不能與ios9

Question

與iOS 9的改進的安全連接到https://test.salesforce.com我們是不是能夠連接到https://test.salesforce.com

我們得到

了基於SecureTransport

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824) 

。 h的相關握手失敗

errSSLPeerHandshakeFail  = -9824, /* handshake failure */ 

我們可以禁用安全並仍然連接（使用NSAllowsArbitraryLoads），但我們更願意用新的更安全的IOS功能。

我們試圖破例只爲Salesforce的，但仍然得到同樣的錯誤

<key>NSExceptionDomains</key> 
    <dict> 
      <key>salesforce.com</key> 
      <dict> 
        <key>NSExceptionMinimumTLSVersion</key> 
        <string>TLSv1.0</string> 
        <key>NSExceptionRequiresForwardSecrecy</key> 
        <false/> 
        <key>NSIncludesSubdomains</key> 
        <true/> 
      </dict> 
    </dict> 

編輯（添加問題）：是什麼力量讓從iOS應用程序請求https://test.salesforce.com儘可能安全的最佳方式是什麼？ （我是否需要等待Salesforce更新他們的證書？還是有更多的東西在我的控制之下？）

Answer 1

要繼續執行例外的路徑，請嘗試將force.com添加到例外列表（而不是salesforce.com） 所以......添加爲另一個異常關鍵：

<key>NSExceptionDomains</key> 
    <dict> 
      <key>force.com</key> 
      <dict> 
        <key>NSExceptionMinimumTLSVersion</key> 
        <string>TLSv1.0</string> 
        <key>NSExceptionRequiresForwardSecrecy</key> 
        <false/> 
        <key>NSIncludesSubdomains</key> 
        <true/> 
      </dict> 
    </dict> 

我也等待一個更永久的解決方案。

Answer 2

我跑上的OAuth 2.0端點nscurl命令行實用程序（ROPC flow，沙箱環境）：

nscurl --ats-diagnostics --verbose https://test.salesforce.com/services/oauth2/token 

TL; DR：

我發現最安全的設置，將PASS如下：

<key>NSAppTransportSecurity</key> 
<dict> 
    <key>NSExceptionDomains</key> 
    <dict> 
     <key>salesforce.com</key> 
     <dict> 
      <key>NSIncludesSubdomains</key> 
      <true/> 
      <key>NSExceptionRequiresForwardSecrecy</key> 
      <false/> 
     </dict> 
    </dict> 
</dict> 

（無需降低所需的最低TLS版本此外，Salesforce的是dropping support for TLS 1.0）

的nscurl診斷的全部結果：

Starting ATS Diagnostics 

Configuring ATS Info.plist keys and displaying the result of HTTPS loads to https://test.salesforce.com/services/oauth2/token. 
A test will "PASS" if URLSession:task:didCompleteWithError: returns a nil error. 
================================================================================ 

Default ATS Secure Connection 
--- 
ATS Default Connection 
ATS Dictionary: 
{ 
} 
2016-06-17 10:49:21.533 nscurl[975:53055] CFNetwork SSLHandshake failed (-9824) 
2016-06-17 10:49:21.533 nscurl[975:53055] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824) 
Result : FAIL 
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9824, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fd67d100230 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9824, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9824}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://test.salesforce.com/services/oauth2/token, NSErrorFailingURLStringKey=https://test.salesforce.com/services/oauth2/token, _kCFStreamErrorDomainKey=3} 
--- 

================================================================================ 

Allowing Arbitrary Loads 

--- 
Allow All Loads 
ATS Dictionary: 
{ 
    NSAllowsArbitraryLoads = true; 
} 
Result : PASS 
--- 

================================================================================ 

Configuring TLS exceptions for test.salesforce.com 

--- 
TLSv1.2 
ATS Dictionary: 
{ 
    NSExceptionDomains =  { 
     "test.salesforce.com" =   { 
      NSExceptionMinimumTLSVersion = "TLSv1.2"; 
     }; 
    }; 
} 
2016-06-17 10:49:21.760 nscurl[975:53055] CFNetwork SSLHandshake failed (-9824) 
2016-06-17 10:49:21.760 nscurl[975:53055] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824) 
Result : FAIL 
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9824, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fd67d000aa0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9824, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9824}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://test.salesforce.com/services/oauth2/token, NSErrorFailingURLStringKey=https://test.salesforce.com/services/oauth2/token, _kCFStreamErrorDomainKey=3} 
--- 

