NSURLSessionConfiguration TLSMinimumSupportedProtocol似乎在iOS上不起作用 [英] NSURLSessionConfiguration TLSMinimumSupportedProtocol looks like doesn't work on iOS

问题描述

从一开始，我如何配置NSURLSession:

From the beginning, how I configure NSURLSession:

auto securityPolicy = self.securityPolicy;

NSURLSessionConfiguration *config = [NSURLSessionConfiguration ephemeralSessionConfiguration];
config.TLSMinimumSupportedProtocol = [CSHTTPSessionWrapper minimumTLSprotocolForSecurityPolicy: securityPolicy]; // this properly sets values kTLSProtocol1, kTLSProtocol11, kTLSProtocol12

self.session = [NSURLSession sessionWithConfiguration: config
                                             delegate: self
                                        delegateQueue: nil];

没什么好想的.

现在，我编写了一些自动化测试，该测试将安全策略设置为TLS 1.0、1.1、1.2，并尝试连接到openssl服务器. 我写了启动该服务器的python脚本:

Now I wrote some automated test which set security policy to TLS 1.0, 1.1, 1.2 and tries connect to openssl servers. I wrote python script which starts this servers:

def run_ssl_server(name, openSSLBinary, port, params):
    print "Starting {0} server on port {1}".format(name, port)

    proc = subprocess.Popen([openSSLBinary, "s_server", "-cert", "testres/server.cert.pem", "-key", "testres/server.key.pem", "-debug", "-www", "-accept"] + [port] + params)
    atexit.register(proc.terminate)

    print "Server started. Pid={0}".format(proc.pid)

def main() :
    … … …
    openSSLBinary = arguments.openSSLBinary # use custom build of openssl

    server_modes = {
        'normal':         ('4433', []),
        'ssl3_only':      ('4435', ['-ssl3'])
    }

    openSSLVersion = open_ssl_tool_version(openSSLBinary)
    if openSSLVersion >= LooseVersion("1.0.0") :
        print "Adding servers which can be configured for openssl 1.0.0"
        server_modes.update({
            'no_tls2' : ('4434', ['-no_tls1_2']),
            'tls1'    : ('4436', ['-tls1']),
            'tls1_1'  : ('4437', ['-tls1_1']),
            'tls1_2'  : ('4438', ['-tls1_2']),
        })
    … … …

由于预装的openssl很老了OpenSSL 0.9.8zh 14 Jan 2016，所以我已经构建了新版本并将其输入到python脚本中.

Since preinstalled openssl is quite old OpenSSL 0.9.8zh 14 Jan 2016 I've build new version and feed it to my python script.

现在，测试正在检查客户端最低TLS版本和服务器TLS版本的所有组合. 在Mac OS上，所有测试都通过了！

Now test are checking all combinations of client minimum TLS version and server TLS version. On Mac OS all tests are passing!

奇怪的是，当客户端的最低TLS版本高于服务器支持的最低TLS版本时，在iOS模拟器上运行的完全相同的测试将失败. NSURLSSession返回成功，没有错误报告(应该报告)！

What is strange exactly same tests run on iOS emulator are failing when client have higher minimum TLS version than server supports. NSURLSSession returns success, no errors are reported (and they should)!

我对套接字(NSInputStream和NSOutputStream)进行了完全相同的测试，并且在Mac和iOS模拟器上运行并且通过了测试，因此问题不在于模拟器上的端口转发.

Exactly same test I did for sockets (NSInputStream and NSOutputStream) and run on Mac and iOS emulator and they are passing, so problem is not a port forwarding on emulator.

NSURLSessionConfiguration TLSMinimumSupportedProtocol似乎无法在iOS上运行！

It looks like that NSURLSessionConfiguration TLSMinimumSupportedProtocol doesn't work on iOS!

有人有任何建议，线索吗? 还是应该向Apple提交错误报告(我讨厌Apple使用的错误跟踪器)?

Does anyone has any advices, clues? Or should I raise a bug report to Apple (I hate bug tracker Apple uses)?

推荐答案

好的问题在iOS 10上无法重现，因此苹果显然已经修复了该错误(我已使用Xcode 8.2.1重新运行测试).

Ok issue is not reproducible on iOS 10, so apparently Apple already fix this bug (I've rerun test with Xcode 8.2.1).

最初，我是使用iOS 9(Xcode 7.2)进行测试的.

Initially I did testing with iOS 9 (Xcode 7.2).

这篇关于NSURLSessionConfiguration TLSMinimumSupportedProtocol似乎在iOS上不起作用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！