ATS tls_handshake[-9024] error

I am creating a hybrid iOS application using Apache Cordova. The problem is that till iOS 8.2 my application's REST services are working fine, but for higher versions of the OS I am getting a TLS error.

This is not a new question, fair enough, but I have tried every possible Cocoa key combination to bypass my http:// services and am still facing this problem. I will briefly describe the errors.

If I am setting NSAllowsArbitraryLoads to 'true', the error which I am getting is "nw_coretls_read_one_record tls_handshake_process: [-9824]", small and confusing.

If I am setting Cocoa keys like minimum TLS version and allow insecure HTTP loads, the error which I am getting is:

nw_coretls_read_one_record tls_handshake_process: [-9824]
2017-04-24 16:22:59.536 appname[63076:1462750] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
2017-04-24 16:22:59.561310 SmartPM[63076:1462718] PAC Fetch failed with error [NSURLErrorDomain:-1200]
2017-04-24 16:22:59.561649 SmartPM[63076:1462718] [] nw_proxy_resolver_create_parsed_array PAC evaluation error: NSURLErrorDomain: -1200
2017-04-24 16:23:00.109545 SmartPM[63076:1462792] [] nw_coretls_read_one_record tls_handshake_process: [-9824]
2017-04-24 16:23:00.112 SmartPM[63076:1462750] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
2017-04-24 16:23:00.219 SmartPM[63076:1462469] webView:didFailLoadWithError - -1200: An SSL error has occurred and a secure connection to the server cannot be made.


Please help me regarding this. I am tired of trying different options and have explored all blogs related to these ATS errors.

The problem is till iOS 8.2 …

I’m confused by this. Are you saying that:

  • The problem affects iOS 8.2 and later?

  • The problem affects iOS releases after 8.2?

  • The problems affects iOS 8.2 and earlier?

  • The problem affects iOS releases before 8.2?

If I am setting NSAllowsArbitraryLoads to 'true' the error which I am getting is "nw_coretls_read_one_record tls_handshake_process: [-9824]" small and confusing.

Error -9824 is errSSLPeerHandshakeFail, which is a very generic TLS error. If NSAllowsArbitraryLoads doesn’t resolve this issue, it’s not an App Transport Security issue but rather an issue with the core TLS implementation. It’s hard to say what that error might be but my guess is that it’s most likely a problem with the server’s TLS code or configuration. iOS clients are very widely deployed, so TLS errors in the client tend to cause problems and get fixed promptly.

In my experience the best next step here is to take a packet trace of the failing connection and see where things go wrong. It’s useful to compare this failing packet trace with a packet trace of a working connection.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hey eskimo,


I was trying to say this application is working fine in the iOS 8.2 simulator, but when I am using 10.2 I am getting this error. So I guessed it's due to ATS.

And on the server side Tomcat 8 is deployed. All services are HTTP and not HTTPS. Hope this helps you to guess what the issue can be.


Meanwhile I will try a packet trace.


One more question: if it is not an ATS issue, why is my application working with the iOS 8.2 simulator? 😟

Please help.


I tried Charles Proxy for a packet trace.


When using the iOS 8.2 simulator, Charles traces the HTTP request and shows the result, but when I am using the 10.2 simulator no results for HTTP requests are shown.


The -9824 error comes in the Xcode console just after the application loads and prevents calls to any HTTP services, I guess.

How can I solve this issue?


Do I have to change all HTTP services to HTTPS and install SSL certificates on the server, or is there an alternative available?


I have run nscurl --ats-diagnostics against the URL; below is the result. It comes back as FAIL for every option.


Result : FAIL

Error : Error Domain=NSURLErrorDomain Code=-1004 "Could not connect to the server." UserInfo={NSUnderlyingError=0x7ff200f222b0 {Error Domain=kCFErrorDomainCFNetwork Code=-1004 "(null)" UserInfo={_kCFStreamErrorCodeKey=61, _kCFStreamErrorDomainKey=1}}, NSErrorFailingURLStringKey=https://myURL, NSErrorFailingURLKey=https://myURL, _kCFStreamErrorDomainKey=1, _kCFStreamErrorCodeKey=61, NSLocalizedDescription=Could not connect to the server.}


Note: I have edited URL in this paragraph and changed to https://myURL.

I was trying to say this application is working fine in the iOS 8.2 simulator, but when I am using 10.2 I am getting this error. So I guessed it's due to ATS.

I’m sorry but that’s a false conclusion. If you disable ATS for your entire process using NSAllowsArbitraryLoads then ATS is not in play. It’s very likely you’re dealing with a TLS incompatibility that’s unrelated to ATS (of which there are many).

I tried Charles Proxy for a packet trace.

That’s a mistake. Debugging proxies are an excellent technology for investigating HTTP level issues (including HTTP inside TLS, that is, HTTPS) but the problem you’re having is at the TLS level. You should use an RVI packet trace to investigate this.

Is your server on the public Internet? If so, post the URL (or email it to me if you want to keep it private; my email address is in my signature) and I can take a quick look at it.

If the server is not on the public Internet then things get trickier. Post a follow up in that case and I’ll outline the next steps to take here.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks eskimo,


That's not a public URL. I will go through your steps and keep you updated.


I appreciate your effort to help me out.


Regards,

Shrish

That's not a public URL.

Bummer.

To debug this further, I recommend you download the TLSTool sample code and build it on a modern Mac. You can then run the tool like this:

$ ./TLSTool s_client -connect example.com:443
*  input stream did open
* output stream did open
* output stream has space
* protocol: TLS 1.2
* cipher: ECDHE_RSA_WITH_AES_128_GCM_SHA256
* trust result: unspecified
* certificate info:
*  0 + rsaEncryption 2048 sha256-with-rsa-signature 'www.example.org'
*  1 + rsaEncryption 2048 sha256-with-rsa-signature 'DigiCert SHA2 High Assurance Server CA'
*  2 + rsaEncryption 2048 sha1-with-rsa-signature 'DigiCert High Assurance EV Root CA'
^C

If it fails to connect, add the -noverify flag. If it still fails to connect add -min ssl3_0.

Post your results and we’ll see where that gets us.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I'm not able to run TLSTool on my system. When I change directory to TLSTool and run the command, it shows "-bash: ./TLSTool: is a directory".

I am using macOS Sierra 10.12.3.

Maybe it's due to an older version of the OS.

Here are the results from TLSTool.

1178477-C02GP1R5DV11:Debug Shrish$ ./TLSTool s_client -connect smartpm.am.health.ge.com:80
* input stream did open
* output stream did open
2017-04-28 13:30:44.453 TLSTool[11871:271959] CFNetwork SSLHandshake failed (-9806)
* error NSOSStatusErrorDomain / -9806
* bytes sent 0, bytes received 0

With -noverify:

1178477-C02GP1R5DV11:Debug Shrish$ ./TLSTool s_client -connect smartpm.am.health.ge.com:80 -noverify
* input stream did open
* output stream did open
2017-04-28 13:41:34.461 TLSTool[12071:279652] CFNetwork SSLHandshake failed (-9806)
* error NSOSStatusErrorDomain / -9806
* bytes sent 0, bytes received 0

With -noverify and -min ssl:

1178477-C02GP1R5DV11:Debug Shrish$ ./TLSTool s_client -connect smartpm.am.health.ge.com:80 -noverify -min ssl3_0
* input stream did open
* output stream did open
2017-04-28 13:41:49.052 TLSTool[12075:279815] CFNetwork SSLHandshake failed (-9806)
* error NSOSStatusErrorDomain / -9806
* bytes sent 0, bytes received 0
1178477-C02GP1R5DV11:Debug Shrish$

With min and max ssl:

1178477-C02GP1R5DV11:Debug Shrish$ ./TLSTool s_client -connect smartpm.am.health.ge.com:80 -noverify -min ssl3_0 -max ssl3_0
* input stream did open
* output stream did open
2017-04-28 13:49:20.791 TLSTool[12196:283588] CFNetwork SSLHandshake failed (-9806)
* error NSOSStatusErrorDomain / -9806
* bytes sent 0, bytes received 0


The services to the backend are bound like this:


http://smartpm.am.health.ge.com:80/SmartPM/service/user/blah-blah


Without '/SmartPM/' after port 80 the URL is incomplete.

$ ./TLSTool s_client -connect smartpm.am.health.ge.com:80

I’m very confused by this. Are you running HTTPS on port 80? That’s the port for HTTP. I usually see HTTPS running over port 443.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

It's HTTP only, not HTTPS.


I have already mentioned all services are HTTP only.

Will HTTP services not work after iOS 9?

Ah, sorry, I misunderstood.

You need to go back and take another look at NSAllowsArbitraryLoads. That should disable ATS entirely, allowing HTTP connections to go through. That key does work, so if it’s not working properly in your case then there’s something wrong with the way you’ve set it.

If you can’t get it working please post a dump of the Info.plist from the built application. Here’s an example for a test app I just built:
$ plutil -convert xml1 -o /dev/stderr /Users/quinn/Desktop/xxsi/build/Debug-iphoneos/xxsi.app/Info.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    …
    <key>CFBundleIdentifier</key>
    <string>com.example.apple-samplecode.eskimo1.xxsi</string>
    <key>CFBundleShortVersionString</key>
    <string>1.0</string>
    …
</plist>

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi,


Sorry for the late reply.


Below is the Info.plist file.


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>NSAppTransportSecurity</key>
    <dict>
      <key>NSAllowsArbitraryLoads</key>
      <true/>
    </dict>
    <key>CFBundleDevelopmentRegion</key>
    <string>English</string>
    <key>CFBundleDisplayName</key>
    <string>SmartPM</string>
    <key>CFBundleExecutable</key>
    <string>${EXECUTABLE_NAME}</string>
    <key>CFBundleIcons</key>
    <dict/>
    <key>CFBundleIcons~ipad</key>
    <dict/>
    <key>CFBundleIdentifier</key>
    <string>com.ge.smartpm</string>
    <key>CFBundleInfoDictionaryVersion</key>
    <string>6.0</string>
    <key>CFBundleName</key>
    <string>${PRODUCT_NAME}</string>
    <key>CFBundlePackageType</key>
    <string>APPL</string>
    <key>CFBundleShortVersionString</key>
    <string>1.0.0</string>
    <key>CFBundleSignature</key>
    <string>????</string>
    <key>CFBundleVersion</key>
    <string>1.0.0</string>
    <key>LSRequiresIPhoneOS</key>
    <true/>
    <key>NSMainNibFile~ipad</key>
    <string/>
    <key>UIRequiresFullScreen</key>
    <true/>
    <key>UISupportedInterfaceOrientations</key>
    <array>
      <string>UIInterfaceOrientationPortrait</string>
      <string>UIInterfaceOrientationLandscapeLeft</string>
      <string>UIInterfaceOrientationLandscapeRight</string>
    </array>
    <key>UISupportedInterfaceOrientations~ipad</key>
    <array>
      <string>UIInterfaceOrientationPortrait</string>
      <string>UIInterfaceOrientationLandscapeLeft</string>
      <string>UIInterfaceOrientationPortraitUpsideDown</string>
      <string>UIInterfaceOrientationLandscapeRight</string>
    </array>
  </dict>
</plist>



Let me know if there is some error.


This Info.plist is automatically created by the Apache Cordova build.


Regards,

Shrish
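As an added example (not part of the thread, and not Apple's or Cordova's code), a small Python check that reads a built Info.plist the way Quinn asks for one and reports its ATS posture: whether NSAllowsArbitraryLoads switches ATS off for the whole process, as in the plist posted above, or whether plain HTTP is permitted only for named hosts via the scoped NSExceptionDomains / NSExceptionAllowsInsecureHTTPLoads keys. Both sample plists and the backend.example.com host are constructed for the example.

```python
import plistlib

# Constructed sample 1: ATS disabled process-wide, as in the posted Info.plist.
GLOBAL_OPT_OUT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict><key>NSAllowsArbitraryLoads</key><true/></dict>
</dict>
</plist>"""

# Constructed sample 2: the narrower form, a plain-HTTP exception for one
# backend host (placeholder name) while ATS stays on for everything else.
PER_DOMAIN_EXCEPTION = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>backend.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSIncludesSubdomains</key><true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>"""

def ats_summary(plist_bytes):
    """Report the ATS posture an Info.plist declares."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    domains = ats.get("NSExceptionDomains", {})
    return {
        "arbitrary_loads": bool(ats.get("NSAllowsArbitraryLoads", False)),
        # host -> whether the exception also covers its subdomains
        "insecure_http_domains": {
            host: bool(cfg.get("NSIncludesSubdomains", False))
            for host, cfg in domains.items()
            if cfg.get("NSExceptionAllowsInsecureHTTPLoads", False)
        },
    }

def plain_http_allowed(plist_bytes, host):
    summary = ats_summary(plist_bytes)  # the process-wide opt-out wins
    return summary["arbitrary_loads"] or any(
        host == d or (subs and host.endswith("." + d))
        for d, subs in summary["insecure_http_domains"].items()
    )
```

Point it at the output of plutil -convert xml1 on the built app's Info.plist to confirm which of the two postures the build actually shipped with.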
