Search code examples
iossslafnetworkingios9

Host supports TLS 1.2, AFNetworking handshake failing

I am trying to post to a server that supports TLS 1.2 -- at least when I perform a GET in a browser I can verify that the communication uses TLS 1.2 and that the cert is validated by a cert authority. However, when I try to POST in my code to that server using AFNetworking iOS 9.0 (13A4305g) / Xcode 7-beta4 I'm getting a handshake failure.

AFHTTPRequestOperationManager *manager = [AFHTTPRequestOperationManager manager];
manager.requestSerializer = [AFHTTPRequestSerializer serializerWithContentType:@"application/x-www-form-urlencoded"];    
manager.responseSerializer = [AFJSONResponseSerializer serializer];    
[manager POST:requestString parameters:@{ @"apiKey" : MY_API_KEY,
                                          @"payload" : [MyParams paramsForPOSTAsJSON] }
  success:^(AFHTTPRequestOperation *operation, NSDictionary *responseDict) {
      ...
} failure:^(AFHTTPRequestOperation *operation, NSError *error) {
      myLog(@"Communication failed: %@", error);
}];

The failure:

2015-08-06 15:01:08.398 MyApp[1795:394055] CFNetwork SSLHandshake failed (-9824)
2015-08-06 15:01:08.409 MyApp[1795:394055] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
2015-08-06 15:01:08.412 MyApp[1795:393999] MyClass sendDataToServer Communication failed: Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." ...

Am I missing something? How can I dig deeper? Suppose it is a problem with the server and not the code - how could I snoop that?

Solution

  • Steffen led me to the answer, and it was indeed that I needed the appropriate ciphers. An easy way to look at the supported ciphers on a port is the cipherscan tool. The ciphers supported for App Transport Security can be found here. Once I was able to test on a fully configured website, I did not need any kind of whitelisting. For TLS sites without the ciphers, I can set NSThirdPartyExceptionRequiresForwardSecrecy to false.

    UPDATE

    If you take beta 3 or above of OS X El Capitan, you can use the following command:

    nscurl --verbose --ats-diagnostics <host>

    This will tell you what entries you would need to add to your whitelist in order to make the connection succeed. This is a great help in demystifying SSL failures of type CFNetwork SSLHandshake failed (-9801).