I've got an iOS app which uses SSL/HTTPS to communicate with a server. The server is providing a certificate that works over TLSv1.2 (the main requirement of App Transport Security). An example URL that demonstrates this (where the TLSv1.2 can be verified by checking the certificate) is https://api.branon.co.uk/checkOnline.

However, the app is throwing errors relating to the App Transport Layer - errors that, when Googled - imply it's because the server isn't working over TLSv1.2. An example error is:

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)

and:

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)

I even added a bunch of exceptions to the plist file, such as:

<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key><my top level domain - the app uses a subdomain - allowed below></key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSTemporaryExceptionMinimumTLSVersion</key>
            <string>TLSv1.1</string>
        </dict>
    </dict>
</dict>
</plist>

but this doesn't change the result.

The certificate used is a free certificate issued from StartCom. My nginx config is below (just for reference).

server {
    listen [::]:443 ssl;
    listen 443 ssl;
    ssl on;
    ssl_certificate /root/ssl/<domain>.crt;
    ssl_certificate_key /root/ssl/server.key;
    server_name api.<domain>;
    access_log /var/log/nginx/api.access.log;
    error_log /var/log/nginx/api.error.log;
    location ~ ^/([a-zA-Z]+)$ {
        proxy_pass http://127.0.0.1:5000/$1;
    }
}

Does anybody have any idea why this is happening?

Thanks!

Update: Following the results of @Paulw11's suggested test (below) running nscurl, I decided just to try disabling App Transport Security entirely. I changed the App Transport Security dictionary in my plist to the below:

<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

and am still getting the same error! So if it's not App Transport Security, what could be causing this? That error I'm getting again is: NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)

The server does not provide a complete certificate chain in its SSL/TLS handshake. While some clients can handle this and build out a trust chain, others cannot.

You can find the missing intermediate certificate via https://whatsmychaincert.com/?api.branon.co.uk and serve it along with your site's certificate in your SSL configuration in nginx.

Do remember to remove any ATS exceptions that you may have put in place!

The format of the keys I use to allow older versions of TLS (for amazonaws, for example) looks like this:

<key>NSIncludesSubdomains</key>
<string>NO</string>
<key>NSThirdPartyExceptionMinimumTLSVersion</key>
<string>TLSv1.1</string>
<key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
<string>NO</string>

The rest of the structure looks the same. At one point, we had this at the root level.

<key>NSExceptionMinimumTLSVersion</key>
<string>TLSv1.0</string>