主机支持TLS 1.2，AFNetworking握手失败 [英] Host supports TLS 1.2, AFNetworking handshake failing

问题描述

我试图发布到支持TLS 1.2的服务器上-至少当我在浏览器中执行GET时，我可以验证通信是否使用TLS 1.2以及证书是否已通过证书颁发机构的验证。但是，当我尝试使用AFNetworking iOS 9.0（13A4305g）/ Xcode 7-beta4将代码发布到该服务器时，出现握手失败。

I am trying to post to a server that supports TLS 1.2 -- at least when I perform a GET in a browser I can verify that the communication uses TLS 1.2 and that the cert is validated by a cert authority. However, when I try to POST in my code to that server using AFNetworking iOS 9.0 (13A4305g) / Xcode 7-beta4 I'm getting a handshake failure.

AFHTTPRequestOperationManager *manager = [AFHTTPRequestOperationManager manager];
manager.requestSerializer = [AFHTTPRequestSerializer serializerWithContentType:@"application/x-www-form-urlencoded"];    
manager.responseSerializer = [AFJSONResponseSerializer serializer];    
[manager POST:requestString parameters:@{ @"apiKey" : MY_API_KEY,
                                          @"payload" : [MyParams paramsForPOSTAsJSON] }
  success:^(AFHTTPRequestOperation *operation, NSDictionary *responseDict) {
      ...
} failure:^(AFHTTPRequestOperation *operation, NSError *error) {
      myLog(@"Communication failed: %@", error);
}];

失败：

2015-08-06 15:01:08.398 MyApp[1795:394055] CFNetwork SSLHandshake failed (-9824)
2015-08-06 15:01:08.409 MyApp[1795:394055] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
2015-08-06 15:01:08.412 MyApp[1795:393999] MyClass sendDataToServer Communication failed: Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." ...

我错过了什么吗？我该如何深入研究？假设这是服务器的问题，而不是代码的问题-我该如何窥探呢？

Am I missing something? How can I dig deeper? Suppose it is a problem with the server and not the code - how could I snoop that?

推荐答案

Steffen使我得到了答案，的确是我需要适当的密码。查看端口上受支持密码的一种简便方法是密码扫描工具。 可以在此处找到受支持的密码。一旦能够在完全配置的网站上进行测试，就不需要任何白名单了。对于没有密码的TLS网站，我可以将 NSThirdPartyExceptionRequiresForwardSecrecy 设置为false。

Steffen led me to the answer, and it was indeed that I needed the appropriate ciphers. An easy way to look at the supported ciphers on a port is the cipherscan tool. The ciphers supported for App Transport Security can be found here. Once I was able to test on a fully configured website, I did not need any kind of whitelisting. For TLS sites without the ciphers, I can set NSThirdPartyExceptionRequiresForwardSecrecy to false.

UPDATE

如果您使用的是OS X El Capitan Beta 3或更高版本，则可以使用以下命令：

If you take beta 3 or above of OS X El Capitan, you can use the following command:

nscurl --verbose --ats-diagnostics <host>

这将告诉您需要哪些条目添加到白名单中才能使连接成功。这有助于解密类型为 CFNetwork SSLHandshake失败（-9801）的SSL失败。

This will tell you what entries you would need to add to your whitelist in order to make the connection succeed. This is a great help in demystifying SSL failures of type CFNetwork SSLHandshake failed (-9801).

这篇关于主机支持TLS 1.2，AFNetworking握手失败的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！