What is the reason for NSURLSession Trust evaluation fail

Hi All:
We use NSURLSession dataTaskWithRequest to connect to our HTTPS server. However, on one macOS machine we sometimes encounter these errors during the TLS handshake.

default 2024-06-24 17:52:03.054447 +0900 test-app boringssl_context_info_handler(2069) [C1209.1.1:2][0x7f9067117b10] Client handshake state: TLS client read_server_certificate
info 2024-06-24 17:52:03.054462 +0900 test-app boringssl_session_handshake_incomplete(97) [C1209.1.1:2][0x7f9067117b10] Handshake incomplete: waiting for data to read [2]
info 2024-06-24 17:52:03.054552 +0900 test-app boringssl_session_handshake_incomplete(97) [C1209.1.1:2][0x7f9067117b10] Handshake incomplete: waiting for data to read [2]
info 2024-06-24 17:52:03.054557 +0900 test-app boringssl_session_handshake_incomplete(97) [C1209.1.1:2][0x7f9067117b10] Handshake incomplete: waiting for data to read [2]
info 2024-06-24 17:52:03.054590 +0900 test-app boringssl_session_handshake_incomplete(97) [C1209.1.1:2][0x7f9067117b10] Handshake incomplete: waiting for data to read [2]
default 2024-06-24 17:52:03.054769 +0900 test-app boringssl_context_info_handler(2069) [C1209.1.1:2][0x7f9067117b10] Client handshake state: TLS client read_certificate_status
default 2024-06-24 17:52:03.054773 +0900 test-app boringssl_context_info_handler(2069) [C1209.1.1:2][0x7f9067117b10] Client handshake state: TLS client verify_server_certificate
default 2024-06-24 17:52:03.055123 +0900 test-app boringssl_context_evaluate_trust_async(1635) [C1209.1.1:2][0x7f9067117b10] Performing external trust evaluation
default 2024-06-24 17:52:03.055308 +0900 test-app boringssl_context_evaluate_trust_async_external(1620) [C1209.1.1:2][0x7f9067117b10] Asyncing for external verify block
info 2024-06-24 17:52:03.055316 +0900 test-app boringssl_session_handshake_incomplete(97) [C1209.1.1:2][0x7f9067117b10] Handshake incomplete: certificate evaluation result pending [16]
default 2024-06-24 17:52:03.055466 +0900 test-app Connection 1209: asked to evaluate TLS Trust
default 2024-06-24 17:52:03.056082 +0900 test-app Task <407E11A6-12E8-4818-82B4-BC5B4909130F>.<1405> auth completion disp=1 cred=0x0
default 2024-06-24 17:52:03.064388 +0900 test-app Trust evaluate failure: [leaf SSLHostname TemporalValidity]
default 2024-06-24 17:52:03.064390 +0900 test-app System Trust Evaluation yielded status(-9802)
error 2024-06-24 17:52:03.064392 +0900 test-app ATS failed system trust
error 2024-06-24 17:52:03.064393 +0900 test-app Connection 1209: system TLS Trust evaluation failed(-9802)
default 2024-06-24 17:52:03.064393 +0900 test-app Connection 1209: TLS Trust result -9802
error 2024-06-24 17:52:03.064395 +0900 test-app Connection 1209: TLS Trust encountered error 3:-9802
error 2024-06-24 17:52:03.064397 +0900 test-app Connection 1209: encountered error(3:-9802)
default 2024-06-24 17:52:03.064400 +0900 test-app Connection 1209: cleaning up
default 2024-06-24 17:52:03.064404 +0900 test-app Connection 1209: summary for unused connection {protocol="(null)", domain_lookup_duration_ms=0, connect_duration_ms=0, secure_connection_duration_ms=0, private_relay=false, idle_duration_ms=0}
default 2024-06-24 17:52:03.064438 +0900 test-app [C1209 63DEF1F8-AC5F-4285-B32B-D3AE707C513A Hostname#229f20b3:443 tcp, url hash: 693c58e9, tls, definite, attribution: developer] cancel

I found this error: TLS Trust evaluation failed(-9802).

  • I checked the server's certificate; it is OK.
  • On this macOS, this issue happens sometimes, not always.

Thanks for your feedback.

Error -9802 is errSSLFatalAlert. That isn’t super helpful because it can be the result of either a server- or client-side problem. OTOH, this is interesting:

Trust evaluate failure: [leaf SSLHostname TemporalValidity]

This indicates two problems with the leaf certificate:

  • SSLHostname indicates either that the certificate didn’t contain a Subject Alternative Name extension or that the value there didn’t match the host you connected to.

  • TemporalValidity indicates that the certificate’s valid date range doesn’t include the current time.

Written by yangyang_2020 in 758558021
On this macOS, this issue happens sometimes, not always.

In my experience issues like this are usually caused by server-side problems. For example, if you have a group of servers behind a redirector, one of those servers may be having a problem. Or you might have encountered a bug in the redirector itself.

The best way to investigate this is to record a packet trace to see exactly what certificate is being returned to the client by the server. I expect that you’ll find that, when you see this failure, the server has returned the wrong certificate.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
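Once you have the certificate the server actually returned (from the packet trace Quinn suggests, or from `openssl s_client -connect host:443 -servername host -showcerts`), the two checks named in the log line, SSLHostname and TemporalValidity, can be reproduced from the command line. The script below is an added example, not part of the thread and not Apple code; it assumes the openssl CLI (1.1.1 or later) is on PATH, and the certificates it inspects are constructed on the fly so it runs offline.

```sh
#!/bin/sh
# Added example: re-run the SSLHostname and TemporalValidity checks against a
# leaf certificate in PEM form, printing failures in the same vocabulary the
# macOS trust evaluator uses ("Trust evaluate failure: [leaf ...]").
# Assumes: openssl 1.1.1+ on PATH. The certificates below are constructed here
# for demonstration; they are not the ones from the thread.

# san_dns_names CERT.pem  -> one DNS Subject Alternative Name per line
san_dns_names() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# hostname_matches CERT.pem HOST -> 0 if HOST matches a DNS SAN exactly or via
# a wildcard covering exactly one leftmost label (RFC 6125 style). A cert with
# no SAN extension produces no names and therefore never matches.
# (Caveat: this does not reject wildcards on public suffixes such as "*.com".)
hostname_matches() {
  host=$2
  wildcard="*.${host#*.}"   # www.example.test -> *.example.test
  san_dns_names "$1" | grep -qxF -e "$host" -e "$wildcard"
}

# temporally_valid CERT.pem -> 0 while notAfter is still in the future.
# -checkend 0 exits 1 once the certificate has expired. It does not examine
# notBefore, so a certificate that is not yet valid passes this check; the
# system evaluator rejects both cases under "TemporalValidity".
temporally_valid() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# check_leaf CERT.pem HOST -> 0 if both checks pass, 1 otherwise, printing the
# failure reasons in the evaluator's own format.
check_leaf() {
  cert=$1; host=$2; reasons=""
  hostname_matches "$cert" "$host" || reasons="$reasons SSLHostname"
  temporally_valid "$cert"         || reasons="$reasons TemporalValidity"
  if [ -n "$reasons" ]; then
    echo "Trust evaluate failure: [leaf$reasons]"
    return 1
  fi
  echo "leaf OK for $host"
}

# make_test_cert OUT.pem CN SAN_LIST DAYS -> self-signed test certificate
# (constructed input for the demo; the private key is discarded).
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null -out "$1" \
    -days "$4" -subj "/CN=$2" -addext "subjectAltName=$3" >/dev/null 2>&1
}

# Stand-alone demo: one certificate that matches the host, one that does not.
demo_dir=$(mktemp -d)
make_test_cert "$demo_dir/good.pem" api.example.test \
  "DNS:api.example.test,DNS:*.example.test" 1
make_test_cert "$demo_dir/wrong.pem" other.example.invalid \
  "DNS:other.example.invalid" 1
check_leaf "$demo_dir/good.pem"  api.example.test
check_leaf "$demo_dir/wrong.pem" api.example.test || :
rm -rf "$demo_dir"
```

If the "wrong" certificate is what shows up in the trace only some of the time, that points at one member of a server pool or a redirector handing out a different certificate than the rest, which is exactly the server-side cause described above.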
