SSL connections failing with errSSLPeerHandshakeFail

RyanGregg

Nov 19, 2011, 12:09:01 PM
to ASIHTTPRequest
Recently several users of my app have started having issues connecting
to their servers. I believe this starts when they upgrade to iOS 5 (or
maybe 5.0.1). The error message that comes back indicates
errSSLPeerHandshakeFail, which isn't super clear as to what it means.
If I use NSURLConnection instead of ASIHTTPRequest, the connection
works just fine.

I did some poking around, and found that if I set kCFStreamSSLLevel to
kCFStreamSocketSecurityLevelSSLv3 instead of the default of
kCFStreamSocketSecurityLevelNegotiatedSSL it works just fine. However,
I would have expected the negotiation to fix this, since it seems to
work properly for NSURLConnection.

Anyone else seen this problem or have a better solution? I'm a little
concerned that locking the connection into SSLv3 could break other
connections, so I'm hesitant to make that the default.

Trying to isolate differences in the servers, I noticed that when the
connection fails, Chrome reports the connection as "The connection
uses TLS 1.0. The connection is encrypted using RC4_128, with SHA1 for
message authentication and RSA as the key exchange mechanism." where
for servers that work I see "The connection uses TLS 1.0. The
connection is encrypted using RC4_128, with MD5 for message
authentication and RSA as the key exchange mechanism."

Any thoughts?

Joseph Heenan

Nov 19, 2011, 4:54:33 PM
to asihttp...@googlegroups.com
Hi Ryan,

On 19/11/2011 17:09, RyanGregg wrote:
> Recently several users of my app have started having issues connecting
> to their servers. I believe this starts when they upgrade to iOS 5 (or
> maybe 5.0.1). The error message that comes back indicates
> errSSLPeerHandshakeFail, which isn't super clear as to what it means.
> If I use NSURLConnection instead of ASIHTTPRequest, the connection
> works just fine.
>

Not sure if it matches your exact symptoms, but
http://stackoverflow.com/questions/7792949/ios-5-https-asihttprequest-stop-working
could have some relevant info, particularly the linked post on the Apple
forums:

https://devforums.apple.com/message/537440#537440

Cheers,

Joseph

RyanGregg

Nov 19, 2011, 8:17:21 PM
to ASIHTTPRequest
Perfect! The TN was exactly what I was looking for. Looks like apps
linked against iOS 5 SDK are "auto upgraded" to TLS 1.2, which doesn't
appear to be widely supported by a number of servers (including most
Apple servers according to the TN). Seems like the right fix is to
intelligently downgrade from 1.2 -> 1.1 -> 1.0 if you receive
failures. I'm just going to code my app for now to use 1.0 and then
figure out a workaround later.

On Nov 19, 1:54 pm, Joseph Heenan <jos...@heenan.me.uk> wrote:
> Hi Ryan,
>
> On 19/11/2011 17:09, RyanGregg wrote:
>
> > Recently several users of my app have started having issues connecting
> > to their servers. I believe this starts when they upgrade to iOS 5 (or
> > maybe 5.0.1). The error message that comes back indicates
> > errSSLPeerHandshakeFail, which isn't super clear as to what it means.
> > If I use NSURLConnection instead of ASIHTTPRequest, the connection
> > works just fine.
>

> Not sure if it matches your exact symptoms, but http://stackoverflow.com/questions/7792949/ios-5-https-asihttprequest...
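
An added example (not code from this thread or from ASIHTTPRequest) of the fix discussed above, using the kCFStreamSSLLevel property named in the first post: start at the negotiated level and cap at TLS 1.0 only after errSSLPeerHandshakeFail. The helper names are hypothetical, and using two rungs with a floor at TLS 1.0 (never SSLv3) is this example's assumption.

```objective-c
#import <Foundation/Foundation.h>
#import <CFNetwork/CFNetwork.h>
#import <Security/SecureTransport.h>   // errSSLPeerHandshakeFail

// Hypothetical helper: security level for attempt N (0 = first try).
// Returns NULL once the ladder is exhausted. The floor is TLS 1.0;
// SSLv3 is deliberately left out (assumption of this example).
static CFStringRef SecurityLevelForAttempt(NSUInteger attempt) {
    switch (attempt) {
        case 0:  return kCFStreamSocketSecurityLevelNegotiatedSSL; // default negotiation
        case 1:  return kCFStreamSocketSecurityLevelTLSv1;         // cap at TLS 1.0
        default: return NULL;
    }
}

// Apply the level to a stream. Call this before CFReadStreamOpen() and use
// a fresh stream for every attempt. Assumes ARC (hence the __bridge casts).
static BOOL ApplySecurityLevel(CFReadStreamRef stream, CFStringRef level) {
    NSDictionary *settings = @{ (__bridge NSString *)kCFStreamSSLLevel :
                                (__bridge NSString *)level };
    return CFReadStreamSetProperty(stream, kCFStreamPropertySSLSettings,
                                   (__bridge CFDictionaryRef)settings) ? YES : NO;
}

// Decide whether a failed attempt justifies stepping down. Only a peer
// handshake failure qualifies; certificate errors, timeouts and every other
// error return NULL so they surface to the caller instead of being retried.
static CFStringRef NextLevelAfterFailure(CFReadStreamRef failedStream,
                                         NSUInteger failedAttempt) {
    CFStreamError err = CFReadStreamGetError(failedStream);
    BOOL handshakeRefused = (err.domain == kCFStreamErrorDomainSSL &&
                             err.error == errSSLPeerHandshakeFail);
    if (!handshakeRefused) return NULL;

    CFStringRef next = SecurityLevelForAttempt(failedAttempt + 1);
    if (next != NULL) {
        // Record every downgrade so capped connections stay visible in logs.
        NSLog(@"TLS fallback: retrying at %@", (__bridge NSString *)next);
    }
    return next;
}
```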
