As it turns out, I believe the Secure Transport TLS session cache is to blame.

I also asked the question on the apple developer forums, and got a response from an Apple person. He pointed me to this Apple sample code readme where it says:

At the bottom of the TLS stack on both iOS and Mac OS X is a component known as Secure Transport. Secure Transport maintains a per-process TLS session cache. When you connect via TLS, the cache stores information about the TLS negotiation so that subsequent connections can connect more quickly. The on-the-wire mechanism is described at the link below.

http://en.wikipedia.org/wiki/Transport_Layer_Security#Resumed_TLS_handshake

This presents some interesting gotchas, especially while you’re debugging. For example, consider the following sequence:

1. You use the Debug tab to set the TLS Server Validation to Disabled.

2. You connect to a site with a self-signed identity. The connection succeeds because you’ve disabled TLS server trust validation. This adds an entry to the Secure Transport TLS session cache.

3. You use the Debug tab to set the TLS Server Validation to Default.

4. You immediately connect to the same site as you did in step 2. This should fail, because of the change in server trust validation policy, but it succeeds because you never receive an NSURLAuthenticationMethodServerTrust challenge. Under the covers, Secure Transport has resumed the TLS session, which means that the challenge never bubbles up to your level.

5. On the other hand, if you delay for 11 minutes between steps 3 and 4, things work as expected (well, fail as expected :-). This is because Secure Transport’s TLS session cache has a timeout of 10 minutes.

In the real world this isn’t a huge problem, but it can be very confusing during debugging. There’s no programmatic way to clear the Secure Transport TLS session cache but, as the cache is per-process, you can avoid this problem during debugging by simply quitting and relaunching your application. Remember that, starting with iOS 4, pressing the Home button does not necessarily quit your application. Instead, you should use quit the application from the recent applications list.

So, based on that, a user would have to either kill their app and restart it or wait more than 10 minutes before sending another request.

I did another google search with this new information and found this Apple technical Q&A article that matches this problem exactly. Near the bottom, it mentions adding a trailing ‘.’ to domain names (and hopefully IP addresses) for requests in order to force a TLS session cache miss (if you can’t modify the server in some way, which I can’t), so I am going to try this and hopefully it will work. I will post my findings after I test it.

### EDIT ###

I tested adding a ‘.’ to the end of the ip address, and the request was still completed successfully.

But I was thinking about the problem in general, and there’s really no reason to force another SSL handshake. In my case, the solution to this problem is to keep a copy of the last known SecCertificateRef that was returned from the server. When making another request to the server, if a cached TLS session is used (connection:didReceiveAuthenticationChallenge: was not called), we know that the saved SecCertificateRef is still valid. If connection:didReceiveAuthenticationChallenge: is called, we can get the new SecCertificateRef at that time.