Ios – FireBase error -9806, SSL error -1200

app-transport-security, firebase, firebase-analytics, ios, ssl

I'm using the new FireBase SDK introduced at I/O 2016 and I'm getting this error after integrating with my app. This happens at app launch.

2016-08-06 06:28:06.237 MyApp[49084:2511094] CFNetwork SSLHandshake failed (-9806)2016-08-06 06:28:06.238 MyApp[49084:2511094] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9806)2016-08-06 06:28:06.453 MyApp[49084:2511094] CFNetwork SSLHandshake failed (-9806)2016-08-06 06:28:06.454 MyApp[49084:2511094] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9806)2016-08-06 06:28:06.854 MyApp[49084:2510825] <Firebase/Network/ERROR> Encounter network error. Error: Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSUnderlyingError=0x7bf93200 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9806, _kCFStreamErrorCodeKey=-9806, _kCFStreamErrorDomainKey=3, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x7bc97840>, kCFStreamPropertySSLPeerCertificates=<CFArray 0x7bcf2420 [0x477d1f8]>{type = immutable, count = 3, values = (0 : <cert(0x7bc96990) s: *.googleapis.com i: Google Internet Authority G2>1 : <cert(0x7bc96fb0) s: Google Internet Authority G2 i: GeoTrust Global CA>2 : <cert(0x7bc97360) s: GeoTrust Global CA i: Equifax Secure Certificate Authority>)}}}, _kCFStreamErrorCodeKey=-9806, NSErrorFailingURLStringKey=https://play.googleapis.com/log, NSErrorPeerCertificateChainKey=<CFArray 0x7bcf2420 [0x477d1f8]>{type = immutable, count = 3, values = (0 : <cert(0x7bc96990) s: *.googleapis.com i: Google Internet Authority G2>1 : <cert(0x7bc96fb0) s: Google Internet Authority G2 i: GeoTrust Global CA>2 : <cert(0x7bc97360) s: GeoTrust Global CA i: Equifax Secure Certificate Authority>)}, NSErrorClientCertificateStateKey=0, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x7bc97840>, NSErrorFailingURLKey=https://play.googleapis.com/log}2016-08-06 06:28:06.856 MyApp[49084:] <FIRAnalytics/ERROR> Encounter network error. Error: Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSUnderlyingError=0x7b968c00 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9806, _kCFStreamErrorCodeKey=-9806, _kCFStreamErrorDomainKey=3, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x7b9abbb0>, kCFStreamPropertySSLPeerCertificates=<CFArray 0x7b8a2420 [0x477d1f8]>{type = immutable, count = 3, values = (    0 : <cert(0x7b9aaf40) s: *.google-analytics.com i: Google Internet Authority G2>    1 : <cert(0x7b9ab280) s: Google Internet Authority G2 i: GeoTrust Global CA>    2 : <cert(0x7b9ab630) s: GeoTrust Global CA i: Equifax Secure Certificate Authority>)}}}, _kCFStreamErrorCodeKey=-9806, NSErrorFailingURLStringKey=https://app-measurement.com/config/app/1:926356559846:ios:74ac6682756d2bd6?app_instance_id=7590DD8CDAF44A3ABE3F39478A9EB2BE&platform=ios&gmp_version=3201, NSErrorPeerCertificateChainKey=<CFArray 0x7b8a2420 [0x477d1f8]>{type = immutable, count = 3, values = (    0 : <cert(0x7b9aaf40) s: *.google-analytics.com i: Google Internet Authority G2>    1 : <cert(0x7b9ab280) s: Google Internet Authority G2 i: GeoTrust Global CA>    2 : <cert(0x7b9ab630) s: GeoTrust Global CA i: Equifax Secure Certificate Authority>)}, NSErrorClientCertificateStateKey=0, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x7b9abbb0>, NSErrorFailingURLKey=https://app-measurement.com/config/app/1:926356559846:ios:74ac6682756d2bd6?app_instance_id=7590DD8CDAF44A3ABE3F39478A9EB2BE&platform=ios&gmp_version=3201}

Best Solution

This is caused by App Transport Security on iOS 9+. Apple imposed restrictions on SSL certificates that not all servers meet.

If you owned the server that is generating this message, I would advise updating to a more secure, modern SSL server certificate. But since it is Google/Firebase's server, all we can do is disable App Transport Security specifically for this domain.

Here is the part listing the domain:

NSErrorFailingURLStringKey=https://app-measurement.com...

You need to add this domain to your Info.plist file as follows:

<key>NSExceptionDomains</key><dict>    <!-- Firebase/Google Analytics server - Disables App Transport Security for this specific domain -->    <key>app-measurement.com</key>    <dict>        <key>NSExceptionAllowsInsecureHTTPLoads</key>        <true/>    </dict></dict>

Keep in mind that allowing insecure connections from a third-party server does potentially introduce a security vulnerability to your app. However, if you are not sending any sensitive data to the Analytics server (which you shouldn't do anyway), then the exposure should be minimal.

According to Apple's ATS documentation, including any ATS exceptions will trigger a review the next time you submit to the App Store, so you may want to consider that as well.