"CFNetwork SSLHandshake失败(-9807)"在“例外域"中具有本地IP的服务器; [英] "CFNetwork SSLHandshake failed (-9807)" with local IP in "Exception Domains"
问题描述
我正在尝试在OS X和iOS(8.1版)上的openssl之间使用SSL TCP连接. Exception Domains具有192.168.0.104.
I'm trying to use SSL TCP connection between openssl on OS X and iOS(8.1 version). Exception Domains has 192.168.0.104.
快速的iOS代码:
class SSLSocketLite {
// The input stream.
private var inStream: NSInputStream?
// The output stream.
private var outStream: NSOutputStream?
// The host to connect to.
private var host: String
// The port to connect on.
private var port: Int
init(inHost:String, inPort:Int) {
host = inHost
port = inPort
NSStream.getStreamsToHostWithName(host, port: port, inputStream: &inStream, outputStream: &outStream)
}
func Open() {
inStream?.open()
outStream?.open()
inStream?.setProperty(NSStreamSocketSecurityLevelTLSv1, forKey: NSStreamSocketSecurityLevelKey)
outStream?.setProperty(NSStreamSocketSecurityLevelTLSv1, forKey: NSStreamSocketSecurityLevelKey)
inStream?.scheduleInRunLoop(.mainRunLoop(), forMode: NSDefaultRunLoopMode)
outStream?.scheduleInRunLoop(.mainRunLoop(), forMode: NSDefaultRunLoopMode)
}
func Read() -> String! {
var buffer = Array<UInt8>(count:1024, repeatedValue: 0)
if inStream!.hasBytesAvailable {
inStream!.read(&buffer, maxLength: 1024)
let responseString = NSString(bytes: buffer, length: buffer.count, encoding: NSUTF8StringEncoding) as! String
return responseString
}
return nil
}
func Write(msg:String) {
let data:NSData = msg.dataUsingEncoding(NSUTF8StringEncoding, allowLossyConversion: false)!
outStream!.write(UnsafePointer(data.bytes), maxLength: data.length)
}
func Close() {
inStream?.close()
outStream?.close()
}
}
class ViewController: UIViewController {
override func viewDidLoad() {
super.viewDidLoad()
let sslsock = SSLSocketLite(inHost: "192.168.0.104", inPort: 1678)
sslsock.Open()
}
override func didReceiveMemoryWarning() {
super.didReceiveMemoryWarning()
// Dispose of any resources that can be recreated.
}
}
在OS X上,我使用以下方法创建了证书和密钥:
On the OS X side I created certificate and key using:
openssl req -x509 -newkey rsa:1024 -keyout key.key -out key.crt -days 365 -nodes
并使用以下命令启动TCP SSL服务器:
and launched TCP SSL server using:
openssl s_server -key key.key -cert key.crt -accept 1678
之后,我在iOS端获得了CFNetwork SSLHandshake failed (-9807),在OS X端获得了bad gethostbyaddr.我该如何解决这个问题?
After that I got CFNetwork SSLHandshake failed (-9807) on the iOS side and bad gethostbyaddr on the OS X side. How can I solve this issue?
UPD:
1. touch openssl-ca.cnf
2.复制粘贴到openssl-ca.cnf中.一行更改了:
2.Copy-pasted in openssl-ca.cnf. One line changed:
commonName_default = localhost
3. openssl req -x509 -config openssl-ca.cnf -newkey rsa:4096 -sha256 -nodes -out cacert.pem -outform PEM
4. touch openssl-server.cnf
5.复制粘贴到openssl-server.cnf中.更改了两行:
5.Copy-pasted in openssl-server.cnf. Two lines changed:
commonName_default = localhost
DNS.1 = localhost
6. openssl req -config openssl-server.cnf -newkey rsa:2048 -sha256 -nodes -out servercert.csr -outform PEM
7.在openssl-ca.cnf中添加了2 +1部分:
7.Added 2 +1 sections in openssl-ca.cnf:
[ CA_default ]
...
base_dir = .
certificate = $base_dir/cacert.pem # The CA certifcate
private_key = $base_dir/cakey.pem # The CA private key
new_certs_dir = $base_dir # Location for new certs after signing
database = $base_dir/index.txt # Database index file
serial = $base_dir/serial.txt # The current serial number
unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
...
