Comcast Advanced Security blocks Storage by default on some networks (b/149740656)

[REQUIRED] Step 1: Describe your environment

  • Xcode version: 11.3.1 (11C504)
  • Firebase SDK version: 6.17.0 (fails for multiple versions)
  • Firebase Component: Storage
  • Component version: 3.5.0
  • Installation method: CocoaPods

[REQUIRED] Step 2: Describe the problem

Loading data from Storage using imageView.sd_setImage or using downloadURL causes SSL failure and failure to load data. I’ve appended the log output at the bottom of this bug report (I anonymized the project URL). The code I have used for loading images for our app has not changed in months, but stopped working yesterday. It seems to work still for the simulator on iOS 11.4, but not 12.2 or 13.3. I was also able to reproduce with a brand new project and one-view app.

I have tried fixing it with App Transport Security Settings – Allow Arbitrary Loads = YES – this does not fix it.

The error looks like this:

2020-02-16 09:52:21.432162-0800 FirebaseDo[92100:985470] [BoringSSL] boringssl_context_error_print(1862) boringssl ctx 0x6000039f0390: 140415105779912:error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER:/BuildRoot/Library/Caches/com.apple.xbs/Sources/boringssl_Sim/boringssl-283.60.3/ssl/tls_record.cc:242:
2020-02-16 09:52:21.434125-0800 FirebaseDo[92100:985470] [BoringSSL] boringssl_session_handshake_error_print(111) [C2.1:2][0x7fb4f5c08380] 140415105779912:error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER:/BuildRoot/Library/Caches/com.apple.xbs/Sources/boringssl_Sim/boringssl-283.60.3/ssl/tls_record.cc:242:
2020-02-16 09:52:21.434182-0800 FirebaseDo[92100:985470] [BoringSSL] nw_protocol_boringssl_handshake_negotiate_proceed(726) [C2.1:2][0x7fb4f5c08380] handshake failed at state 12288
2020-02-16 09:52:21.434931-0800 FirebaseDo[92100:985470] Connection 2: received failure notification
2020-02-16 09:52:21.435047-0800 FirebaseDo[92100:985470] Connection 2: failed to connect 3:-9858, reason -1
2020-02-16 09:52:21.435118-0800 FirebaseDo[92100:985470] Connection 2: encountered error(3:-9858)
2020-02-16 09:52:21.480842-0800 FirebaseDo[92100:985470] [BoringSSL] boringssl_session_handshake_error_print(111) [C4.1:2][0x7fb4f0e05380] 140415105779912:error:10000118:SSL routines:OPENSSL_internal:NO_SUPPORTED_VERSIONS_ENABLED:/BuildRoot/Library/Caches/com.apple.xbs/Sources/boringssl_Sim/boringssl-283.60.3/ssl/ssl_versions.cc:234:
Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made."

Full log is at the end.

Steps to reproduce:

To reproduce, simply create a new project that’s hooked up to a Firebase project where you’ve uploaded an image or some other data – I used an image.

Create a one-view app with a button that loads an image from Firebase Storage into an imageview. I’ve provided our AppDelegate and ViewController swift code below.

I have tried fixing it with App Transport Security Settings – Allow Arbitrary Loads = YES – this does not fix it.

Relevant Code:

AppDelegate.swift

...
func application(_ application: UIApplication, didFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey: Any]?) -> Bool {
        // Override point for customization after application launch.
        FirebaseApp.configure()
        return true
    }
...

ViewController.swift

import UIKit
import Firebase
import FirebaseUI
class ViewController: UIViewController, FUIAuthDelegate {
    @IBOutlet weak var executeSample: UIButton!
    @IBOutlet weak var imageView: UIImageView!
    @IBAction func execute(_ sender: Any) {
        Auth.auth().signInAnonymously() { (authResult, error) in
            if let error = error {
                print("Error: \(error)")
            }
            guard let user = authResult?.user else { return }
            let isAnonymous = user.isAnonymous  // true
            let uid = user.uid
            let store = Storage.storage()
            let storeRef = store.reference()
            let coverArt = storeRef.child("cover_art.jpg")
            self.imageView.sd_setImage(with: coverArt)
        }
    }
    override func viewDidLoad() {
        super.viewDidLoad()
        // Do any additional setup after loading the view, typically from a nib.
    }
    override func didReceiveMemoryWarning() {
        super.didReceiveMemoryWarning()
        // Dispose of any resources that can be recreated.
    }
}

Full Logs:

2020-02-16 09:52:10.800736-0800 FirebaseDo[92100:985334] <Warning>: Please set a value for FacebookAutoLogAppEventsEnabled. Set the flag to TRUE if you want to collect app install, app launch and in-app purchase events automatically. To request user consent before collecting data, set the flag value to FALSE, then change to TRUE once user consent is received. Learn more: https://developers.facebook.com/docs/app-events/getting-started-app-events-ios#disable-auto-events.
2020-02-16 09:52:10.800884-0800 FirebaseDo[92100:985334] <Warning>: You haven't set a value for FacebookAdvertiserIDCollectionEnabled. Set the flag to TRUE if you want to collect Advertiser ID for better advertising and analytics results. To request user consent before collecting data, set the flag value to FALSE, then change to TRUE once user consent is received. Learn more: https://developers.facebook.com/docs/app-events/getting-started-app-events-ios#disable-auto-events.
2020-02-16 09:52:10.981648-0800 FirebaseDo[92100:985468] 6.17.0 - [Firebase/Analytics][I-ACS023007] Analytics v.60202000 started
2020-02-16 09:52:10.981841-0800 FirebaseDo[92100:985468] 6.17.0 - [Firebase/Analytics][I-ACS023008] To enable debug logging set the following application argument: -FIRAnalyticsDebugEnabled (see http://goo.gl/RfcP7r)
2020-02-16 09:52:11.002604-0800 FirebaseDo[92100:985474] 6.17.0 - [Firebase/Analytics][I-ACS031025] Analytics screen reporting is enabled. Call +[FIRAnalytics setScreenName:setScreenClass:] to set the screen name or override the default screen class name. To disable screen reporting, set the flag FirebaseScreenReportingEnabled to NO (boolean) in the Info.plist
2020-02-16 09:52:11.005015-0800 FirebaseDo[92100:985475] 6.17.0 - [Firebase/Analytics][I-ACS023012] Analytics collection enabled
2020-02-16 09:52:11.030681-0800 FirebaseDo[92100:985334] FBSDKLog: Missing [FBSDKAppEvents appID] for [FBSDKAppEvents publishInstall:]
2020-02-16 09:52:11.031954-0800 FirebaseDo[92100:985334] FBSDKLog: Missing [FBSDKAppEvents appEventsState.appID] for [FBSDKAppEvents flushOnMainQueue:]
2020-02-16 09:52:21.432076-0800 FirebaseDo[92100:985470] [BoringSSL] boringssl_context_handle_fatal_alert(1872) [C2.1:2][0x7fb4f5c08380] write alert, level: fatal, description: protocol version
2020-02-16 09:52:21.432162-0800 FirebaseDo[92100:985470] [BoringSSL] boringssl_context_error_print(1862) boringssl ctx 0x6000039f0390: 140415105779912:error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER:/BuildRoot/Library/Caches/com.apple.xbs/Sources/boringssl_Sim/boringssl-283.60.3/ssl/tls_record.cc:242:
2020-02-16 09:52:21.434125-0800 FirebaseDo[92100:985470] [BoringSSL] boringssl_session_handshake_error_print(111) [C2.1:2][0x7fb4f5c08380] 140415105779912:error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER:/BuildRoot/Library/Caches/com.apple.xbs/Sources/boringssl_Sim/boringssl-283.60.3/ssl/tls_record.cc:242:
2020-02-16 09:52:21.434182-0800 FirebaseDo[92100:985470] [BoringSSL] nw_protocol_boringssl_handshake_negotiate_proceed(726) [C2.1:2][0x7fb4f5c08380] handshake failed at state 12288
2020-02-16 09:52:21.434931-0800 FirebaseDo[92100:985470] Connection 2: received failure notification
2020-02-16 09:52:21.435047-0800 FirebaseDo[92100:985470] Connection 2: failed to connect 3:-9858, reason -1
2020-02-16 09:52:21.435118-0800 FirebaseDo[92100:985470] Connection 2: encountered error(3:-9858)
2020-02-16 09:52:21.458303-0800 FirebaseDo[92100:985470] [BoringSSL] boringssl_context_handle_fatal_alert(1872) [C3.1:2][0x7fb4f5e02980] write alert, level: fatal, description: protocol version
2020-02-16 09:52:21.458407-0800 FirebaseDo[92100:985470] [BoringSSL] boringssl_context_error_print(1862) boringssl ctx 0x6000039e06e0: 140415105779912:error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER:/BuildRoot/Library/Caches/com.apple.xbs/Sources/boringssl_Sim/boringssl-283.60.3/ssl/tls_record.cc:242:
2020-02-16 09:52:21.458685-0800 FirebaseDo[92100:985470] [BoringSSL] boringssl_session_handshake_error_print(111) [C3.1:2][0x7fb4f5e02980] 140415105779912:error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER:/BuildRoot/Library/Caches/com.apple.xbs/Sources/boringssl_Sim/boringssl-283.60.3/ssl/tls_record.cc:242:
2020-02-16 09:52:21.458760-0800 FirebaseDo[92100:985470] [BoringSSL] nw_protocol_boringssl_handshake_negotiate_proceed(726) [C3.1:2][0x7fb4f5e02980] handshake failed at state 12288
2020-02-16 09:52:21.459937-0800 FirebaseDo[92100:985470] Connection 3: received failure notification
2020-02-16 09:52:21.460097-0800 FirebaseDo[92100:985470] Connection 3: failed to connect 3:-9858, reason -1
2020-02-16 09:52:21.460164-0800 FirebaseDo[92100:985470] Connection 3: encountered error(3:-9858)
2020-02-16 09:52:21.480842-0800 FirebaseDo[92100:985470] [BoringSSL] boringssl_session_handshake_error_print(111) [C4.1:2][0x7fb4f0e05380] 140415105779912:error:10000118:SSL routines:OPENSSL_internal:NO_SUPPORTED_VERSIONS_ENABLED:/BuildRoot/Library/Caches/com.apple.xbs/Sources/boringssl_Sim/boringssl-283.60.3/ssl/ssl_versions.cc:234:
2020-02-16 09:52:21.480986-0800 FirebaseDo[92100:985470] [BoringSSL] nw_protocol_boringssl_handshake_negotiate_proceed(726) [C4.1:2][0x7fb4f0e05380] handshake failed at state 0
2020-02-16 09:52:21.482421-0800 FirebaseDo[92100:985470] Connection 4: received failure notification
2020-02-16 09:52:21.482551-0800 FirebaseDo[92100:985470] Connection 4: failed to connect 3:-9858, reason -1
2020-02-16 09:52:21.482665-0800 FirebaseDo[92100:985470] Connection 4: encountered error(3:-9858)
2020-02-16 09:52:21.485367-0800 FirebaseDo[92100:985470] Task <B7521350-AF90-43FE-AECD-73B4815671E8>.<1> HTTP load failed, 0/0 bytes (error code: -1200 [3:-9858])
2020-02-16 09:52:21.488973-0800 FirebaseDo[92100:985470] Task <B7521350-AF90-43FE-AECD-73B4815671E8>.<1> finished with error [-1200] Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSErrorFailingURLStringKey=https://firebasestorage.googleapis.com/v0/b/sample-project-**_<IDENTIFIER>_**.appspot.com/o/cover_art.jpg?alt=media, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <B7521350-AF90-43FE-AECD-73B4815671E8>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey=(
    "LocalDataTask <B7521350-AF90-43FE-AECD-73B4815671E8>.<1>"
), NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://firebasestorage.googleapis.com/v0/b/sample-project-**_<IDENTIFIER>_**.appspot.com/o/cover_art.jpg?alt=media, NSUnderlyingError=0x600003568930 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9858, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9858}}, _kCFStreamErrorCodeKey=-9858}

