6

I have an iOS app, which works fine on iOS7. Now we are testing it on iOS8, and when running under iOS8, we have SSL issues. Some (but not all) SSL requests fail. All requests are against the same server, with an SSL certificate that is valid, and works on desktop, and works when the same app is running iOS7.

The error we are getting is kCFURLErrorSecureConnectionFailed, which Apple documents to be:

The secure connection failed for an unknown reason.

Also, I get the following logged in the console:

CFNetwork SSLHandshake failed (-9846)

We are using NSURLConnection. We have implemented connection:willSendRequestForAuthenticationChallenge:, but it does not get called when we get the error.

Does anyone know if this is a known iOS8 issue? What would be my next steps to finding out why these requests fail?

Dmytro Plekhotkin
driis

2 Answers

5

The error you are seeing is a SecureTransport error. Error -9846 is errSSLBadRecordMac. This is a transport level error in the SSL mechanism, and is typically caused by a bug in the implementation - Apple's, not yours in this case. Please reduce it to a test case and file a bug:

https://bugreport.apple.com

quellish
1

This turned out to actually be a bug in the firmware for the loadbalancer running the site. We upgraded the firmware, and everything now works as expected.

driis
  • If it was an issue with the loadbalancer, how come it was working fine for iOS 7? I am facing the same issue in my application. I would appreciate if you can provide a little more explanation. – Sahitya Tarumani Sep 30 '14 at 12:01
  • I _think_ the reason it did not happen on iOS7 is that iOS8 updates its preferred cipher suites, and the bug on the loadbalancer was local to a specific cipher suite. So pretty much, iOS8 negotiates a different cipher, which happened to be buggy on our particular version of the loadbalancer. (Sorry, can't share version details). – driis Oct 01 '14 at 17:32
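
Added example, not part of the original posts: one way to follow up on the cipher-suite explanation above is to offer your own server one suite at a time and see which ones fail at the TLS layer. It assumes Python's `ssl` module (OpenSSL, not Apple's SecureTransport, so suite names follow OpenSSL), and the function names are made up for this sketch.

```python
import socket
import ssl
import sys


def tls12_cipher_names():
    """TLS 1.2-and-earlier suites the local OpenSSL enables by default."""
    ctx = ssl.create_default_context()
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def probe_cipher(host, port, cipher, timeout=5.0):
    """Handshake offering only `cipher`, then exchange one request/response."""
    try:
        ctx = ssl.create_default_context()
        # set_ciphers() does not control TLS 1.3 suites, so cap the version.
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        ctx.set_ciphers(cipher)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # Record-layer faults can appear only once encrypted
                # application data flows, so send a request and read the reply.
                tls.sendall(b"HEAD / HTTP/1.1\r\nHost: " + host.encode()
                            + b"\r\nConnection: close\r\n\r\n")
                tls.recv(4096)
                return "ok"
    except ssl.SSLError as exc:          # handshake or record-layer failure
        return "tls-error: " + (getattr(exc, "reason", None) or str(exc))
    except OSError as exc:               # refused, timed out, DNS failure
        return "net-error: " + type(exc).__name__


def probe_all(host, port=443):
    return {name: probe_cipher(host, port, name) for name in tls12_cipher_names()}


def suspect_ciphers(results):
    """Suites that reached the server but failed at the TLS layer."""
    return [name for name, res in results.items() if res.startswith("tls-error")]


if __name__ == "__main__":
    # Usage: python probe.py <your-server-hostname>
    results = probe_all(sys.argv[1])
    for name, res in results.items():
        print(f"{name:35} {res}")
    print("suspect:", suspect_ciphers(results))
```

A suite the server simply does not offer also shows up as `tls-error`, so read the reason text to separate a plain refusal from a fault that appears after the suite was accepted.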