####################################################################
[ signing_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ signing_req ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
8. touch index.txt
9. echo '01' > serial.txt
10. openssl ca -config openssl-ca.cnf -policy signing_policy -extensions signing_req -out servercert.pem -infiles servercert.csr
11. openssl x509 -in servercert.pem -inform PEM -out servercert.der -outform DER
12.在iOS项目中添加了servercert.der
12.Added servercert.der in iOS project
13. let sslsock = SSLSocketLite(inHost: "localhost", inPort: 1678)
14.Exception域-> + localhost
14.Exception Domains -> +localhost
15. openssl s_server -key serverkey.pem -cert servercert.pem -accept 1678
openssl-ca.cnf的最终版本:
HOME = .
RANDFILE = $ENV::HOME/.rnd
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
default_days = 1000 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # use public key default MD
preserve = no # keep passed DN ordering
x509_extensions = ca_extensions # The extensions to add to the cert
email_in_dn = no # Don't concat the email in the DN
copy_extensions = copy # Required to copy SANs from CSR to cert
base_dir = .
certificate = $base_dir/cacert.pem # The CA certifcate
private_key = $base_dir/cakey.pem # The CA private key
new_certs_dir = $base_dir # Location for new certs after signing
database = $base_dir/index.txt # Database index file
serial = $base_dir/serial.txt # The current serial number
unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
####################################################################
[ req ]
default_bits = 4096
default_keyfile = cakey.pem
distinguished_name = ca_distinguished_name
x509_extensions = ca_extensions
string_mask = utf8only
####################################################################
[ ca_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Maryland
localityName = Locality Name (eg, city)
localityName_default = Baltimore
organizationName = Organization Name (eg, company)
organizationName_default = Test CA, Limited
organizationalUnitName = Organizational Unit (eg, division)
organizationalUnitName_default = Server Research Department
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = localhost
emailAddress = Email Address
emailAddress_default = test@example.com
####################################################################
[ ca_extensions ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always, issuer
basicConstraints = critical, CA:true
keyUsage = keyCertSign, cRLSign
####################################################################
[ signing_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ signing_req ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
openssl-server.cnf的最终版本:
Final version of openssl-server.cnf:
HOME = .
RANDFILE = $ENV::HOME/.rnd
####################################################################
[ req ]
default_bits = 2048
default_keyfile = serverkey.pem
distinguished_name = server_distinguished_name
req_extensions = server_req_extensions
string_mask = utf8only
####################################################################
[ server_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = MD
localityName = Locality Name (eg, city)
localityName_default = Baltimore
organizationName = Organization Name (eg, company)
organizationName_default = Test CA, Limited
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = localhost
emailAddress = Email Address
emailAddress_default = test@example.com
####################################################################
[ server_req_extensions ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"
####################################################################
[ alternate_names ]
DNS.1 = localhost
iOS输出:
SwiftPlayground [917:31077] CFNetwork SSLHandshake失败(-9807)
SwiftPlayground[917:31077] CFNetwork SSLHandshake failed (-9807)
OpenSSL s_server输出(什么都没有发生):
OpenSSL s_server output(nothing happened):
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
推荐答案
我编写了一个程序包来帮助解决此问题,不幸的是,它是Obj-C,但是我确实有资源可以用来创建可使用新的iOS 13 TLS限制.这是用于创建CA,中间CA和服务器/用户证书的教程的链接.
I wrote a package to help with handling this problem, unfortunately for you it is Obj-C, but I do have resources on there namely for creating certificates that will work with the new iOS 13 TLS restrictions. Here is a link to a tutorial for creating a CA, intermediate CA, and server/user certificates.
https://jamielinux.com/docs/openssl-certificate-authority /introduction.html
如果您完全按照它进行操作,您将拥有有效的证书,但本教程未考虑到最新的更改之一.但是,如果您使用我的配置文件,那么只要您按照本教程的过程进行操作,我就进行了必要的细微更改,以使证书可以正常工作-在这里您可以找到这些配置文件:
If you follow it exactly you will have working certificates, except that the tutorial doesn't take into account one of the most recent changes. However, if you use my configuration files, I made the necessary small changes to make it so that the certificates will work, if you just follow the process of the tutorial - here you can find those configuration files:
https://github.com/eamonwhiter73/IOSObjCWebSockets
您将不得不对配置文件进行一些小的更改-您的基本路径,以及DNS名称始终位于每个文件的底部.
You will have to make a few small changes to the configuration files - your base path, and the DNS names all the way at the bottom of each file.
这篇关于"CFNetwork SSLHandshake失败(-9807)"在“例外域"中具有本地IP的服务器;的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
