iOS : NSInputStream / NSOutputStream - CFNetwork SSLHandshake failed (-9806)

Question

I'm trying to open an input/output stream to a secure server but keep getting CFNetwork SSLHandshake failed (-9806)

I have set the plist values for exception domains etc

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>someserver.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSThirdPartyExceptionMinimumTLSVersion</key>
            <string>TLSv1.0</string>
            <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
            <false/>
            <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>

I also tried this in plist:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

Here is my code:

-(void)startStream{


NSString *urlStr = @"https://stream.someserver.com";
NSURL *website = [NSURL URLWithString:urlStr];


CFReadStreamRef readStream;
CFWriteStreamRef writeStream;
CFStreamCreatePairWithSocketToHost(NULL, (CFStringRef)CFBridgingRetain([website host]), 443, &readStream, &writeStream);

NSInputStream *inputStream = (__bridge_transfer NSInputStream *)readStream;
NSOutputStream *outputStream = (__bridge_transfer NSOutputStream *)writeStream;


[inputStream setDelegate:self];
[outputStream setDelegate:self];

[inputStream scheduleInRunLoop:[NSRunLoop currentRunLoop] forMode:NSDefaultRunLoopMode];
[outputStream scheduleInRunLoop:[NSRunLoop currentRunLoop] forMode:NSDefaultRunLoopMode];


NSMutableDictionary *settings = [NSMutableDictionary dictionaryWithCapacity:1];
[settings setObject:(NSString *)NSStreamSocketSecurityLevelTLSv1 forKey:(NSString *)kCFStreamSSLLevel];
[settings setObject:[NSNumber numberWithBool:YES] forKey:(NSString *)kCFStreamSSLValidatesCertificateChain];
[settings setObject:@"stream.someserver.com" forKey:(NSString *)kCFStreamSSLPeerName];

CFWriteStreamSetProperty((CFWriteStreamRef)outputStream, kCFStreamPropertySSLSettings, (CFTypeRef)settings);
CFReadStreamSetProperty((CFReadStreamRef)inputStream, kCFStreamPropertySSLSettings, (CFTypeRef)settings);


[inputStream open];
[outputStream open];

}

There is a about a 5 second delay after the stream is open before the CFNetwork SSLHandshake failed (-9806) error is thrown.

NOTE: The secure server is not mine and I cannot change any settings there. It is a tested and established server with many users streaming

Answer 1

I'm not sure which stage fails in the ssl connection handshake, but you can try to change the settings dictionary to something like this:

 NSDictionary *settings = [[NSDictionary alloc] initWithObjectsAndKeys:
                          [NSNumber numberWithBool:YES], kCFStreamSSLAllowsExpiredCertificates,
                          [NSNumber numberWithBool:YES], kCFStreamSSLAllowsAnyRoot,
                          [NSNumber numberWithBool:YES], kCFStreamSSLAllowsExpiredRoots,
                          [NSNumber numberWithBool:NO], kCFStreamSSLValidatesCertificateChain,
                          //kCFNull,kCFStreamSSLPeerName,
                          kCFStreamSocketSecurityLevelSSLv3, kCFStreamSSLLevel,
                          [NSNumber numberWithBool:YES], kCFStreamPropertyShouldCloseNativeSocket,
                          nil];

And then if succeeded, remove each "Security breach" defined above.

Answer 2

Looking at Apple documentation it seems you are using wrong keys.

For example

• NSThirdPartyExceptionMinimumTLSVersion must be NSExceptionMinimumTLSVersion
• NSTemporaryExceptionAllowsInsecureHTTPLoads must be NSExceptionAllowsInsecureHTTPLoads
• and ecc...

Answer 3

In your SSL settings, set kCFStreamSSLValidatesCertificateChain to @NO to completely disable server trust evaluation.

In your delegate implementation, when you first get the NSStreamEventHasSpaceAvailable or NSStreamEventHasBytesAvailable status, then retrieve the kCFStreamPropertySSLPeerTrust property from the stream.

You should get back a SecTrustRef, which you can evaluate and get information about:

SecTrustRef trust = (SecTrustRef)[stream propertyForKey:kCFStreamPropertySSLPeerTrust];
SecTrustResultType trustResult;
OSStatus status = SecTrustEvaluate(trust, &trustResult);
if (status != errSecSuccess) {
    NSLog(@"failed to evaluate");
} else {
    OSStatus trustResultCode = SecTrustGetTrustResult(trust, &trustResult);
}

The final trustResultCode should give you a specific reason why trust evaluation failed. Depending upon what that specific reason is, you can modify the SecTrustRef or create a whole new one to get a successful evaluation.

The Apple Tech Note HTTPS Server Trust Evaluation is really informative.