Ryan Fung - 2 months ago
iOS Question

kCFStreamErrorDomainSSL, -9802 when connecting to a server by IP address through HTTPS in iOS 9

We have an iOS app that connects to our server through HTTPS. When the app is built with the new iOS 9 SDK and run under iOS 9, the following error occurs:

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)


The app uses AFNetworking 1.3.4 with pinned certs. The problem occurs if I connect to the server with its IP address. It works if I add the NSAllowsArbitraryLoads config, or if I connect to the server with its domain name.

The Tomcat connector is configured with sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2".

I have tried overriding the host name but it doesn't seem to change anything.

I can't find much official documentation on ATS yet. Maybe connecting with IP address is not supposed to work?

Answer

iOS 9 requires the server to only support TLSv1.2 and support perfect forward security.

Also required is for the app to support IPv6 including not using hard-coded IP addresses. Suggested is to use NSURLSession. Otherwise exception additions must be made in the app plist.

See the WWDC-15 session "Security and your Apps".

Also see Steven Peterson's Blog for details.
