ios swift POST 错误 NSURLSession/NSURLConnection HTTP 加载失败(kCFStreamErrorDomainSSL，-9824)

Question

在 ios9 上向 https 服务器发送 https post 请求时出现错误

NSURLSession/NSURLConnection HTTP 加载失败(kCFStreamErrorDomainSSL，-9824)发生 SSL 错误，无法与服务器建立安全连接。

我的 info.pst 有

  <key>NSExceptionDomains</key>       <dict>          <key>myserver.com</key>
      <dict>
          <key>NSExceptionRequiresForwardSecrecy</key>
          <false/>
          <key>NSExceptionMinimumTLSVersion</key>
          <string>TLSv1.0</string>
          <key>NSExceptionAllowsInsecureHTTPLoads</key>
          <true/>
          <key>NSIncludesSubdomains</key>
          <true/>             </dict>         </dict>

我尝试使用

禁用 ATS

  <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <true/>
              </dict>

但我得到了一个不同的错误HTTP 加载失败(kCFStreamErrorDomainSSL，-9813)

Myserver.com 使用 TLS 1.0。使用 AES_256_CBC 对连接进行加密，使用 HMAC-SHA1 进行消息身份验证，使用 RSA 作为 key 交换机制。

更新:添加来自 ssllabs.com 的 ssl 报告

Authentication

Server Key and Certificate #1 Subject Dummy Certificate Fingerprint SHA1: 3449de1a15e1ecc81f934aed4587d93b56befd94 Pin SHA256: SLJAAtLuQ5nALXXAWlM30bBFQfurZ+QnxdZK5g4O11E= Common names Dummy Certificate MISMATCH Alternative names - Valid from Wed, 14 Jan 2009 21:36:55 UTC Valid until Tue, 09 Jan 2029 21:36:55 UTC (expires in 12 years and 9 months) Key RSA 1024 bits (Exponent 65537) WEAK Weak key (Debian) No Issuer Dummy Certificate Self-signed Signature algorithm MD5withRSA INSECURE Extended Validation No Certificate Transparency No Revocation information None Trusted No NOT TRUSTED (Why?)

Additional Certificates (if supplied) Certificates provided 1 (491 bytes) Chain issues None

Certification Paths Path #1: Not trusted (path does not chain to a trusted anchor) 1 Sent by server Not in trust store Dummy Certificate Self-signed Fingerprint SHA1: 3449de1a15e1ecc81f934aed4587d93b56befd94 Pin SHA256: SLJAAtLuQ5nALXXAWlM30bBFQfurZ+QnxdZK5g4O11E= RSA 1024 bits (e 65537) / MD5withRSA WEAK KEY Weak or insecure signature, but no impact on root certificate Configuration

Protocols TLS 1.2 No TLS 1.1 No TLS 1.0 Yes SSL 3 No SSL 2 No

Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites at the end) TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128 TLS_RSA_WITH_RC4_128_SHA (0x5) INSECURE 128 TLS_RSA_WITH_RC4_128_MD5 (0x4) INSECURE 128 TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112

Handshake Simulation Android 2.3.7 No SNI 2 RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA No FS Android 4.0.4 RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA No FS Android 4.1.1 RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA No FS Android 4.2.2 RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA No FS Android 4.3 RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA No FS Android 4.4.2 RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA No FS Android 5.0.0 RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA No FS Baidu Jan 2015 RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA No FS BingPreview Jan 2015 RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA No FS Chrome 48 / OS X R RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA No FS Firefox 31.3.0 ESR / Win 7 RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA No FS Firefox 42 / OS X R RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA No FS Firefox 44 / OS X R RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA No FS Googlebot Feb 2015 RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA No FS IE 6 / XP No FS 1 No SNI 2 Server closed connection IE 7 / Vista RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA No FS IE 8 / XP No FS 1 No SNI 2 RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_RC4_128_SHA RC4 IE 8-10 / Win 7 R RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA No FS IE 11 / Win 7 R RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA No FS IE 11 / Win 8.1 R RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA No FS IE 10 / Win Phone 8.0 RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA No FS IE 11 / Win Phone 8.1 R RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA No FS IE 11 / Win Phone 8.1 Update R RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA No FS IE 11 / Win 10 R RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA No FS Edge 13 / Win 10 R RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA No FS Edge 13 / Win Phone 10 R RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA No FS Java 6u45 No SNI 2 RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA No FS Java 7u25 RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA No FS Java 8u31 RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA No FS OpenSSL 0.9.8y RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA No FS OpenSSL 1.0.1l R RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA No FS OpenSSL 1.0.2e R RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA No FS Safari 5.1.9 / OS X 10.6.8 RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA No FS Safari 6 / iOS 6.0.1 R RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA No FS Safari 6.0.4 / OS X 10.8.4 R RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA No FS Safari 7 / iOS 7.1 R RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA No FS Safari 7 / OS X 10.9 R RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA No FS Safari 8 / iOS 8.4 R RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA No FS Safari 8 / OS X 10.10 R RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA No FS Safari 9 / iOS 9 R RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA No FS Safari 9 / OS X 10.11 R RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA No FS Apple ATS 9 / iOS 9 R Server sent fatal alert: handshake_failure Yahoo Slurp Jan 2015 RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA No FS YandexBot Jan 2015 RSA 1024 (MD5) TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA No FS (1) Clients that do not support Forward Secrecy (FS) are excluded when determining support for it. (2) No support for virtual SSL hosting (SNI). Connects to the default site if the server uses SNI. (3) Only first connection attempt simulated. Browsers sometimes retry with a lower protocol version. (R) Denotes a reference browser or client, with which we expect better effective security. (All) We use defaults, but some platforms do not use their best protocols and features (e.g., Java 6 & 7, older IE).

Protocol Details DROWN (experimental) IP Address Port Export Special Status 54.64.244.95 443 Yes Yes Vulnerable (same key with SSL v2) 217.89.70.156 443 Yes Yes Not checked 195.167.179.101 443 Yes Yes Not checked 209.166.166.21 443 Yes Yes Not checked 46.105.254.39 443 Yes Yes Not checked 212.35.116.41 443 Yes No Not checked 54.83.3.22 443 Yes Yes Not checked 120.76.43.8 443 Yes Yes Not checked 52.30.94.252 443 Yes Yes Not checked 116.213.215.22 443 Yes Yes Not checked 202.217.48.250 443 Yes Yes Not checked 52.74.112.186 443 Yes Yes Not checked 134.65.5.183 443 Yes Yes Not checked 146.82.88.157 443 Yes Yes Not checked 79.99.32.99 443 Yes Yes Not checked 185.59.164.24 443 Yes Yes Not checked 195.246.16.19 443 Yes Yes Not checked 193.95.228.59 443 Yes Yes Not checked 52.49.49.147 443 Yes Yes Not checked 209.166.166.58 443 Yes Yes Not checked 206.18.241.170 443 Yes Yes Not checked 68.71.100.110 443 Yes Yes Not checked 54.83.4.144 443 Yes Yes Not checked 144.34.10.154 443 Yes Yes Not checked 121.41.22.133 443 Yes Yes Not checked 89.236.107.116 443 Yes Yes Not checked 116.213.215.21 443 Yes Yes Not checked 211.94.93.245 443 Yes Yes Not checked 52.31.237.200 443 Yes Yes Not checked 31.14.137.165 443 Yes Yes Not checked 209.61.135.205 443 No Yes Not checked 54.65.106.240 443 Yes Yes Not checked 203.182.36.10 443 Yes Yes Not checked 194.126.208.94 443 Yes Yes Not checked 199.43.209.147 443 Yes Yes Not checked 216.32.194.132 443 Yes Yes Not checked 52.74.168.71 443 Yes Yes Not checked 49.231.16.61 443 Yes Yes Not checked 101.231.206.152 443 Yes Yes Not checked 166.78.43.90 443 No Yes Not checked 144.34.10.153 443 Yes Yes Not checked 184.173.17.183 443 Yes Yes Not checked 54.83.4.148 443 Yes Yes Not checked 193.15.201.74 443 Yes Yes Not checked 198.11.237.88 443 Yes Yes Not checked 54.83.4.142 443 Yes Yes Not checked 167.219.19.1 443 Yes Yes Not checked 52.18.134.67 443 Yes Yes Not checked 202.217.48.210 443 Yes Yes Not checked 219.239.94.78 443 Yes Yes Not checked 144.34.10.152 443 Yes Yes Not checked 120.25.144.137 443 Yes Yes Not checked 206.18.241.171 443 Yes Yes Not checked 54.255.177.46 443 Yes Yes Not checked 61.8.234.239 443 Yes Yes Not checked 195.246.16.20 443 Yes Yes Not checked 5.153.50.91 443 Yes Yes Not checked 116.213.215.12 443 Yes Yes Not checked 118.145.20.104 443 Yes Yes Not checked 199.106.146.196 443 Yes Yes Not checked 194.6.195.138 443 Yes Yes Not checked 219.239.94.75 443 Yes Yes Not checked 134.65.7.97 443 Yes Yes Not checked 54.83.4.141 443 Yes Yes Not checked 23.246.192.246 443 Yes Yes Not checked 193.15.201.71 443 Yes Yes Not checked 195.198.142.218 443 Yes Yes Not checked 209.61.135.204 443 No Yes Not checked 144.34.10.151 443 Yes Yes Not checked 54.172.242.114 443 Yes Yes Not checked 116.213.215.16 443 Yes Yes Not checked 116.213.215.39 443 Yes Yes Not checked 139.219.133.76 443 Yes Yes Not checked 72.3.166.215 443 No Yes Not checked 75.89.220.209 443 Yes Yes Not checked 217.89.135.187 443 Yes Yes Not checked 54.209.9.96 443 Yes Yes Not checked 54.83.3.12 443 Yes Yes Not checked 140.239.26.70 443 Yes Yes Not checked 116.213.215.19 443 Yes Yes Not checked 213.221.87.106 443 Yes Yes Not checked 52.48.52.65 443 Yes Yes Not checked 61.160.121.200 443 Yes Yes Not checked 52.18.87.225 443 Yes Yes Not checked 54.77.148.144 443 Yes Yes Not checked 184.173.86.115 443 Yes Yes Not checked 5.153.57.96 443 Yes Yes Not checked 206.18.241.130 443 Yes Yes Not checked 203.126.84.111 443 Yes Yes Not checked 116.213.215.17 443 Yes Yes Not checked 54.209.27.62 443 Yes Yes Not checked 206.18.241.131 443 Yes Yes Not checked (1) For a better understanding of this test, please read this longer explanation (2) Key usage data kindly provided by the Censys network search engine; original DROWN test here (3) Censys data is only indicative of possible key and certificate reuse; possibly out-of-date and incomplete (4) We perform real-time key reuse checks, but stop checking after first confirmed vulnerability (5) The "Special" column indicates vulnerable OpenSSL version; "Export" refers to export cipher suites Secure Renegotiation Supported Secure Client-Initiated Renegotiation No Insecure Client-Initiated Renegotiation No BEAST attack Not mitigated server-side (more info) TLS 1.0: 0x35 POODLE (SSLv3) No, SSL 3 not supported (more info) POODLE (TLS) No (more info) Downgrade attack prevention Unknown (requires support for at least two protocols, excl. SSL2) SSL/TLS compression No RC4 Yes INSECURE (more info) Heartbeat (extension) No Heartbleed (vulnerability) No (more info) OpenSSL CCS vuln. (CVE-2014-0224) No (more info) Forward Secrecy No WEAK (more info) ALPN No NPN No Session resumption (caching) Yes Session resumption (tickets) No OCSP stapling No Strict Transport Security (HSTS) No HSTS Preloading Not in: Chrome Edge Firefox IE Tor Public Key Pinning (HPKP) No Public Key Pinning Report-Only No Long handshake intolerance No TLS extension intolerance No TLS version intolerance TLS 1.98 TLS 2.98 Incorrect SNI alerts No Uses common DH primes No, DHE suites not supported DH public server param (Ys) reuse No, DHE suites not supported SSL 2 handshake compatibility Yes

Miscellaneous Test date Mon, 28 Mar 2016 15:16:39 UTC Test duration 37.404 seconds HTTP status code 302 HTTP forwarding http://myserver.com PLAINTEXT HTTP server signature - Server hostname IP-216-37-62-164.nframe.net

Xcode 7.3OSX 10.11.13Apple Swift 2.2 版

有人可以帮忙吗？

Answer 1

根据 ssllabs 报告:

1. 证书不受信任

2. 即使它是受信任的，该证书对于该域也是无效的

3. 服务器响应重定向(可能是 http 版本)