Handling App Transport Security (kCFStreamErrorDomainSSL, -9802)


Problem description

You run the following code:

let URL = "https://www.nasa.gov/sites/default/files/wave_earth_mosaic_3.jpg"
let imageData = NSData(contentsOfURL: NSURL(string: URL)!)
UIImage(data: imageData!)

You get:

2015-09-11 16:33:47.433 Cassini[21200:447896] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)

Digging a bit deeper shows a SHA1 signature is used.

maximveksler$ openssl s_client -connect www.nasa.gov:443 < /dev/null 2>/dev/null | openssl x509 -text -in /dev/stdin | grep "Signature Algorithm"
    Signature Algorithm: sha1WithRSAEncryption
    Signature Algorithm: sha1WithRSAEncryption

So as of Sep 11, 2015, NASA is using an insecure connection. Now what?

Recommended answer

Why did it happen?

Because using insecure web is bad for your users' privacy.

Beginning with iOS 9, Apple enforces secure connections that your app makes to any resource accessed via HTTP. This means that the server you are connecting to needs to follow up-to-date secure connection best practices.

As of Sep, 2015 these include:

  • Use HTTPS (and not plain http)
  • Sign the certificate using SHA-2
  • Use Forward Secrecy

More information can be found in the App Transport Security Technote.

Manage your own servers? Fix it! Make sure they are strong and secure. You can verify that your server is good by testing it online with shaaaaaaaaaaaaa.com or locally with any of the methods outlined here: https://www.owasp.org/index.php/Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)

If you are connecting to other servers, there are options to "white list" problematic resources; this is discouraged.

Go to your Info.plist and add the following entries:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>www.nasa.gov</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>

Your plist should look like this:

Note, this is a really really bad idea.

Go to your Info.plist and add the following entries:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

Your plist should look like this:
