CFNetwork SSLHandshake failed iOS 9

iOS 9 and OSX 10.11 require TLSv1.2 SSL for all hosts you plan to request data from unless you specify exception domains in your app's Info.plist file.

The syntax for the Info.plist configuration looks like this:

<key>NSAppTransportSecurity</key><dict>  <key>NSExceptionDomains</key>  <dict>    <key>yourserver.com</key>    <dict>      <!--Include to allow subdomains-->      <key>NSIncludesSubdomains</key>      <true/>      <!--Include to allow insecure HTTP requests-->      <key>NSExceptionAllowsInsecureHTTPLoads</key>      <true/>      <!--Include to specify minimum TLS version-->      <key>NSExceptionMinimumTLSVersion</key>      <string>TLSv1.1</string>    </dict>  </dict></dict>

If your application (a third-party web browser, for instance) needs to connect to arbitrary hosts, you can configure it like this:

<key>NSAppTransportSecurity</key><dict>    <!--Connect to anything (this is probably BAD)-->    <key>NSAllowsArbitraryLoads</key>    <true/></dict>

If you're having to do this, it's probably best to update your servers to use TLSv1.2 and SSL, if they're not already doing so. This should be considered a temporary workaround.

As of today, the prerelease documentation makes no mention of any of these configuration options in any specific way. Once it does, I'll update the answer to link to the relevant documentation.

In iOS 10+, the TLS string MUST be of the form "TLSv1.0". It can't just be "1.0". (Sigh)

The following combination of the other Answers works.

Let's say you are trying to connect to a host (YOUR_HOST.COM) that only has TLS 1.0.

Add these to your app's Info.plist

<key>NSAppTransportSecurity</key><dict>    <key>NSExceptionDomains</key>    <dict>        <key>YOUR_HOST.COM</key>        <dict>            <key>NSIncludesSubdomains</key>            <true/>            <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>            <true/>            <key>NSTemporaryExceptionMinimumTLSVersion</key>            <string>TLSv1.0</string>            <key>NSTemporaryExceptionRequiresForwardSecrecy</key>            <false/>        </dict>    </dict></dict>

For more info Configuring App Transport Security Exceptions in iOS 9 and OSX 10.11

Curiously, you’ll notice that the connection attempts to change the http protocol to https to protect against mistakes in your code where you may have accidentally misconfigured the URL. In some cases, this might actually work, but it’s also confusing.

This Shipping an App With App Transport Security covers some good debugging tips

ATS Failure

Most ATS failures will present as CFErrors with a code in the -9800 series. These are defined in the Security/SecureTransport.h header

2015-08-23 06:34:42.700 SelfSignedServerATSTest[3792:683731] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)

CFNETWORK_DIAGNOSTICS

Set the environment variable CFNETWORK_DIAGNOSTICS to 1 in order to get more information on the console about the failure

nscurl

The tool will run through several different combinations of ATS exceptions, trying a secure connection to the given host under each ATS configuration and reporting the result.

nscurl --ats-diagnostics https://example.com