Nsurlsession/Nsurlconnection Http Load Failed (Kcfstreamerrordomainssl, -9802)

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802) on a subdomain?

App Transport Security is not just HTTP vs HTTPS. You need to be using properly configured servers+certificates to avoid an ATS issue. From the Apple docs [1]:

The server must support at least Transport Layer Security (TLS)
protocol version 1.2. Connection ciphers are limited to those that
provide forward secrecy. Certificates must be signed using a SHA256 or
greater signature hash algorithm, with either a 2048 bit or greater
RSA key or a 256 bit or greater Elliptic-Curve (ECC) key. Invalid
certificates result in a hard failure and no connection.

If you're on OS X 10.11 (or later), you can use nscurl to troubleshoot. Pop open a terminal and run this:

/usr/bin/nscurl --ats-diagnostics https://staging.ourdomain.com

[1] https://developer.apple.com/library/ios/technotes/App-Transport-Security-Technote/index.html

HTTPS request in iOS 9 : NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
corresponds to the server not supporting "Forward Secrecy".

To work around this, add a domain exception to .plist file as follows:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>test.testdomain.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSTemporaryExceptionRequiresForwardSecrecy</key>
            <false/>
        </dict>
    </dict>
</dict>

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)

Just Add following Dict in info.plist:

<key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <true/>
        <key>NSAllowsArbitraryLoadsInWebContent</key>
        <true/>
    </dict>

Xcode 7.3: NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)

THE SSL certificate used by your server is invalid, or your server is not https at all.

Please try connecting by using http:// instead of https://

PS: I am not able to open this link in my browser, https://api.domain.com:9002

but this could have been a placeholder, so please try this.

But otherwise, there is also a way, by which you can ignore the error:

WARNING - THIS WOULD ALSO make your code vulnerable to MitM attacks, So best this is to fix your SSL on server

Set your NSURLConnection delegate as self and add below code

    - (BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace {
  return [protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust];
}

- (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
  if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust])
    if ([trustedHosts containsObject:challenge.protectionSpace.host])
      [challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust] forAuthenticationChallenge:challenge];

  [challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge];
}

FOR NSURLSESSION check this answer, NSURLSession Delegate

---

UPDATE

Above code will be vulnerable to MitM attacks,

please check this SSL Pinning for NSURLSession, for a secured way.

---

Related Topics