I have an intermittent occurrence of this error when attempting to load image files from twitter, with URLs such as this: https://pbs.twimg.com/media/Ck-9Oc6XIAAIb8B.jpg
Targeting ios8 and fails on two ios9 devices and simulator, intermittently, normally at least 20% of the time.
I have a test app with a Reload button which allows to retry. If the first time works, every subsequent reload seems to work (perhaps caching?). If the first time fails, eventually it'll load successfully after retrying a few times (say 5-10).
Surely twitter has appropriate SSL setup. What's going on?
I don't want to disable ALS completely or even just for this domain, ideally.
import UIKit
class ViewController: UIViewController {
@IBOutlet weak var myImageView: UIImageView!
@IBAction func didPressReload(sender: AnyObject) {
loadImage()
}
func loadImage() {
myImageView.imageFromUrl("https://pbs.twimg.com/media/Ck-9Oc6XIAAIb8B.jpg")
}
}
extension UIImageView {
public func imageFromUrl(urlString: String) {
if let url = NSURL(string: urlString) {
let request = NSURLRequest(URL: url)
NSURLConnection.sendAsynchronousRequest(request, queue: NSOperationQueue.mainQueue()) {
(response: NSURLResponse?, data: NSData?, error: NSError?) in
if (error != nil) {
NSLog("Failed to load URL \(response?.URL?.absoluteString): \(error)")
}
if let imageData = data as NSData? {
self.image = UIImage(data: imageData)
}
}
}
}
}
Error detail when it fails:
2016-06-18 18:17:19.975 TestSSL[1027:420188] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
2016-06-18 18:17:20.011 TestSSL[1027:420137] Failed to load URL nil: Optional(Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSUnderlyingError=0x14597da0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamPropertySSLClientCertificateState=0, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x146977b0>, _kCFStreamErrorDomainKey=3, kCFStreamPropertySSLPeerCertificates=<CFArray 0x14595f90 [0x3b0ca840]>{type = immutable, count = 4, values = (
0 : <cert(0x14696590) s: *.twimg.com i: DigiCert High Assurance CA-3>
1 : <cert(0x14696a90) s: DigiCert High Assurance CA-3 i: DigiCert High Assurance EV Root CA>
2 : <cert(0x14696eb0) s: DigiCert High Assurance EV Root CA i: Baltimore CyberTrust Root>
3 : <cert(0x146971e0) s: Baltimore CyberTrust Root i: Baltimore CyberTrust Root>
)}, NSErrorFailingURLStringKey=https://pbs.twimg.com/media/Ck-9Oc6XIAAIb8B.jpg, NSErrorFailingURLKey=https://pbs.twimg.com/media/Ck-9Oc6XIAAIb8B.jpg}}, _kCFStreamErrorCodeKey=-9802, NSErrorFailingURLStringKey=https://pbs.twimg.com/media/Ck-9Oc6XIAAIb8B.jpg, NSErrorPeerCertificateChainKey=<CFArray 0x14595f90 [0x3b0ca840]>{type = immutable, count = 4, values = (
0 : <cert(0x14696590) s: *.twimg.com i: DigiCert High Assurance CA-3>
1 : <cert(0x14696a90) s: DigiCert High Assurance CA-3 i: DigiCert High Assurance EV Root CA>
2 : <cert(0x14696eb0) s: DigiCert High Assurance EV Root CA i: Baltimore CyberTrust Root>
3 : <cert(0x146971e0) s: Baltimore CyberTrust Root i: Baltimore CyberTrust Root>
)}, NSErrorClientCertificateStateKey=0, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x146977b0>, NSErrorFailingURLKey=https://pbs.twimg.com/media/Ck-9Oc6XIAAIb8B.jpg})
My mistake was assuming "surely twitter has appropriate SSL setup". I found through repeatedly reloading in Chrome, that sometimes only a SHA-1 certificate is provided.
Perhaps the fact twitter is trying to support legacy clients has something to do with it:
We’re doing our part by implementing SHA-256 certificates on our Twitter endpoints, and using cert switching to only serve SHA-1 certificates if we detect older clients without SHA-256 support.
from https://blog.twitter.com/2015/sunsetting-sha-1
It would seem twitter is getting confused sometimes. So my only choice would seem to be to allow ALS exceptions for my app.
I hope my self-answered question is useful for somebody else.