kCFStreamErrorDomainSSL, -9802 when connecting to a server by IP address through HTTPS in iOS 9

Ryan Fung · Jun 11, 2015 · Viewed 31.9k times

We have an iOS app that connects to our server through HTTPS. When the app is built with the new iOS 9 SDK and run under iOS 9, the following error occurs:

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)

The app uses AFNetworking 1.3.4 with pinned certs. The problem occurs if I connect to the server with its IP address. It works if I add the NSAllowsArbitraryLoads config, or if I connect to the server with its domain name.

The Tomcat connector is configured with sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2".

I have tried overriding the host name but it doesn't seem to change anything.

I can't find much official documentation on ATS yet. Maybe connecting with IP address is not supposed to work?

Answer

zaph · Jun 11, 2015

iOS 9 requires the server to only support TLSv1.2 and support perfect forward security.

Also required is for the app to support IPv6 including not using hard-coded IP addresses. Suggested is to use NSURLSession. Otherwise exception additions must be made in the app plist.

See the WWDC-15 session "Security and your Apps".

Also see Steven Peterson's Blog for details.
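
A way to test a server against the two requirements named in the answer above (TLS 1.2 and forward-secret key exchange), as an added example that is not part of the original thread. It only approximates those requirements with Python's ssl module and is not Apple's ATS implementation; the function names, the `server.example` host and port 8443 are assumptions.

```python
import socket
import ssl


def ats_like_context(cafile=None):
    """Client context limited to TLS 1.2 with forward-secret (ECDHE) suites.

    Assumption: approximates the two requirements named in the answer; it is
    not Apple's ATS implementation. cafile may point at a private CA or a
    pinned server certificate in PEM form.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and name
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL")
    return ctx


def tls12_suites(ctx):
    """Names of the enabled TLS 1.2 suites (TLS 1.3 names start with TLS_)."""
    return [c["name"] for c in ctx.get_ciphers()
            if not c["name"].startswith("TLS_")]


def check(host, port=443, cafile=None, timeout=5.0):
    """Try one handshake; host may be a DNS name or an IP literal.

    For an IP literal the certificate must carry a matching IP SAN,
    otherwise verification fails just like a name mismatch.
    """
    ctx = ats_like_context(cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"ok": True, "protocol": tls.version(),
                        "cipher": tls.cipher()[0]}
    except OSError as exc:  # ssl.SSLError and socket errors are OSErrors
        return {"ok": False, "error": f"{type(exc).__name__}: {exc}"}


if __name__ == "__main__":
    # "server.example" and 8443 are placeholders; pass your own host or IP.
    print(check("server.example", 8443))
```

Running `check` once with the domain name and once with the IP address separates a protocol or cipher mismatch from a certificate name mismatch: the first fails both ways, the second only for the address.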