子域上的NSURLSession / NSURLConnection HTTP加载失败(kCFStreamErrorDomainSSL,-9802)? [英] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802) on a subdomain?
问题描述
我们的应用程序在我们的生产和开发环境中都运行良好,但在我们的暂存环境中,我们遇到了常见错误:
Our app is working fine on both our production and development environments but on our staging environment we get the common error:
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
根据我的理解,当您尝试时会发生此错误连接到非 https URL。
From my understanding this error occurs when you try to connect to a non https URL.
- 我们使用ngrok作为本地隧道它有一个
httpsurl并且工作正常。 - 对于制作我们也使用
https:// ourdomain。 com并且工作正常。 - 对于暂存,我们使用
https://staging.ourdomain.com并且发生错误。
- We use ngrok for our local tunnel which has a
httpsurl and works fine. - For production we also use
https://ourdomain.comand it works fine. - For staging we use
https://staging.ourdomain.comand the error occurs.
我见过许多解决方案,说明这样做:
I've seen many solutions stating to do this:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
但我的雇主反对禁止ATS只是为了上班,他也反对为我们的暂存网址添加例外的想法。
But my employer is against the idea of disabling ATS just to get staging to work, he is also against the idea of adding an exception for our staging URL.
我们的暂存网址会导致此错误的任何想法抛出或如何修复它?
Any ideas why our staging URL would be causing this error to throw or how to fix it?
ATS诊断输出:
Starting ATS Diagnostics
Configuring ATS Info.plist keys and displaying the result of HTTPS loads to https://staging.domain.co.
A test will "PASS" if URLSession:task:didCompleteWithError: returns a nil error.
================================================================================
Default ATS Secure Connection
---
ATS Default Connection
ATS Dictionary:
{
}
Result : PASS
---
================================================================================
Allowing Arbitrary Loads
---
Allow All Loads
ATS Dictionary:
{
NSAllowsArbitraryLoads = true;
}
Result : PASS
---
================================================================================
Configuring TLS exceptions for staging.domain.co
---
TLSv1.2
ATS Dictionary:
{
NSExceptionDomains = {
"staging.domain.co" = {
NSExceptionMinimumTLSVersion = "TLSv1.2";
};
};
}
Result : PASS
---
---
TLSv1.1
ATS Dictionary:
{
NSExceptionDomains = {
"staging.domain.co" = {
NSExceptionMinimumTLSVersion = "TLSv1.1";
};
};
}
Result : PASS
---
---
TLSv1.0
ATS Dictionary:
{
NSExceptionDomains = {
"staging.domain.co" = {
NSExceptionMinimumTLSVersion = "TLSv1.0";
};
};
}
Result : PASS
---
================================================================================
Configuring PFS exceptions for staging.domain.co
---
Disabling Perfect Forward Secrecy
ATS Dictionary:
{
NSExceptionDomains = {
"staging.domain.co" = {
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : PASS
---
================================================================================
Configuring PFS exceptions and allowing insecure HTTP for staging.domain.co
---
Disabling Perfect Forward Secrecy and Allowing Insecure HTTP
ATS Dictionary:
{
NSExceptionDomains = {
"staging.domain.co" = {
NSExceptionAllowsInsecureHTTPLoads = true;
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : PASS
---
================================================================================
Configuring TLS exceptions with PFS disabled for staging.domain.co
---
TLSv1.2 with PFS disabled
ATS Dictionary:
{
NSExceptionDomains = {
"staging.domain.co" = {
NSExceptionMinimumTLSVersion = "TLSv1.2";
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : PASS
---
---
TLSv1.1 with PFS disabled
ATS Dictionary:
{
NSExceptionDomains = {
"staging.domain.co" = {
NSExceptionMinimumTLSVersion = "TLSv1.1";
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : PASS
---
---
TLSv1.0 with PFS disabled
ATS Dictionary:
{
NSExceptionDomains = {
"staging.domain.co" = {
NSExceptionMinimumTLSVersion = "TLSv1.0";
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : PASS
---
================================================================================
Configuring TLS exceptions with PFS disabled and insecure HTTP allowed for staging.domain.co
---
TLSv1.2 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
NSExceptionDomains = {
"staging.domain.co" = {
NSExceptionAllowsInsecureHTTPLoads = true;
NSExceptionMinimumTLSVersion = "TLSv1.2";
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : PASS
---
---
TLSv1.1 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
NSExceptionDomains = {
"staging.domain.co" = {
NSExceptionAllowsInsecureHTTPLoads = true;
NSExceptionMinimumTLSVersion = "TLSv1.1";
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : PASS
---
---
TLSv1.0 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
NSExceptionDomains = {
"staging.domain.co" = {
NSExceptionAllowsInsecureHTTPLoads = true;
NSExceptionMinimumTLSVersion = "TLSv1.0";
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : PASS
---
================================================================================
推荐答案
App Transport Security是不只是HTTP与HTTPS。您需要使用正确配置的服务器+证书以避免ATS问题。来自Apple文档[1]:
App Transport Security is not just HTTP vs HTTPS. You need to be using properly configured servers+certificates to avoid an ATS issue. From the Apple docs [1]:
服务器必须至少支持传输层安全性(TLS)
协议版本1.2。连接密码仅限于
提供前向保密的密码。证书必须使用SHA256或
更大的签名哈希算法进行签名,使用2048位或更高的
RSA密钥或256位或更高的椭圆曲线(ECC)密钥。无效的
证书导致硬故障且无连接。
The server must support at least Transport Layer Security (TLS) protocol version 1.2. Connection ciphers are limited to those that provide forward secrecy. Certificates must be signed using a SHA256 or greater signature hash algorithm, with either a 2048 bit or greater RSA key or a 256 bit or greater Elliptic-Curve (ECC) key. Invalid certificates result in a hard failure and no connection.
如果您使用的是OS X 10.11(或更高版本) ,您可以使用nscurl进行故障排除。弹出一个终端并运行它:
If you're on OS X 10.11 (or later), you can use nscurl to troubleshoot. Pop open a terminal and run this:
/usr/bin/nscurl --ats-diagnostics https://staging.ourdomain.com
[1] https://developer.apple.com/library/ios/technotes/App-Transport-Security-Technote/index.html
这篇关于子域上的NSURLSession / NSURLConnection HTTP加载失败(kCFStreamErrorDomainSSL,-9802)?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
