Re: App linked with older SDK get SSL error -9806, newer linkage avoids it
- Subject: Re: App linked with older SDK get SSL error -9806, newer linkage avoids it
- From: Daniel Jalkut <email@hidden>
- Date: Tue, 10 Mar 2015 11:04:22 -0400
Hi Bob, thanks for the tip! This was a great lead and with it I discovered that, indeed, the problem is rooted in the TLS version being used by my app (TLS 1.0), and the customer’s site being configured not to support it.
So the mystery is solved, but it raises the question: why doesn’t OS X default to the best possible TLS version, even for apps that were linked against older SDKs? I have never made any specific TLS selections when configuring my CFNetwork streams, and expected that it would just "do the right thing," where "right" means the safest, most compatible, best choices for users.
It looks like I may be able to manually override the SSL settings for the stream using kCFStreamPropertySSLSettings. Does anybody have experience doing this, and recommend what I should set it to if I want to encourage my app to use TLS 1.2 whenever possible, but to continue falling back to TLS 1.0 when necessary?
Longer term it seems like the problem will be solved by linking against newer SDKs. I can do that for major updates to my app but for the current version I need to continue building against the 10.6 SDK for any updates I release.
Daniel
> On Mar 10, 2015, at 9:32 AM, Bob DeRosa <email@hidden> wrote:
>
> I'm wondering if it is some sort of SSL negotiation that is failing. A lot of servers are configured to no longer support SSL and only support later versions of TLS. Also, some of the older encryption ciphers have been disabled for security reasons.
>
> If you can request URLs in the client, you can check what it supports with https://www.howsmyssl.com/.
>
> You can use this website to test the server https://www.ssllabs.com/ssltest/.
>
>
> -----Original Message-----
> From: macnetworkprog-bounces+derosa=email@hidden [mailto:macnetworkprog-bounces+derosa=email@hidden] On Behalf Of Daniel Jalkut
> Sent: Monday, March 09, 2015 11:32 PM
> To: email@hidden
> Subject: App linked with older SDK get SSL error -9806, newer linkage avoids it
>
>
> One of my customers is running into cryptic -9806 SSL connection errors with MarsEdit when connecting to his blog. I’ve confirmed the problems, but what is strange is that the issues only occur with versions of my app that were built with an older SDK (10.6 in this case). If I build and run my app against a newer SDK such as 10.10, the connection errors don’t occur.
>
> The connection errors occur at seemingly any level of the networking stack, from my direct use of CFNetwork up through implicit use of NSURLConnection via WebKit1 WebViews in my app.
>
> The issue does not affect all SSL URLs, but does seem to affect any SSL negotiation with this specific host. The failure seems to happen at the CONNECT negotiation phase.
>
> I don’t want to share the URL before I get his clearance to do so, but does this sound familiar to anybody? I’m guessing that by linking with the older SDK I'm locking my app into an older code path for some of the SSL stuff?
>
> The customer in question is technically astute and I think he would be eager to e.g. have his certificate repaired or amended if appropriate. The certificate doesn’t show any issues if examined for trust in e.g. Safari.
>
> Any hints about how I might be able to track down the cause of the connection failures and either work around them in the app (short of linking against a later SDK, which I’m not yet ready to do for production releases), or advise him how to work around it by changing the configuration of the server?
>
> Daniel
Macnetworkprog mailing list (email@hidden)