iOS App Transport Security不接受TLSv1.2连接,plist例外没有任何区别 [英] iOS App Transport Security not accepting TLSv1.2 connection and plist exceptions not making any difference
问题描述
我有一个iOS应用程序,该应用程序使用SSL/HTTPS与服务器进行通信.服务器提供的证书可以在TLSv1.2上运行(App Transport Security的主要要求).展示此内容的示例URL(可以通过检查证书来验证TLSv1.2)为 https://api.branon.co.uk/checkOnline .
I've got an iOS app which uses SSL/HTTPS to communicate with a server. The server is providing a certificate that works over TLSv1.2 (the main requirement of App Transport Security). An example URL that demonstrates this (where the TLSv1.2 can be verified by checking the certificate) is https://api.branon.co.uk/checkOnline.
但是,该应用程序引发了与应用程序传输层相关的错误-当被Google检索时,该错误暗示这是因为服务器无法在TLSv1.2上运行.错误示例:
However, the app is throwing errors relating to the App Transport Layer - errors that, when Googled - imply it's because the server isn't working over TLSv1.2. An example error is:
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
和:
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
我什至在plist文件中添加了一堆例外,例如:
I even added a bunch of exceptions to the plist file, such as:
<dict>
<key>NSExceptionDomains</key>
<dict>
<key><my top level domain - the app uses a subdomain - allowed below></key>
<dict>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSTemporaryExceptionMinimumTLSVersion</key>
<string>TLSv1.1</string>
</dict>
</dict>
</dict>
</plist>
但这不会改变结果.
使用的证书是由 StartCom 发行的免费证书.我的nginx配置在下面(仅供参考).
The certificate used is a free certificate issued from StartCom. My nginx config is below (just for reference).
server {
listen [::]:443 ssl;
listen 443 ssl;
ssl on;
ssl_certificate /root/ssl/<domain>.crt;
ssl_certificate_key /root/ssl/server.key;
server_name api.<domain>;
access_log /var/log/nginx/api.access.log;
error_log /var/log/nginx/api.error.log;
location ~ ^/([a-zA-Z]+)$ {
proxy_pass http://127.0.0.1:5000/$1;
}
}
有人知道为什么会这样吗?
Does anybody have any idea why this is happening?
谢谢!
更新: 根据@ Paulw11建议的测试结果(如下)运行nscurl的结果,我决定只是尝试完全禁用App Transport Security.我将plist中的App Transport Security词典更改为以下内容:
Update: Following the results of @Paulw11's suggested test (below) running nscurl, I decided just to try disabling App Transport Security entirely. I changed the App Transport Security dictionary in my plist to the below:
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
,仍然出现相同的错误!因此,如果不是App Transport Security,可能是什么原因引起的?我再次遇到的错误是:
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
and am still getting the same error! So if it's not App Transport Security, what could be causing this? That error I'm getting again is:
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
推荐答案
The server does not provide a complete certificate chain in its SSL/TLS handshake. While some clients can handle this and build out a trust chain, others cannot.
您可以通过 https://whatsmychaincert.com/?api找到丢失的中间证书. branon.co.uk ,并在nginx的SSL配置中将其与您站点的证书一起提供.
You can find the missing intermediate certificate via https://whatsmychaincert.com/?api.branon.co.uk and serve it along with your site's certificate in your SSL configuration in nginx.
请记住要删除您可能已设置的所有ATS异常!
Do remember to remove any ATS exceptions that you may have put in place!
这篇关于iOS App Transport Security不接受TLSv1.2连接,plist例外没有任何区别的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