--- 
TLSv1.1 
ATS Dictionary: 
{ 
    NSExceptionDomains =  { 
     "test.salesforce.com" =   { 
      NSExceptionMinimumTLSVersion = "TLSv1.1"; 
     }; 
    }; 
} 
2016-06-17 10:49:21.817 nscurl[975:53055] CFNetwork SSLHandshake failed (-9824) 
2016-06-17 10:49:21.817 nscurl[975:53055] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824) 
Result : FAIL 
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9824, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fd67b49bf10 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9824, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9824}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://test.salesforce.com/services/oauth2/token, NSErrorFailingURLStringKey=https://test.salesforce.com/services/oauth2/token, _kCFStreamErrorDomainKey=3} 
--- 

--- 
TLSv1.0 
ATS Dictionary: 
{ 
    NSExceptionDomains =  { 
     "test.salesforce.com" =   { 
      NSExceptionMinimumTLSVersion = "TLSv1.0"; 
     }; 
    }; 
} 
2016-06-17 10:49:21.878 nscurl[975:53055] CFNetwork SSLHandshake failed (-9824) 
2016-06-17 10:49:21.879 nscurl[975:53055] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824) 
Result : FAIL 
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9824, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fd67d1002c0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9824, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9824}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://test.salesforce.com/services/oauth2/token, NSErrorFailingURLStringKey=https://test.salesforce.com/services/oauth2/token, _kCFStreamErrorDomainKey=3} 
--- 

================================================================================ 

Configuring PFS exceptions for test.salesforce.com 

--- 
Disabling Perfect Forward Secrecy 
ATS Dictionary: 
{ 
    NSExceptionDomains =  { 
     "test.salesforce.com" =   { 
      NSExceptionRequiresForwardSecrecy = false; 
     }; 
    }; 
} 
Result : PASS 
--- 

================================================================================ 

Configuring PFS exceptions and allowing insecure HTTP for test.salesforce.com 

--- 
Disabling Perfect Forward Secrecy and Allowing Insecure HTTP 
ATS Dictionary: 
{ 
    NSExceptionDomains =  { 
     "test.salesforce.com" =   { 
      NSExceptionAllowsInsecureHTTPLoads = true; 
      NSExceptionRequiresForwardSecrecy = false; 
     }; 
    }; 
} 
Result : PASS 
--- 

================================================================================ 

Configuring TLS exceptions with PFS disabled for test.salesforce.com 

--- 
TLSv1.2 with PFS disabled 
ATS Dictionary: 
{ 
    NSExceptionDomains =  { 
     "test.salesforce.com" =   { 
      NSExceptionMinimumTLSVersion = "TLSv1.2"; 
      NSExceptionRequiresForwardSecrecy = false; 
     }; 
    }; 
} 
Result : PASS 
--- 

--- 
TLSv1.1 with PFS disabled 
ATS Dictionary: 
{ 
    NSExceptionDomains =  { 
     "test.salesforce.com" =   { 
      NSExceptionMinimumTLSVersion = "TLSv1.1"; 
      NSExceptionRequiresForwardSecrecy = false; 
     }; 
    }; 
} 
Result : PASS 
--- 

--- 
TLSv1.0 with PFS disabled 
ATS Dictionary: 
{ 
    NSExceptionDomains =  { 
     "test.salesforce.com" =   { 
      NSExceptionMinimumTLSVersion = "TLSv1.0"; 
      NSExceptionRequiresForwardSecrecy = false; 
     }; 
    }; 
} 
Result : PASS 
--- 

================================================================================ 

Configuring TLS exceptions with PFS disabled and insecure HTTP allowed for test.salesforce.com 

--- 
TLSv1.2 with PFS disabled and insecure HTTP allowed 
ATS Dictionary: 
{ 
    NSExceptionDomains =  { 
     "test.salesforce.com" =   { 
      NSExceptionAllowsInsecureHTTPLoads = true; 
      NSExceptionMinimumTLSVersion = "TLSv1.2"; 
      NSExceptionRequiresForwardSecrecy = false; 
     }; 
    }; 
} 
Result : PASS 
--- 

--- 
TLSv1.1 with PFS disabled and insecure HTTP allowed 
ATS Dictionary: 
{ 
    NSExceptionDomains =  { 
     "test.salesforce.com" =   { 
      NSExceptionAllowsInsecureHTTPLoads = true; 
      NSExceptionMinimumTLSVersion = "TLSv1.1"; 
      NSExceptionRequiresForwardSecrecy = false; 
     }; 
    }; 
} 
Result : PASS 
--- 

--- 
TLSv1.0 with PFS disabled and insecure HTTP allowed 
ATS Dictionary: 
{ 
    NSExceptionDomains =  { 
     "test.salesforce.com" =   { 
      NSExceptionAllowsInsecureHTTPLoads = true; 
      NSExceptionMinimumTLSVersion = "TLSv1.0"; 
      NSExceptionRequiresForwardSecrecy = false; 
     }; 
    }; 
} 
Result : PASS 
--- 

================================================================================