iOS 11 and 12 installed certificates not trusted automatically (self signed)


Question


On our internal network, we use a self-signed CA certificate. This has worked fine for years, in both Safari and our iOS product, all the way through iOS 10. We simply install the CA certificate on any new device or simulator and everything works, even with ATS. This allows access to all of our internal test servers without having to trust each server individually.

Starting with iOS 11 the installed CA certificate no longer allows Safari or our app to trust the certificate for any of the servers. We receive the following relevant details with CFNETWORK_DIAGNOSTICS enabled for our app:

Error Domain=kCFErrorDomainCFNetwork Code=-1200
_kCFNetworkCFStreamSSLErrorOriginalValue=-9802
_kCFStreamErrorDomainKey=3
_kCFStreamErrorCodeKey=-9802
NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made.
NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?

I spent considerable time trying to resolve this issue, scouring StackOverflow and the rest of the web. Although we use AFNetworking in our app, that seems to be irrelevant, as Safari no longer trusts these servers via the CA. Disabling ATS via NSAllowsArbitraryLoads allows access to the servers, but obviously isn't a solution.

No changes have been made to our -URLSession:didReceiveChallenge:completionHandler code, and we have a proper (worked for years) implementation of challenge response via challenge.protectionSpace.serverTrust.

I have re-evaluated and tested both the CA and server certificates every way I can think of, and they work everywhere except iOS 11. What might have changed in ATS for iOS 11 that could cause this issue?

Solution

While writing this question, I discovered the answer. Installing a CA from Safari no longer automatically trusts it. I had to manually trust it from the Certificate Trust Settings panel (also mentioned in this question).

I debated canceling the question, but I thought it might be helpful to have some of the relevant code and log details someone might be looking for. Also, I never encountered the issue until iOS 11. I even went back and reconfirmed that it automatically works up through iOS 10.

I've never needed to touch that settings panel before, because any installed certificates were automatically trusted. Maybe it will change by the time iOS 11 ships, but I doubt it. Hopefully this helps save someone the time I wasted.

If anyone knows why this behaves differently for some people on different versions of iOS, I'd love to know in comments.

Update: Checking out the first iOS 12 beta, it looks like things remain the same. This question/answer/comments are still relevant on iOS 12.
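The device-side fix is the one the answer describes: on iOS 10.3 and later a root installed from a profile appears under Settings > General > About > Certificate Trust Settings and must be switched on there before Safari or any app using default trust evaluation will accept it. The in-app alternative, shown below as an added example that is not code from the question or the answer, is to anchor the challenge's serverTrust to the internal CA inside the app for internal hosts only, which removes the per-device step and avoids NSAllowsArbitraryLoads. The class name, the bundled resource name internal-ca.cer and the host suffix .test.example are assumptions.

```swift
import Foundation
import Security

/// URLSession delegate that trusts servers issued by one internal CA, independent of the
/// device's Certificate Trust Settings. Example code; names and the host suffix are assumptions.
final class InternalCASessionDelegate: NSObject, URLSessionDelegate {
    private let internalAnchor: SecCertificate
    private let internalHostSuffix: String

    /// - Parameters:
    ///   - derCertificate: the internal CA certificate in DER form (e.g. loaded from the app bundle).
    ///   - hostSuffix: only hosts ending in this suffix are evaluated against the internal CA.
    init?(derCertificate: Data, hostSuffix: String) {
        guard let cert = SecCertificateCreateWithData(nil, derCertificate as CFData) else {
            return nil // not valid DER
        }
        internalAnchor = cert
        internalHostSuffix = hostSuffix
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = space.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Public hosts keep the system trust store; the internal CA must never vouch for them.
        guard space.host.hasSuffix(internalHostSuffix) else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Replace the system anchors with the internal CA for this evaluation only. The trust
        // object already carries the SSL policy for space.host, so hostname matching still applies.
        _ = SecTrustSetAnchorCertificates(trust, [internalAnchor] as CFArray)
        _ = SecTrustSetAnchorCertificatesOnly(trust, true)

        if InternalCASessionDelegate.evaluate(trust) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Reject explicitly rather than falling back to default handling, which would just
            // surface the -1200 / -9802 failure from the question.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }

    /// Evaluates the trust on iOS 11 (SecTrustEvaluate) and iOS 12+ (SecTrustEvaluateWithError).
    private static func evaluate(_ trust: SecTrust) -> Bool {
        if #available(iOS 12.0, macOS 10.14, *) {
            var error: CFError?
            let ok = SecTrustEvaluateWithError(trust, &error)
            if !ok, let error = error {
                print("trust evaluation failed:", error)
            }
            return ok
        } else {
            var result = SecTrustResultType.invalid
            guard SecTrustEvaluate(trust, &result) == errSecSuccess else { return false }
            return result == .unspecified || result == .proceed
        }
    }
}

/// Usage: ship the internal CA in the app bundle (debug/test builds only) and hand the
/// delegate to the session. Resource name and suffix are assumed values.
func makeInternalSession() -> URLSession? {
    guard let url = Bundle.main.url(forResource: "internal-ca", withExtension: "cer"),
          let der = try? Data(contentsOf: url),
          let delegate = InternalCASessionDelegate(derCertificate: der, hostSuffix: ".test.example")
    else { return nil }
    return URLSession(configuration: .ephemeral, delegate: delegate, delegateQueue: nil)
}
```

Two points worth checking before shipping something like this: keep the internal anchor out of release builds, since it is a second root of trust that the device's settings cannot revoke, and keep the host-suffix guard, so that a compromised internal CA can only affect internal hostnames. ATS still enforces its TLS version and cipher requirements on the connection; only the certificate-trust decision is being overridden here.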
