojfkxrcgyf/Build/Products/Debug