iOS 9 app download from Amazon S3 SSL error: TLS 1.2 support


Question

I get

An SSL error has occurred and a secure connection to the server cannot be made.

on iOS 9 if I try to download a file from amazon s3: https://s3.amazonaws.com/xyz/qer/IMG_0001.JPG

From what I understand Amazon s3 supports TLS 1.2, see: https://forums.aws.amazon.com/thread.jspa?threadID=192512

"S3 and Kinesis support TLS 1.2 at this time." Aug 23, 2015 9:19 PM

Not sure then why I get this SSL error. Should the account be configured to take advantage of TLS 1.2? I would've guessed that this should be 'on' by default.

I don't want to put this domain in the Info.plist.

I ended up using

<key>NSAppTransportSecurity</key> 
<dict> 
  <key>NSExceptionDomains</key> 
  <dict> 
    <key>s3.amazonaws.com</key> 
    <dict> 
      <key>NSExceptionRequiresForwardSecrecy</key> 
        <false/> 
      <key>NSIncludesSubdomains</key> 
        <true/> 
    </dict> 
  </dict> 
</dict>

Answer

Edit 2016-01-03: The renewed certificate for s3.amazonaws.com uses the SHA256 algorithm and complies with ATS requirements.

Original answer: s3.amazonaws.com uses a SHA1 certificate that does not meet ATS requirements, resulting in a hard failure. Per the App Transport Security Technote, ATS in iOS 9 has the following requirements:

  1. The server must support at least Transport Layer Security (TLS) protocol version 1.2.

  2. Connection ciphers are limited to those that provide forward secrecy, namely:

     TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  3. Certificates must be signed using a SHA256 or greater signature hash algorithm, with either a 2048-bit or greater RSA key or a 256-bit or greater Elliptic-Curve (ECC) key.

    Invalid certificates result in a hard failure and no connection.

    SSL Labs' SSL server test (https://www.ssllabs.com/ssltest/analyze.html?d=s3.amazonaws.com) includes a handshake simulation for ATS in iOS 9 that indicates a failure for s3.amazonaws.com.
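The three requirements in the answer can be checked mechanically, which is what the SSL Labs handshake simulation does. The following is an added example, not code from the original post, from Apple or from AWS: a Python evaluator that takes the negotiated protocol, cipher suite, certificate signature hash and key size and reports which iOS 9 ATS rules a connection would fail, plus a live probe that fills those fields in from a real handshake. Protocol and cipher come from the standard library's ssl module; the certificate fields need the third-party cryptography package and are reported as unknown without it. The allow-list is exactly the iOS 9 list quoted above, so TLS 1.3 suites (which later iOS releases negotiate) are flagged unless ATS_CIPHERS is extended. The sample connection parameters are constructed to match the 2015 situation the answer describes, and all function and variable names are my own.

```python
"""Check negotiated TLS parameters against the iOS 9 ATS requirements quoted
in the answer above. Added example; not code from the original post."""
import socket
import ssl
import sys

# The forward-secret suites listed in the ATS technote, in IANA notation.
ATS_CIPHERS = frozenset({
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
})
ACCEPTED_HASHES = ("sha256", "sha384", "sha512")
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}


def openssl_to_iana(name):
    """Translate an OpenSSL cipher name (what ssl.SSLSocket.cipher() returns)
    into the IANA form used in the ATS list, e.g.
    ECDHE-RSA-AES128-GCM-SHA256 -> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
    Names already in IANA form (TLS 1.3 suites) or not following the
    kx-auth-AESnnn[-GCM]-mac pattern are returned unchanged."""
    if name.startswith("TLS_"):
        return name
    parts = name.split("-")
    if len(parts) < 4 or not parts[2].startswith("AES"):
        return name
    kx, auth, enc, mac = parts[0], parts[1], parts[2], parts[-1]
    mode = "GCM" if "GCM" in parts else "CBC"   # OpenSSL omits "CBC"
    return f"TLS_{kx}_{auth}_WITH_AES_{enc[3:]}_{mode}_{mac}"


def ats_violations(conn):
    """conn: dict with protocol ("TLSv1.2"), cipher (OpenSSL or IANA name),
    sig_hash ("sha1", "sha256", ...), key_type ("RSA"/"EC") and key_bits.
    Returns a list of violated ATS rules; an empty list means ATS would
    accept the connection. Unknown certificate fields count as failures,
    since a rule that cannot be verified cannot be considered satisfied."""
    problems = []
    proto = conn.get("protocol")
    if proto not in ("TLSv1.2", "TLSv1.3"):
        problems.append(f"protocol {proto}: ATS requires TLS 1.2 or later")
    cipher = openssl_to_iana(conn.get("cipher") or "")
    if cipher not in ATS_CIPHERS:
        problems.append(f"cipher {cipher}: not a forward-secret suite on the ATS list")
    sig = conn.get("sig_hash")
    if sig is None:
        problems.append("certificate signature hash unknown")
    elif sig.lower() not in ACCEPTED_HASHES:
        problems.append(f"certificate signed with {sig}: ATS requires SHA-256 or stronger")
    key_type, key_bits = conn.get("key_type"), conn.get("key_bits")
    if key_type not in MIN_KEY_BITS or key_bits is None:
        problems.append("certificate key type or size unknown")
    elif key_bits < MIN_KEY_BITS[key_type]:
        problems.append(f"{key_type} key of {key_bits} bits: "
                        f"ATS requires at least {MIN_KEY_BITS[key_type]}")
    return problems


def probe(host, port=443, timeout=5.0):
    """Perform a real handshake and build the conn dict for ats_violations().
    Protocol and cipher come from the standard library. The certificate's
    signature hash and key size are not exposed by the ssl module, so they
    are read with the third-party 'cryptography' package when it is
    installed and left as None (reported as unknown) otherwise."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            conn = {"protocol": tls.version(), "cipher": tls.cipher()[0],
                    "sig_hash": None, "key_type": None, "key_bits": None}
            der = tls.getpeercert(binary_form=True)
    try:
        from cryptography import x509
        from cryptography.hazmat.primitives.asymmetric import ec, rsa
    except ImportError:
        return conn
    cert = x509.load_der_x509_certificate(der)
    alg = cert.signature_hash_algorithm      # None for e.g. Ed25519 signatures
    conn["sig_hash"] = alg.name if alg is not None else None
    pub = cert.public_key()
    if isinstance(pub, rsa.RSAPublicKey):
        conn["key_type"], conn["key_bits"] = "RSA", pub.key_size
    elif isinstance(pub, ec.EllipticCurvePublicKey):
        conn["key_type"], conn["key_bits"] = "EC", pub.curve.key_size
    return conn


if __name__ == "__main__":
    # Constructed sample: what the answer describes for s3.amazonaws.com in
    # 2015 (ECDHE on TLS 1.2, but a SHA-1-signed certificate).
    sample = {"protocol": "TLSv1.2", "cipher": "ECDHE-RSA-AES128-GCM-SHA256",
              "sig_hash": "sha1", "key_type": "RSA", "key_bits": 2048}
    target = probe(sys.argv[1]) if len(sys.argv) > 1 else sample
    for line in ats_violations(target) or ["no ATS violations"]:
        print(line)
```

Run it with no argument to evaluate the constructed 2015 sample, which fails only on the SHA-1 signature, or with a hostname to probe a live server. The probe deliberately uses the default context rather than pinning TLS 1.2 or an ECDHE-only cipher list: the point is to see what the server actually negotiates with an ordinary client and then judge that against the ATS rules, the same way the SSL Labs simulation does.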
