
ios - NSURLSession fails with an SSL page that uses TLS 1.2

Reposted. Author: 太空宇宙. Updated: 2023-11-03 14:50:03

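I am using NSURLConnection to send data to a web service over SSL. The server is signed with a wildcard certificate (*.mydomain.com). The certificate uses RSA SHA256 and TLS 1.2 and is signed by a CA. I am trying to send my data with the following code: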

NSMutableURLRequest *req = [[NSMutableURLRequest alloc] init];
[req setTimeoutInterval:60];
[req setHTTPMethod:@"POST"];
// ... Set content type and add data to body ... //

[req setURL:[NSURL URLWithString:@"https://subdomain.mydomain.com/service/"]];
NSURLSession *session = [NSURLSession sessionWithConfiguration:[NSURLSessionConfiguration defaultSessionConfiguration]];
NSLog(@"Starting Upload");
NSURLSessionDataTask *task = [session dataTaskWithRequest:req
completionHandler:^(NSData *data, NSURLResponse *response, NSError *error){
// .. Handle Completion .. //
}];

[task resume];

When I run the code above, I get the following output.

CFNetwork SSLHandshake failed (-9801)
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)

So, I tried adding the exceptions explained in this post: CFNetwork SSLHandshake failed iOS 9

But had no luck in getting the error to resolve itself. I then switched to using http instead of https, while leaving in the configuration changes explained above and it did work. However, that is far from an ideal solution. The http is fine for testing, but this app will be handling data where SSL is required. How can I get the SSL working?

Edit

Here are the results of running nscurl --ats-diagnostics on the https version of my service url

================================================================================
Default ATS Secure Connection
---
ATS Default Connection
Result : PASS
---
================================================================================
Allowing Arbitrary Loads
---
Allow All Loads
Result : PASS
---
================================================================================
Configuring TLS exceptions for ****
---
TLSv1.2
Result : PASS
---
---
TLSv1.1
Result : PASS
---
---
TLSv1.0
Result : PASS
---
================================================================================
Configuring PFS exceptions for ****
---
Disabling Perfect Forward Secrecy
Result : PASS
---
================================================================================
Configuring PFS exceptions and allowing insecure HTTP for ****
---
Disabling Perfect Forward Secrecy and Allowing Insecure HTTP
Result : PASS
---
================================================================================
Configuring TLS exceptions with PFS disabled for ****
---
TLSv1.2 with PFS disabled
Result : PASS
---
---
TLSv1.1 with PFS disabled
Result : PASS
---
---
TLSv1.0 with PFS disabled
Result : PASS
---
================================================================================
Configuring TLS exceptions with PFS disabled and insecure HTTP allowed for ****
---
TLSv1.2 with PFS disabled and insecure HTTP allowed
Result : PASS
---
---
TLSv1.1 with PFS disabled and insecure HTTP allowed
Result : PASS
---
---
TLSv1.0 with PFS disabled and insecure HTTP allowed
Result : PASS
---
================================================================================

Edit 2

Here are the exceptions I added:

<dict>
<key>mydomain.com</key>
<dict>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSTemporaryExceptionMinimumTLSVersion</key>
<string>1.0</string>
<key>NSTemporaryExceptionRequiresForwardSecrecy</key>
<false/>
</dict>
</dict>

Results of curl -v

*   CAfile: /opt/local/share/curl/curl-ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-SHA384
* Server certificate:
*    subject: C=XXX; ST=XXX; L=XXX; O=XXX; CN=*.mydomain.com
*    start date: 2015-08-17 00:00:00 GMT
*    expire date: 2018-11-14 12:00:00 GMT
*    subjectAltName: subdomain.mydomain.com matched
*    issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
*    SSL certificate verify ok.

Results of openssl s_client -connect

CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=XXX/ST=XXX/L=XXX/O=XXX/CN=*.mydomain.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=XXX/ST=XXX/L=XXX/O=XXX/CN=*.mydomain.com
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3033 bytes and written 490 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: XXX
    Session-ID-ctx: 
    Master-Key: XXX
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1454971371
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

Best answer

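This answer saved my day! It turns out that ATS requires the server to support the ciphers listed under cipher suites here. I can confirm that the suggested fix works.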
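As an added example (not part of the original question or answer), the shell function below reads `openssl s_client` output and reports whether the negotiated protocol and cipher meet the ATS cipher-suite requirement the answer refers to. The suite list is an assumption taken from Apple's iOS 9 ATS documentation and written with OpenSSL cipher names; the helper names and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# OpenSSL names of the ATS forward-secrecy suites. Assumption: list taken from
# Apple's iOS 9 ATS documentation, not from the page.
ATS_SUITES="ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA"

# Constructed samples: the session block quoted in the question, and a
# made-up server that negotiates TLS 1.2 with static-RSA key exchange.
SAMPLE_QUESTION='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384'
SAMPLE_NO_PFS='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA'

# field NAME: print the value of the first "NAME : value" line on stdin.
field() {
    sed -n "s/^ *$1 *: *\([^ ]*\).*/\1/p" | head -n 1
}

# ats_check: read `openssl s_client` output on stdin, print a verdict.
# Returns 0 = pass, 1 = fail, 2 = no SSL-Session block in the input.
ats_check() {
    out=$(cat)
    proto=$(printf '%s\n' "$out" | field Protocol)
    cipher=$(printf '%s\n' "$out" | field Cipher)
    if [ -z "$proto" ] || [ -z "$cipher" ]; then
        echo "unknown: no SSL-Session block found"; return 2
    fi
    case "$proto" in
        TLSv1.3) echo "pass: $proto $cipher"; return 0 ;;  # always ephemeral
        TLSv1.2) ;;
        *) echo "fail: $proto is below the ATS minimum of TLSv1.2"; return 1 ;;
    esac
    for suite in $ATS_SUITES; do
        if [ "$suite" = "$cipher" ]; then
            echo "pass: $proto $cipher"; return 0
        fi
    done
    echo "fail: $cipher is not an ATS forward-secrecy suite"; return 1
}

printf '%s\n' "$SAMPLE_QUESTION" | ats_check
printf '%s\n' "$SAMPLE_NO_PFS" | ats_check || true
```

Against a live server, pipe `openssl s_client -connect host:443 </dev/null` into `ats_check`. The verdict covers only the suite that this OpenSSL client negotiated, which can differ from what an iOS client negotiates with the same server.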

Regarding "ios - NSURLSession fails with an SSL page that uses TLS 1.2", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/35280204/
