IOS9 SSL错误与NSURLSession [英] IOS9 SSL error with NSURLSession
问题描述
我已经开发了它与使用https服务器通信的iOS应用(我也是服务器的开发者,它的嵌入Tomcat服务器)。
I have developed an IOS App that is communicating with a Server using HTTPs (I'm also the developer of the server, it's embedding a Tomcat server).
此应用程序工作不与任何iOS8上的问题,但它不是与IOS9。
This App is working without any issues with IOS8 but it's not with IOS9.
发送HTTPS请求时,我得到了以下错误:
I get the following error when sending an HTTPs request:
Session download has failed : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo=0x7fa9c44b2e40 {NSErrorFailingURLStringKey=https://127.0.0.1:8443/MyServer/MyApp, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorFailingURLKey=https://127.0.0.1:8443/MyServer/MyApp, _kCFStreamErrorCodeKey=-9802, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made.}
根据苹果的文档时,错误code = -1200恰好是
由于TLSv1.1,而不是TLSv1.2工作。我已经验证与OpenSSL的命令,我的服务器使用TLSv1.2工作。
Based on Apple documentation when the error Code=-1200 happens it's because TLSv1.1 instead of TLSv1.2. I have verified with an openSSL command and my server is using TLSv1.2.
在在的info.plist属性设置NSAllowsArbitraryLoads = TRUE,错误消失,但我不想保持这个样子。
When setting in the info.plist the property NSAllowsArbitraryLoads = true, the error disappear but I don't want to keep it like this.
我的服务器使用的是自签名证书,也许这是问题的原因是什么?
下面是code我使用didReceiveChallenge
My server is using a self signed certificate, maybe it's the cause of the issue? Below is the code I'm using for didReceiveChallenge
- (void)URLSession:(NSURLSession *)session didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential *credential))completionHandler {
[RequestURLUtilities dumpChallenge:challenge];
if (challenge.protectionSpace != Nil) {
NSURLProtectionSpace *protection = challenge.protectionSpace;
SecTrustRef sslState = protection.serverTrust;
if (sslState == Nil) {
NSLog(@"%s Warning: empty serverTrust",__PRETTY_FUNCTION__);
}
if ([protection.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
NSLog(@"%s => NSURLAuthenticationMethodServerTrust", __PRETTY_FUNCTION__);
// warning normaly I should check the validity of the SecTrustRef before to trust
NSURLCredential* credential = [NSURLCredential credentialForTrust:sslState];
// Put in command for test
completionHandler(NSURLSessionAuthChallengeUseCredential, credential);
} else {
NSLog(@"%s => Called for another challenge", __PRETTY_FUNCTION__);
completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, NULL);
}
}
我应该创建自己的CA,然后我自己的证书?如何进行?什么不见了?任何帮助将大大AP preciated。
Should I create my own CA and then my own certificates? How to proceed? What is missing? Any help will be greatly appreciated.
塞巴斯蒂安。
推荐答案
与苹果支持经过一番讨论后,这个问题是由于自签名证书。
After some discussion with Apple Support, the issue is due to the self signed certificate.
ATS信任只能由知名CA签发的证书,所有其他被拒绝。其结果是一个自签名证书的唯一解决办法是设定NSExceptionDomains例外。
ATS trusts only certificate signed by a well known CA, all others are rejected. As a consequence the only solution with a Self signed certificate is to set an exception with NSExceptionDomains.
这篇关于IOS9 SSL错误与NSURLSession的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
