CFNetwork SSLHandshake failed (-9806)

Hi,

We are getting the above error when trying to connect to mobile.betway.com from UIWebView. This is reproducible 10% of the time on a stable wifi network and about 60% of the time when switching from wifi to 4G or other network. We have tried adding an exception in the plist but the result is the same. The website is however ATS compliant (https://www.ssllabs.com/ssltest/analyze.html?d=mobile.betway.com) and here is the ats-diagnosis:


nscurl --ats-diagnostics http://mobile.betway.com

Starting ATS Diagnostics

Configuring ATS Info.plist keys and displaying the result of HTTPS loads to https://mobile.betway.com.
A test will "PASS" if URLSession:task:didCompleteWithError: returns a nil error.
Use '--verbose' to view the ATS dictionaries used and to display the error received in URLSession:task:didCompleteWithError:.
================================================================================

Default ATS Secure Connection
---
ATS Default Connection
Result : PASS
---

================================================================================

Allowing Arbitrary Loads

---
Allow All Loads
Result : PASS
---

================================================================================

Configuring TLS exceptions for mobile.betway.com

---
TLSv1.2
Result : PASS
---

---
TLSv1.1
Result : PASS
---

---
TLSv1.0
Result : PASS
---

================================================================================

Configuring PFS exceptions for mobile.betway.com

---
Disabling Perfect Forward Secrecy
Result : PASS
---

================================================================================

Configuring PFS exceptions and allowing insecure HTTP for mobile.betway.com

---
Disabling Perfect Forward Secrecy and Allowing Insecure HTTP
Result : PASS
---

================================================================================

Configuring TLS exceptions with PFS disabled for mobile.betway.com

---
TLSv1.2 with PFS disabled
Result : PASS
---

---
TLSv1.1 with PFS disabled
Result : PASS
---

---
TLSv1.0 with PFS disabled
Result : PASS
---

================================================================================

Configuring TLS exceptions with PFS disabled and insecure HTTP allowed for mobile.betway.com

---
TLSv1.2 with PFS disabled and insecure HTTP allowed
Result : PASS
---

---
TLSv1.1 with PFS disabled and insecure HTTP allowed
Result : PASS
---

---
TLSv1.0 with PFS disabled and insecure HTTP allowed
Result : PASS
---

================================================================================

Replies

Error -9806 is errSSLClosedAbort, a very generic TLS error that indicates that the TLS connection closed due to a networking error. Given that things work most of the time, this clearly isn’t an ATS restriction (ATS’s enhanced security requirements apply to every connection). In my experience intermittent issues like this are usually caused by server-side problems, and a common subcategory of that is issues with your load balancer or redirector. The next step is to debug this at the packet trace level, preferably with input from whoever runs your server.

You can get a packet trace from the iOS device’s perspective — an RVI packet trace — using the instructions in QA1176 Getting a Packet Trace.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
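
Added example, not part of the original thread and not Apple tooling: a small Python probe that repeats the TLS handshake against every address a host name resolves to and groups the outcomes per address, one way to check the load-balancer hypothesis from the reply before taking a packet trace. The outcome labels, the 0.2 threshold, the function names and the sample addresses are assumptions made for illustration.

```python
import collections
import socket
import ssl

def handshake_once(ip, server_name, port=443, timeout=5.0):
    """One TLS handshake against one address; returns an outcome label."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name):
                return "ok"
    except ssl.SSLCertVerificationError:
        return "cert_error"
    except (ssl.SSLEOFError, ConnectionResetError, BrokenPipeError):
        return "closed_abort"  # peer dropped the connection mid-handshake
    except socket.timeout:
        return "timeout"
    except ssl.SSLError:
        return "tls_error"  # alert or protocol failure reported by the TLS layer
    except OSError:
        return "network_error"

def probe(server_name, rounds=20, port=443):
    """Handshake repeatedly with every address the name resolves to."""
    infos = socket.getaddrinfo(server_name, port, type=socket.SOCK_STREAM)
    ips = sorted({info[4][0] for info in infos})
    return [(ip, handshake_once(ip, server_name, port))
            for _ in range(rounds) for ip in ips]

def summarize(results):
    """Group (ip, outcome) pairs into per-address attempt and failure counts."""
    per_ip = collections.defaultdict(collections.Counter)
    for ip, outcome in results:
        per_ip[ip][outcome] += 1
    report = {}
    for ip, counts in per_ip.items():
        total = sum(counts.values())
        failed = total - counts["ok"]
        report[ip] = {"attempts": total, "failed": failed,
                      "rate": failed / total, "outcomes": dict(counts)}
    return report

def suspect_backends(report, threshold=0.2):
    """Addresses whose failure rate meets the (assumed) threshold."""
    return sorted(ip for ip, r in report.items() if r["rate"] >= threshold)

# Constructed sample results (documentation addresses), not real measurements.
SAMPLE = ([("192.0.2.10", "ok")] * 9 + [("192.0.2.10", "closed_abort")]
          + [("192.0.2.11", "ok")] * 4 + [("192.0.2.11", "closed_abort")] * 6)

if __name__ == "__main__":
    print(suspect_backends(summarize(SAMPLE)))  # swap SAMPLE for probe("your.host")
```

Failures concentrated on one address point at a single backend; failures spread evenly across addresses, or a single address fronting several nodes, leave the packet trace as the way to tell them apart.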