SSL Negotiation Error (OSStatus error -9819) #132

Open
erikvip opened this issue Jan 19, 2011 · 3 comments

erikvip commented Jan 19, 2011

Receiving this error when trying to connect to an HTTPS site:

```
Error Domain=ASIHTTPRequestErrorDomain Code=1 "A connection failure occurred" UserInfo=0x80090e0 {NSUnderlyingError=0x8002d50 "The operation couldn’t be completed.
(OSStatus error -9819.)", NSLocalizedDescription=A connection failure occurred}
```

The server does not support TLS, only SSLv3. Tracing the SSL handshake in Wireshark, I can see the client is requesting TLS 1.0 but the server does not support it. The client never 'falls back' to SSLv3 and the connection dies with the above error.

I'm not certain if this is a problem with ASIHTTP, as it does not appear to handle the SSL negotiation (CFStream).

Setting kCFStreamSSLLevel to kCFStreamSocketSecurityLevelSSLv3 resolves the issue for me.

Fix

I've added a property to ASIHTTPRequest so we can specify the SSL security level to use.

Note: I'm new to Objective-C, I could have messed something up...but it works for me.

ASIHTTPRequest.h(365):

```objc
// Requested SSL security level.  See: http://developer.apple.com/library/mac/#documentation/CoreFoundation/Reference/CFSocketStreamRef/Reference/reference.html
// CFStringRef is already a pointer type, so the ivar holds a plain CFStringRef (not CFStringRef *).
CFStringRef sslSecurityLevel;
```

ASIHTTPRequest.h(952):

```objc
@property (assign) CFStringRef sslSecurityLevel;
```

ASIHTTPRequest.m(1146):

```objc
// Use requested SSL security level: only set kCFStreamSSLLevel when the caller asked for one,
// otherwise the stream keeps its default negotiation behaviour.
if ([self sslSecurityLevel] != NULL) {
    [sslProperties setObject:(NSString *)[self sslSecurityLevel] forKey:(NSString *)kCFStreamSSLLevel];
}
```

ASIHTTPRequest.m(4546):

```objc
@synthesize sslSecurityLevel;
```

Example

```objc
// The constant is already a CFStringRef, so no cast is needed.
[request setSslSecurityLevel:kCFStreamSocketSecurityLevelSSLv3];
```
@aidansteele (Contributor) commented

Is there a reason you cannot use kCFStreamSocketSecurityLevelNegotiatedSSL? Its description seems to imply that it should handle falling back to SSL should TLS not be supported.

@erikvip (Author) commented Jan 19, 2011

I tried using kCFStreamSocketSecurityLevelNegotiatedSSL before making the property, but the problem remains.

It does not appear to auto negotiate anything, it only tries TLS and then gives up.

I haven't seen this issue on any other SSL sites (I've only tested a few), just the one I need to connect to exhibits this problem.

But, this site works fine in every other browser (including Mobile Safari) - maybe a misconfigured SSL server?

Would be nice to have the option of specifying the SSL version though, just in case it's necessary for somebody (as in my case).

Supported Ciphers

Using the script from here, the supported ciphers on the server are listed below.

I'm not an SSL guru & don't have access to modify this SSL config, but on this particular config, ASIHTTP does not connect without the kCFStreamSocketSecurityLevelSSLv3 option.

```
Testing ADH-SEED-SHA...NO (sslv3 alert handshake failure)
Testing DHE-RSA-SEED-SHA...NO (sslv3 alert handshake failure)
Testing DHE-DSS-SEED-SHA...NO (sslv3 alert handshake failure)
Testing SEED-SHA...NO (sslv3 alert handshake failure)
Testing ADH-AES256-SHA...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES256-SHA...NO (sslv3 alert handshake failure)
Testing DHE-DSS-AES256-SHA...NO (sslv3 alert handshake failure)
Testing AES256-SHA...NO (sslv3 alert handshake failure)
Testing ADH-AES128-SHA...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES128-SHA...NO (sslv3 alert handshake failure)
Testing DHE-DSS-AES128-SHA...NO (sslv3 alert handshake failure)
Testing AES128-SHA...NO (sslv3 alert handshake failure)
Testing ADH-DES-CBC3-SHA...YES
Testing ADH-DES-CBC-SHA...YES
Testing EXP-ADH-DES-CBC-SHA...NO (sslv3 alert handshake failure)
Testing ADH-RC4-MD5...YES
Testing EXP-ADH-RC4-MD5...NO (sslv3 alert handshake failure)
Testing EDH-RSA-DES-CBC3-SHA...NO (sslv3 alert handshake failure)
Testing EDH-RSA-DES-CBC-SHA...NO (sslv3 alert handshake failure)
Testing EXP-EDH-RSA-DES-CBC-SHA...NO (sslv3 alert handshake failure)
Testing EDH-DSS-DES-CBC3-SHA...NO (sslv3 alert handshake failure)
Testing EDH-DSS-DES-CBC-SHA...NO (sslv3 alert handshake failure)
Testing EXP-EDH-DSS-DES-CBC-SHA...NO (sslv3 alert handshake failure)
Testing DES-CBC3-SHA...YES
Testing DES-CBC-SHA...YES
Testing EXP-DES-CBC-SHA...YES
Testing EXP-RC2-CBC-MD5...NO (sslv3 alert handshake failure)
Testing RC4-SHA...YES
Testing RC4-MD5...YES
Testing EXP-RC4-MD5...YES
Testing DES-CBC3-MD5...NO (sslv3 alert handshake failure)
Testing DES-CBC-MD5...NO (sslv3 alert handshake failure)
Testing EXP-RC2-CBC-MD5...NO (sslv3 alert handshake failure)
Testing RC2-CBC-MD5...NO (sslv3 alert handshake failure)
Testing EXP-RC4-MD5...YES
Testing RC4-MD5...YES
Testing NULL-SHA...NO (sslv3 alert handshake failure)
Testing NULL-MD5...NO (sslv3 alert handshake failure)
```

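As an added example (not code from this issue or from ASIHTTPRequest), a small Python parser for the scan-output format quoted above: it lists which suites the server accepted and flags why each one is considered weak, which is the kind of check that turns "may be a misconfigured SSL server" into a concrete finding. The embedded sample lines are constructed in that same format.

```python
import re
from typing import Dict, List

# Constructed sample in the same format as the cipher-scan output quoted in the issue.
SAMPLE_SCAN = """\
Testing AES128-SHA...NO (sslv3 alert handshake failure)
Testing ADH-DES-CBC3-SHA...YES
Testing EXP-DES-CBC-SHA...YES
Testing RC4-MD5...YES
Testing DES-CBC3-SHA...YES
Testing NULL-MD5...NO (sslv3 alert handshake failure)
Testing EXP-RC4-MD5...YES
Testing RC4-MD5...YES
"""

LINE_RE = re.compile(r"^Testing\s+(\S+?)\.\.\.(YES|NO)")

def accepted_ciphers(scan_output: str) -> List[str]:
    """Return the accepted cipher names in scan order, skipping repeats."""
    seen: List[str] = []
    for line in scan_output.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(2) == "YES" and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen

def weaknesses(cipher: str) -> List[str]:
    """Classify one OpenSSL-style cipher name by the weaknesses its components imply."""
    parts = cipher.split("-")
    issues: List[str] = []
    if parts[0] == "EXP":
        issues.append("export-grade key length")
    if "ADH" in parts or "AECDH" in parts:
        issues.append("anonymous key exchange (no server authentication)")
    if "NULL" in parts:
        issues.append("no encryption")
    if "RC4" in parts:
        issues.append("RC4 stream cipher")
    if "DES" in parts and "CBC3" not in parts:
        issues.append("single DES (56-bit)")
    if "CBC3" in parts:
        issues.append("3DES (64-bit block)")
    if parts[-1] == "MD5":
        issues.append("MD5 MAC")
    return issues

def assess(scan_output: str) -> Dict[str, List[str]]:
    """Map each accepted cipher to its weaknesses (an empty list means nothing flagged)."""
    return {c: weaknesses(c) for c in accepted_ciphers(scan_output)}
```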
@aidansteele (Contributor) commented

Perhaps it is a misconfigured SSL server, but this would be beyond me. Just wanted to check that you were aware of the auto-negotiation option.

In any case, I agree: having the ability to specify a version would be handy sometimes.
