18

I'm using the new FireBase SDK introduced at I/O 2016 and I'm getting this error after integrating with my app. This happens at app launch.

2016-08-06 06:28:06.237 MyApp[49084:2511094] CFNetwork SSLHandshake failed (-9806)
2016-08-06 06:28:06.238 MyApp[49084:2511094] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9806)
2016-08-06 06:28:06.453 MyApp[49084:2511094] CFNetwork SSLHandshake failed (-9806)
2016-08-06 06:28:06.454 MyApp[49084:2511094] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9806)

2016-08-06 06:28:06.854 MyApp[49084:2510825] <Firebase/Network/ERROR> Encounter network error. Error: Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSUnderlyingError=0x7bf93200 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9806, _kCFStreamErrorCodeKey=-9806, _kCFStreamErrorDomainKey=3, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x7bc97840>, kCFStreamPropertySSLPeerCertificates=<CFArray 0x7bcf2420 [0x477d1f8]>{type = immutable, count = 3, values = (
0 : <cert(0x7bc96990) s: *.googleapis.com i: Google Internet Authority G2>
1 : <cert(0x7bc96fb0) s: Google Internet Authority G2 i: GeoTrust Global CA>
2 : <cert(0x7bc97360) s: GeoTrust Global CA i: Equifax Secure Certificate Authority>)}}}, _kCFStreamErrorCodeKey=-9806, NSErrorFailingURLStringKey=https://play.googleapis.com/log, NSErrorPeerCertificateChainKey=<CFArray 0x7bcf2420 [0x477d1f8]>{type = immutable, count = 3, values = (
0 : <cert(0x7bc96990) s: *.googleapis.com i: Google Internet Authority G2>
1 : <cert(0x7bc96fb0) s: Google Internet Authority G2 i: GeoTrust Global CA>
2 : <cert(0x7bc97360) s: GeoTrust Global CA i: Equifax Secure Certificate Authority>)}, NSErrorClientCertificateStateKey=0, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x7bc97840>, NSErrorFailingURLKey=https://play.googleapis.com/log}

2016-08-06 06:28:06.856 MyApp[49084:] <FIRAnalytics/ERROR> Encounter network error. Error: Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSUnderlyingError=0x7b968c00 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9806, _kCFStreamErrorCodeKey=-9806, _kCFStreamErrorDomainKey=3, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x7b9abbb0>, kCFStreamPropertySSLPeerCertificates=<CFArray 0x7b8a2420 [0x477d1f8]>{type = immutable, count = 3, values = (
    0 : <cert(0x7b9aaf40) s: *.google-analytics.com i: Google Internet Authority G2>
    1 : <cert(0x7b9ab280) s: Google Internet Authority G2 i: GeoTrust Global CA>
    2 : <cert(0x7b9ab630) s: GeoTrust Global CA i: Equifax Secure Certificate Authority>
)}}}, _kCFStreamErrorCodeKey=-9806, NSErrorFailingURLStringKey=https://app-measurement.com/config/app/1:926356559846:ios:74ac6682756d2bd6?app_instance_id=7590DD8CDAF44A3ABE3F39478A9EB2BE&platform=ios&gmp_version=3201, NSErrorPeerCertificateChainKey=<CFArray 0x7b8a2420 [0x477d1f8]>{type = immutable, count = 3, values = (
    0 : <cert(0x7b9aaf40) s: *.google-analytics.com i: Google Internet Authority G2>
    1 : <cert(0x7b9ab280) s: Google Internet Authority G2 i: GeoTrust Global CA>
    2 : <cert(0x7b9ab630) s: GeoTrust Global CA i: Equifax Secure Certificate Authority>
)}, NSErrorClientCertificateStateKey=0, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x7b9abbb0>, NSErrorFailingURLKey=https://app-measurement.com/config/app/1:926356559846:ios:74ac6682756d2bd6?app_instance_id=7590DD8CDAF44A3ABE3F39478A9EB2BE&platform=ios&gmp_version=3201}
MandisaW
  • 971
  • 9
  • 21
ArdenDev
  • 4,051
  • 5
  • 29
  • 50

3 Answers3

8

This is caused by App Transport Security on iOS 9+. Apple imposed restrictions on SSL certificates that not all servers meet.

If you owned the server that is generating this message, I would advise updating to a more secure, modern SSL server certificate. But since it is Google/Firebase's server, all we can do is disable App Transport Security specifically for this domain.

Here is the part listing the domain:

NSErrorFailingURLStringKey=https://app-measurement.com...

You need to add this domain to your Info.plist file as follows:

<key>NSExceptionDomains</key>
<dict>
    <!-- Firebase/Google Analytics server - Disables App Transport Security for this specific domain -->
    <key>app-measurement.com</key>
    <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
    </dict>
</dict>

Keep in mind that allowing insecure connections from a third-party server does potentially introduce a security vulnerability to your app. However, if you are not sending any sensitive data to the Analytics server (which you shouldn't do anyway), then the exposure should be minimal.

According to Apple's ATS documentation, including any ATS exceptions will trigger a review the next time you submit to the App Store, so you may want to consider that as well.

MandisaW
  • 971
  • 9
  • 21
5

The problem is with the network. Sometimes the network condition is too slow that the network times out and the SSL checking cannot be made on time. This also happens more often on iOS 9.x which requires better security. What kind of iOS version and which device did you run it on? Did it happen all the time at start?

adbitx
  • 2,019
  • 8
  • 13
  • I'm on iOS 9.3 running on the simulator. It happens very frequently. I'm just integrating with FireBase and I haven't deployed this version to production yet. – ArdenDev Aug 09 '16 at 01:07
  • I have been trying to reproduce and it occurred most frequently when I was on very poor wireless connection [link](https://www.dropboxforum.com/hc/en-us/community/posts/201866899-Dropbox-throwing-SSL-errors-for-some-users). With good wifi, the problem rarely happened. From my research, the code -9806 means something is wrong with the connection and the connection was aborted so the handshake would not be completed. Firebase Analytics will retry to upload data again later so I don't think it's a breaking problem. – adbitx Aug 10 '16 at 16:23
  • 1
    Is there some debug logging I can enable to help trace this issue ? As I mentioned this issue happens very frequently and I'm on WIFI – ArdenDev Aug 15 '16 at 14:44
  • You can enable the debug log by using the argument [-FIRAnalyticsDebugEnabled](https://developer.apple.com/library/ios/recipes/xcode_help-scheme_editor/Articles/SchemeRun.html). It will show you what is going on with the network. You may notice the network reachability and network SSL process. Please let me know if you find anything peculiar. – adbitx Aug 16 '16 at 16:53
  • Just an FYI, when I brought one of the apps I'm working on into Xcode 8 GM seed I started seeing these messages on a device. I switched the device over to LTE and all was good - carry on.. – chinjazz Sep 08 '16 at 14:50
0

Check bundle identifier with correct signing certificate. might help.

Wirat Leenavonganan
  • 111
  • 1
  • 5
  • 2
    Note: answers that are very brief and/or are questions back to the poster should probably be comments. – Tyler2P Apr 02 '21 at 10:58