NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802) error in https connection

In iOS 9, I am hitting a request for the URL using basic NSURLConnection.

NSOperationQueue *completionQueue = [NSOperationQueue mainQueue];
NSURLSessionConfiguration *configuration = [NSURLSessionConfiguration defaultSessionConfiguration];
self.mURLSession = [NSURLSession sessionWithConfiguration:configuration delegate:nil delegateQueue:completionQueue];

NSURLRequest *request = [NSURLRequest requestWithURL:[NSURL URLWithString:@""]];
NSURLSessionDataTask *dataTask = [self.mURLSession dataTaskWithRequest:request completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
    // The TLS failure is delivered here as the NSError argument
    if (error) {
        NSLog(@"Request failed: %@", error);
    }
}];
[dataTask resume];

But I am getting this error:

Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSUnderlyingError=0x7c1075e0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorCodeKey=-9802, _kCFStreamErrorDomainKey=3, kCFStreamPropertySSLPeerTrust=, kCFStreamPropertySSLPeerCertificates={type = immutable, count = 3, values = (
0 :
1 :
2 :
)}}}, _kCFStreamErrorCodeKey=-9802, NSErrorFailingURLStringKey=, NSErrorPeerCertificateChainKey={type = immutable, count = 3, values = (
0 :
1 :
2 :
)}, NSErrorClientCertificateStateKey=0, NSURLErrorFailingURLPeerTrustErrorKey=, NSErrorFailingURLKey=}

Even though this is an HTTPS connection, why am I getting this strange error? Can anyone please let me know?


As per the Apple tech note, App Transport Security requires SHA-2. The S3 (and CloudFront) certificates are using SHA-1, which is why this failure is occurring.

The workaround is to set the NSExceptionRequiresForwardSecrecy to false. (This is until AWS moves to SHA-2 (by September 30th, 2015)).
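
The exception named in the answer above, as an added Info.plist fragment that is not part of the original post: it applies the setting to one host only, so App Transport Security stays at its defaults for every other connection. The host `files.example.com` is a placeholder, since the post does not give the failing domain.

```xml
<!-- Added example: goes inside the top-level <dict> of the app's Info.plist -->
<key>NSAppTransportSecurity</key>
<dict>
    <!-- Per-host exceptions; NSAllowsArbitraryLoads is deliberately not set,
         because it would switch ATS off for all hosts -->
    <key>NSExceptionDomains</key>
    <dict>
        <!-- Placeholder host: replace with the exact domain the request fails on -->
        <key>files.example.com</key>
        <dict>
            <!-- The workaround from the answer: relax only the
                 forward-secrecy requirement for this one host -->
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
        </dict>
    </dict>
</dict>
```

Because the answer describes this as a temporary workaround, the entry should be removed once the server's certificates meet the ATS requirements, which restores the default policy for that host.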

