CFNetwork IOS9 SSLHandshake -9847

Every connection seems to fail (AFNetworking):


CFNetwork SSLHandshake failed (-9847)

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9847)


and the http://.... has been replaced with https://....


Jeeinc

Replies

Hi jeeinc,


Today I read that iOS 9 is forcing connections that are using HTTPS to be TLS 1.2 to avoid recent vulnerabilities. So you have to ensure that your web server supports this version of the protocol. Otherwise you have to disable the App Transport Security in your app by adding this code snippet to your Info.plist:

<key>NSAppTransportSecurity</key>
<dict>
  <key>NSAllowsArbitraryLoads</key>
  <true/>
</dict>


All the best,


Alex

It is worth adding that a similar problem (but with the code 9802) occurs when connecting to Amazon's AWS servers.


Amazon claim to support TLS 1.2, but I seem to remember from one of the WWDC talks that Apple want apps to connect to sites that support TLS 1.2 only, and not to sites that support both TLS 1.2 and earlier versions.


If this is true, it is a misguided policy by Apple and I have reported it as bug #21380214. Yes, connecting to TLS 1.2-only sites protects against man-in-the-middle downgrade attacks; but no site in the real world is likely to go TLS 1.2-only. The net result is that we, as developers, find ourselves using Alex's workaround everywhere, disabling the protection that Apple were trying to give us.


I suggest careful monitoring of the situation and the issuing of bug reports as appropriate.

I've also run into this issue with AWS servers. Any updates? I'd hate to disable ATS.

It does not work for me...