iOS 11, 12, and 13 installed certificates not trusted automatically (self signed)

Problem description

On our internal network, we use a self-signed CA certificate. This has worked fine for years, in both Safari and our iOS product, all the way through iOS 10. We simply install the CA certificate on any new device or simulator and everything works, even with ATS. This allows access to all of our internal test servers without having to trust each server individually.

Starting with iOS 11 the installed CA certificate no longer allows Safari or our app to trust the certificate for any of the servers. We receive the following relevant details with CFNETWORK_DIAGNOSTICS enabled for our app:

Error Domain=kCFErrorDomainCFNetwork Code=-1200
_kCFNetworkCFStreamSSLErrorOriginalValue=-9802
_kCFStreamErrorDomainKey=3
_kCFStreamErrorCodeKey=-9802
NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made.
NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?

I spent considerable time trying to resolve this issue, scouring StackOverflow and the rest of the web. Although we use AFNetworking in our app, that seems to be irrelevant, as Safari no longer trusts these servers via the CA. Disabling ATS via NSAllowsArbitraryLoads allows access to the servers, but obviously isn't a solution.

No changes have been made to our -URLSession:didReceiveChallenge:completionHandler code, and we have a proper (worked for years) implementation of challenge response via challenge.protectionSpace.serverTrust.

I have re-evaluated and tested both the CA and server certificates every way I can think of, and they work everywhere except iOS 11. What might have changed in ATS for iOS 11 that could cause this issue?

Recommended answer

While writing this question, I discovered the answer. Installing a CA from Safari no longer automatically trusts it. I had to manually trust it from the Certificate Trust Settings panel (also mentioned in this question).

I debated canceling the question, but I thought it might be helpful to have some of the relevant code and log details someone might be looking for. Also, I never encountered the issue until iOS 11. I even went back and reconfirmed that it automatically works up through iOS 10.

I've never needed to touch that settings panel before, because any installed certificates were automatically trusted. Maybe it will change by the time iOS 11 ships, but I doubt it. Hopefully this helps save someone the time I wasted.

If anyone knows why this behaves differently for some people on different versions of iOS, I'd love to know in comments.

Update 1: Checking out the first iOS 12 beta, it looks like things remain the same. This question/answer/comments are still relevant on iOS 12.

Update 2: Same solution seems to be needed on iOS 13 beta builds as well.
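
An added example, not part of the original question or answer: a diagnostic version of the -URLSession:didReceiveChallenge:completionHandler: delegate that evaluates challenge.protectionSpace.serverTrust against the device's trust settings and logs the reason for a failure instead of bypassing it. In the state the answer describes (CA installed but not yet enabled in Certificate Trust Settings) the evaluation is expected to fail and the connection is cancelled. The class name TrustDiagnosticDelegate is hypothetical.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical class name; the delegate method and Security.framework calls are Apple API.
@interface TrustDiagnosticDelegate : NSObject <NSURLSessionDelegate>
@end

@implementation TrustDiagnosticDelegate

- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler
{
    NSURLProtectionSpace *space = challenge.protectionSpace;
    // Only server-trust challenges are inspected; everything else gets default handling.
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }

    SecTrustRef trust = space.serverTrust;
    BOOL trusted = NO;
    if (trust != NULL) {
        if (@available(iOS 12.0, *)) {
            // iOS 12+: the error object describes why the chain was rejected.
            CFErrorRef error = NULL;
            trusted = SecTrustEvaluateWithError(trust, &error);
            if (error != NULL) {
                NSLog(@"Trust evaluation failed for %@: %@", space.host, (__bridge NSError *)error);
                CFRelease(error);
            }
        } else {
            // iOS 11: older API, only a result code is available.
            SecTrustResultType result = kSecTrustResultInvalid;
            OSStatus status = SecTrustEvaluate(trust, &result);
            trusted = (status == errSecSuccess) &&
                      (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);
            if (!trusted) {
                NSLog(@"Trust evaluation failed for %@: status=%d result=%u",
                      space.host, (int)status, (unsigned)result);
            }
        }
    }

    // Fail closed: never accept a chain the system did not validate.
    if (trusted) {
        completionHandler(NSURLSessionAuthChallengeUseCredential,
                          [NSURLCredential credentialForTrust:trust]);
    } else {
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
    }
}

@end
```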
