iOS 13 TLS issue


Problem description

I have installed iOS 13 beta version and run my framework which contains a lot of network requests, but I got this error:

2019-09-19 15:01:33.566811+0200 ---[395:25439] Connection 4: default TLS Trust evaluation failed(-9814)
2019-09-19 15:01:33.567022+0200 ---[395:25439] Connection 4: TLS Trust encountered error 3:-9814
2019-09-19 15:01:33.567110+0200 ---[395:25439] Connection 4: encountered error(3:-9814)
2019-09-19 15:01:33.569824+0200 ---[395:25439] Connection 4: unable to determine interface type without an established connection
2019-09-19 15:01:33.584952+0200 ---[395:25439] Task <D97FD611-0B48-4DCE-99C9-6A971E5E6524>.<4> HTTP load failed, 0/0 bytes (error code: -1202 [3:-9814])

I tried to find out what causes that problem with no success. Can anyone help me?

Recommended answer

Apple has defined stricter rules for TLS server certificates, starting from iOS 13 and macOS 10.15.

All TLS server certificates must comply with these new security requirements in iOS 13 and macOS 10.15:

TLS server certificates and issuing CAs using RSA keys must use key sizes greater than or equal to 2048 bits. Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS.

TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm. SHA-1 signed certificates are no longer trusted for TLS.

TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of a certificate are no longer trusted.

Additionally, all TLS server certificates issued after July 1, 2019 (as indicated in the NotBefore field of the certificate) must follow these guidelines:

TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID.

TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).

One final point:

Connections to TLS servers violating these new requirements will fail and may cause network failures, apps to fail, and websites to not load in Safari in iOS 13 and macOS 10.15.
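
The requirements listed in the answer above, written out as a checklist function. This is an added example, not part of the original answer and not Apple's code. The `CertFields` container, the rule wording, the sample values, and the reading of "issued after July 1, 2019" as a NotBefore date later than that day are assumptions; the fields are expected to have been read from the certificate beforehand, and the key-size and hash checks should also be run on each issuing CA with `leaf=False`.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"            # id-kp-serverAuth OID
SHA2 = {"sha224", "sha256", "sha384", "sha512"}
CUTOFF = date(2019, 7, 1)                     # assumption: NotBefore later than this day

@dataclass
class CertFields:
    """Hypothetical container for fields already read from one certificate."""
    rsa_bits: int          # 0 when the key is not RSA
    sig_hash: str          # hash named in the signature algorithm, e.g. "sha256"
    san_dns: list          # dNSName entries of the Subject Alternative Name
    eku_oids: list         # OIDs listed in ExtendedKeyUsage
    not_before: datetime
    not_after: datetime

def san_matches(pattern, host):
    """Exact match, or a '*' that covers exactly the left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def violations(cert, host, leaf=True):
    """Return the violated requirements; an empty list means compliant."""
    found = []
    if 0 < cert.rsa_bits < 2048:
        found.append("RSA key smaller than 2048 bits")
    if cert.sig_hash.lower() not in SHA2:
        found.append("signature hash is not SHA-2")
    if not leaf:
        return found       # issuing CA: only the key-size and hash rules apply
    if not any(san_matches(p, host) for p in cert.san_dns):
        found.append("server DNS name not in Subject Alternative Name")
    if cert.not_before.date() > CUTOFF:
        if SERVER_AUTH not in cert.eku_oids:
            found.append("EKU lacks id-kp-serverAuth")
        if cert.not_after - cert.not_before > timedelta(days=825):
            found.append("validity period longer than 825 days")
    return found

# Constructed sample: CN-only certificate, no EKU, three-year lifetime.
LEGACY = CertFields(rsa_bits=2048, sig_hash="sha256", san_dns=[], eku_oids=[],
                    not_before=datetime(2019, 8, 1), not_after=datetime(2022, 8, 1))

if __name__ == "__main__":
    for problem in violations(LEGACY, "api.example.test"):
        print("FAIL:", problem)
```
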
