ios https aerogear

Why would an iOS SSL handshake fail with a trusted certificate at the other end?


My Swift iOS application is not able to register for remote notifications with the AeroGear Unified Push Server, giving errors that look as if the certificate on the server is a self-signed one, although it is a regular trusted one signed by a certification authority.

This happens during the didRegisterForRemoteNotificationsWithDeviceToken call in the delegate, where the registration itself is done according to the AeroGear push server examples:

    let registration = AGDeviceRegistration(serverURL: NSURL(string: dynConfig.pushURL))
    registration.registerWithClientInfo({ (clientInfo: AGClientDeviceInformation!) -> Void in
    ...

Here is the error trace:

    2016-04-08 16:22:35.158 Myapp[284:35797] Registration :https://server.mydomain.net:8443/ag-push/
    2016-04-08 16:24:23.412 Myapp[284:35797] OK
    2016-04-08 16:24:23.419 Myapp[284:35797] _BSMachError: (os/kern) invalid capability (20)
    2016-04-08 16:24:23.420 Myapp[284:35797] _BSMachError: (os/kern) invalid name (15)
    2016-04-08 16:24:23.553 Myapp[284:35797] OK
    2016-04-08 16:24:23.558 Myapp[284:35797] OK
    2016-04-08 16:24:23.574 Myapp[284:36046] CFNetwork SSLHandshake failed (-9824)
    2016-04-08 16:24:23.615 Myapp[284:36046] CFNetwork SSLHandshake failed (-9824)
    2016-04-08 16:24:23.662 Myapp[284:36046] CFNetwork SSLHandshake failed (-9824)
    2016-04-08 16:24:23.713 Myapp[284:36046] CFNetwork SSLHandshake failed (-9824)
    2016-04-08 16:24:23.716 Myapp[284:36046] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
    2016-04-08 16:24:38.229 Myapp[284:35797] Push registration error :Error Domain=NSURLErrorDomain Code=-1200 "Une erreur SSL s’est produite et il est impossible d’établir une connexion sécurisée avec le serveur." UserInfo={_kCFStreamErrorCodeKey=-9824, NSLocalizedRecoverySuggestion=Souhaitez-vous tout de même vous connecter au serveur ?, NSUnderlyingError=0x12cdf9ee0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9824, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9824}}, NSLocalizedDescription=Une erreur SSL s’est produite et il est impossible d’établir une connexion sécurisée avec le serveur., NSErrorFailingURLKey=https://server.mydomain.net:8443/ag-push/rest/registry/device, NSErrorFailingURLStringKey=https://server.mydomain.net:8443/ag-push/rest/registry/device, _kCFStreamErrorDomainKey=3}

Solution

  • Your API call seems to be blocked by App Transport Security. Try adding the following to your .plist file:

    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSExceptionDomains</key>
        <dict>
            <key>mydomain.net</key>
            <dict>
                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSExceptionRequiresForwardSecrecy</key>
                <false/>
            </dict>
        </dict>
    </dict>
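An added example, not part of the original question or answer and not AeroGear code: a small Python check that lists which App Transport Security defaults an Info.plist relaxes, run on the exception from the answer above wrapped in a constructed minimal plist. The function name `audit_ats` and the wording of the findings are illustrative assumptions.

```python
import plistlib

# Constructed sample: the ATS exception from the answer, inside a minimal Info.plist.
INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>NSAppTransportSecurity</key>
<dict>
  <key>NSExceptionDomains</key>
  <dict>
    <key>mydomain.net</key>
    <dict>
      <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
      <key>NSIncludesSubdomains</key><true/>
      <key>NSExceptionRequiresForwardSecrecy</key><false/>
    </dict>
  </dict>
</dict>
</dict></plist>"""

# Per-domain ATS keys that weaken the default policy, with the value that weakens it.
WEAKENING = {
    "NSExceptionAllowsInsecureHTTPLoads": (True, "cleartext HTTP allowed"),
    "NSExceptionRequiresForwardSecrecy": (False, "non-forward-secret cipher suites accepted"),
}

def audit_ats(plist_bytes):
    """Return (scope, finding) pairs for every ATS relaxation in an Info.plist."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append(("all domains", "ATS disabled"))
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        # NSIncludesSubdomains widens the exception beyond the named host.
        scope = domain + (" (+subdomains)" if rules.get("NSIncludesSubdomains") else "")
        for key, (weak_value, meaning) in WEAKENING.items():
            if rules.get(key) is weak_value:
                findings.append((scope, meaning))
        min_tls = rules.get("NSExceptionMinimumTLSVersion")
        if min_tls in ("TLSv1.0", "TLSv1.1"):
            findings.append((scope, "minimum TLS lowered to " + min_tls))
    return findings

if __name__ == "__main__":
    for scope, finding in audit_ats(INFO_PLIST):
        print(scope + ": " + finding)
```

The report makes the scope of the exception visible in review: it applies to mydomain.net and every subdomain, not only to the push server host.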