NSURLSession/NSURLConnection HTTP load failed (kCF

Posted 2019-07-23 13:10

Question:

One of my apps cannot connect to its API server. The logged reason is NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813). So far no luck on finding why or what, but the most frustrating thing is that this problem appears on some of my test devices. On others everything is fine. I am using NSURLConnection:sendSynchronousRequest:returningResponse:error:, but after some refactoring and trying with NSURLSessionDataTask:dataTaskWithRequest:completionHandler:, the problem still occurs. Also added

- (void)URLSession:(NSURLSession *)session task:(NSURLSessionTask *)task didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential *credential))completionHandler
{
    // Accepts whatever trust object the server presents, without evaluating it.
    completionHandler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]);
}

and still nothing.....

P.S. Even though my first problem is a duplicate of many others, my main concern is why this error appears only on ONE of my testing devices (after Settings -> General -> Reset it works fine too, but how to tell Apple "please, reset your testing device"?). The others work perfectly fine.

Answer 1:

Error -9813 is errSSLNoRootCert. This means that the certificate chain provided by the server does not reach a trusted root (anchor) cert, and is usually caused by missing certificates in the chain.

The reason for the difference from one device to another could be because some devices were able to successfully fetch the missing certificates (OCSP?), because some devices have additional trusted anchor certs that are not present on the other devices for whatever reason, or because some of the certificates in the chain are signed using a key signing algorithm that is no longer accepted on iOS 9 and thus are being ignored.

I would suggest that you contact your TLS certificate vendor and get a new copy of the TLS chain file, update the chain file on the server, restart the server, and see if the problem goes away.

If that doesn't help, please edit your question with a URL that we can test, along with the results of running openssl s_client -connect yourhostname:443 against the host in question.

More tips here:

  • iOS HTTPS requests 101
  • https://developer.apple.com/library/ios/technotes/tn2232/_index.html
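
The check the answer asks for, as an added example that is not part of the original answer: a POSIX shell function that reads `openssl s_client` output and reports whether the server sent a linked chain or only the leaf. The sample outputs, host names and exit-code convention are constructed for illustration.

```shell
#!/bin/sh
# Added example. Feed it the output of: openssl s_client -connect yourhostname:443
# Exit codes are this script's own convention:
#   0 linked chain with an intermediate   1 leaf only (intermediates not sent)
#   2 issuer/subject mismatch in chain    3 no "Certificate chain" section
check_chain() {
    awk '
        /^Certificate chain/       { in_chain = 1; next }
        in_chain && /^---/         { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n++] = $0; next }
        in_chain && /^ +i:/        { sub(/^ +i:/, ""); iss[n - 1] = $0; next }
        END {
            if (n == 0) { print "no certificate chain in input"; exit 3 }
            for (k = 0; k < n - 1; k++)
                if (iss[k] != subj[k + 1]) {
                    printf "cert %d: issuer \"%s\" is not the next subject\n", k, iss[k]
                    exit 2
                }
            printf "%d certificate(s) sent; top issuer (must be trusted by the device): %s\n", n, iss[n - 1]
            if (n == 1 && iss[0] != subj[0]) { print "leaf only: intermediates not sent"; exit 1 }
            exit 0
        }'
}

# Constructed sample: server sends leaf + intermediate.
sample_full() { cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=api.example.test
   i:/O=Example CA/CN=Example Intermediate
 1 s:/O=Example CA/CN=Example Intermediate
   i:/O=Example CA/CN=Example Root
---
EOF
}

# Constructed sample: server sends only the leaf certificate.
sample_leaf_only() { cat <<'EOF'
Certificate chain
 0 s:/CN=api.example.test
   i:/O=Example CA/CN=Example Intermediate
---
EOF
}

sample_full | check_chain || true
sample_leaf_only | check_chain || true
```

A leaf-only result matches the answer's "missing certificates in the chain" case: a device validates only if it can obtain or already holds the intermediate, which is why results can differ between devices.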