ATS/SSL error on a valid https request (kCFNetworkCFStreamSSLErrorOriginalValue=-9858)

We've enabled ATS restrictions in our app, and everything works fine, except sometimes, randomly, the endpoint fails. I tried to google the error codes but they seem undocumented. It's a bit hard to provide additional details as the issue is random, but I was hoping someone at Apple could clarify the error codes and possible issues.


```
Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9858, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7b0c000b4690 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9858, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9858}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://redacted.url.com, NSErrorFailingURLStringKey=https://redacted.url.com, _kCFStreamErrorDomainKey=3}

error Optional(Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9858, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7b0c000b4690 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9858, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9858}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://redacted.url.com, NSErrorFailingURLStringKey=https://redacted.url.com, _kCFStreamErrorDomainKey=3}))
```


We've tried `nscurl --ats-diagnostics` on the URL, but everything is fine (and like I said it works most of the time, the issue is just randomly happening).

Replies

> I tried to google the error codes but they seem undocumented.

FYI:

  • Error -1200 is `NSURLErrorSecureConnectionFailed`, which you can find in `<Foundation/NSURLError.h>`.
  • Error -9858 is `errSSLHandshakeFail`, which you can find in `<Security/SecureTransport.h>`.

The one that matters here is `errSSLHandshakeFail`. That’s a very generic error indicating that something went wrong during the TLS handshake. There’s no obvious way to map from that to a specific cause.

> everything works fine, except sometimes, randomly, the endpoint fails

In my experience random TLS errors like this are usually the result of network infrastructure problems. For example, I’ve worked with a number of developers with symptoms like this and they were eventually tracked down to a redirector issue, a CDN issue, and so on.

The challenge here is proving to the folks who run your network infrastructure that it’s their fault (-: The best way to do that is to get an RVI packet trace of the problem. The packet trace will show each step of the TLS handshake, and you can use that as evidence to say “In this case the server did the right thing, but in this case it didn’t.”

You can learn more about RVI packet traces in QA1176 Getting a Packet Trace.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
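Since the failure is intermittent, it helps to collect the NSError descriptions over many runs and tally them by host and underlying SSL code before pulling the packet trace. The following is an added triage script, not code from the thread or from Apple: it parses lines in the shape of the error quoted in the question, labels the two codes named in the reply (-1200 and -9858), and reports any other code numerically. The log lines are constructed samples; `https://cdn.example.com` is an assumed second host.

```python
import re
from collections import Counter

# Symbolic names for the codes identified in the reply above; anything else stays numeric.
NSURL_NAMES = {-1200: "NSURLErrorSecureConnectionFailed"}
SSL_NAMES = {-9858: "errSSLHandshakeFail"}

_NSURL_CODE = re.compile(r"Domain=NSURLErrorDomain Code=(-?\d+)")
_SSL_ORIG = re.compile(r"_kCFNetworkCFStreamSSLErrorOriginalValue=(-?\d+)")
_FAILING_URL = re.compile(r"NSErrorFailingURLKey=([^,}\s]+)")


def parse_nsurl_error(line):
    """Extract the NSURLError code, the underlying SSL code and the failing URL from one
    NSError description line. Returns None when the line is not an NSURLErrorDomain error."""
    m = _NSURL_CODE.search(line)
    if m is None:
        return None
    code = int(m.group(1))
    ssl = _SSL_ORIG.search(line)
    ssl_code = int(ssl.group(1)) if ssl else None
    url = _FAILING_URL.search(line)
    return {
        "nsurl_code": code,
        "nsurl_name": NSURL_NAMES.get(code, str(code)),
        "ssl_code": ssl_code,
        "ssl_name": SSL_NAMES.get(ssl_code, str(ssl_code)) if ssl_code is not None else None,
        "url": url.group(1) if url else None,
    }


def triage(lines):
    """Tally -1200 failures by (failing URL, underlying SSL error) so an intermittent
    handshake failure can be matched against the RVI packet trace for that host."""
    counts = Counter()
    for line in lines:
        rec = parse_nsurl_error(line)
        if rec is None or rec["nsurl_code"] != -1200:
            continue  # not a secure-connection failure; ignore for this triage
        counts[(rec["url"], rec["ssl_name"])] += 1
    return counts


# Constructed sample log lines, shaped like the error quoted in the question.
SAMPLE_LOG = [
    'Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9858, NSUnderlyingError=0x7b0c000b4690 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFNetworkCFStreamSSLErrorOriginalValue=-9858, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9858}}, NSErrorFailingURLKey=https://redacted.url.com, NSErrorFailingURLStringKey=https://redacted.url.com, _kCFStreamErrorDomainKey=3}',
    'GET https://redacted.url.com completed with status 200',
    'Error Domain=NSURLErrorDomain Code=-1001 "The request timed out." UserInfo={NSErrorFailingURLKey=https://redacted.url.com}',
    'Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9858, NSUnderlyingError=0x7b0c000b4691 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFNetworkCFStreamSSLErrorOriginalValue=-9858, _kCFStreamErrorDomainKey=3}}, NSErrorFailingURLKey=https://redacted.url.com, _kCFStreamErrorDomainKey=3}',
    'Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9858, NSUnderlyingError=0x7b0c000b4692 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFNetworkCFStreamSSLErrorOriginalValue=-9858, _kCFStreamErrorDomainKey=3}}, NSErrorFailingURLKey=https://cdn.example.com, _kCFStreamErrorDomainKey=3}',
]

if __name__ == "__main__":
    for (url, ssl_name), n in triage(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {ssl_name}  {url}")
```

Feed it your app's real logs one line at a time; a host that dominates the tally is the one to trace first.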

Thanks 🙂 Will have a look