11 thoughts on “Comcast Advanced Security blocks Storage by default on some networks (b/149740656)

  1. Having checked my Comcast gateway, I noticed Advanced Security was enabled and that it had labeled firebase.googleapis.com as a threat. I disabled the security feature and restarted the gateway and now I can connect and download from Storage.

    While this works for me, it is very scary to think that my users who have comcast with their new Advanced Security feature are going to be blocked from downloading from Firebase Storage. I had my friend do the same on his gateway and it is now working for him at the other location.

  2. Yup, I hit the same exact issue. And after banging my head with different ATS configurations to no avail, I stumbled on this issue.
    I also use comcast, I am in Seattle WA and also have my Firebase set up in us-central.

    Thanks @dloker for your investigations, it also worked for me when I tried using my cellular “personal hotspot”.

    Here’s a screenshot from my gateway app:
    image

  3. Same issue for my web app users with Comcast. The first reports from my users came early this week Monday 17th.

    The console log puts this error out when I’m using .getDownloadURL() firebase storage function.
    Failed to load resource: net::ERR_SSL_PROTOCOL_ERROR breadcrumbs.js:375

    Tested on multiple browsers.
    Hope this issue can get fixed soon

  4. @morganchen12 much appreciated that you’re keeping us in the loop.

    I spent quite a long time over the past couple days trying to track down a root cause before finding this issue. Any chance this could be bubbled up on the Firebase system status page? Even though the root cause isn’t with Google itself, I’m sure many would appreciate acknowledgment in a more official and easy to find location.

  5. I can also confirm it works now for myself with XFi Advanced Security enabled. I did not have to reboot the router, though.

  6. Yes, they are getting a firebase storage error “max retry time for operation exceeded please try again” when they connect through their corporate network. There are a bunch of big companies that use those firewalls.

    I already filed a support ticket with Firebase