CFNetwork SSLHandshake失敗iOS 9

Question

有任何人與iOS 9測試版1有此問題？

我使用標準的NSURLConnection連接到一個web服務，一旦對web服務進行調用，我會得到下面的錯誤。這目前正在使用iOS 8.3

可能的beta bug？任何想法或想法都會很棒！我知道它很早就在iOS版9發展

以下是完整的錯誤：

CFNetwork SSLHandshake failed (-9824) NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)

NSURLRequest * urlRequest = [NSURLRequest requestWithURL:[NSURL URLWithString:@"https://mywebserviceurl"]]; 
     NSURLResponse * response = nil; 
     NSError * error = nil; 
     NSData * data = [NSURLConnection sendSynchronousRequest:urlRequest 
                returningResponse:&response 
                   error:&error]; 

Answer 1

的iOS 9和OSX 10.11需要TLSv1.2工作SSL所有主機您打算請求，除非你的數據在應用的Info.plist文件中指定異常域。

的Info.plist中配置的語法如下：

<key>NSAppTransportSecurity</key> 
<dict> 
    <key>NSExceptionDomains</key> 
    <dict> 
    <key>yourserver.com</key> 
    <dict> 
     <!--Include to allow subdomains--> 
     <key>NSIncludesSubdomains</key> 
     <true/> 
     <!--Include to allow insecure HTTP requests--> 
     <key>NSExceptionAllowsInsecureHTTPLoads</key> 
     <true/> 
     <!--Include to specify minimum TLS version--> 
     <key>NSExceptionMinimumTLSVersion</key> 
     <string>TLSv1.1</string> 
    </dict> 
    </dict> 
</dict> 

如果您的應用程序（第三方web瀏覽器，例如）需要連接到任意主機，可以配置它像這樣：

<key>NSAppTransportSecurity</key> 
<dict> 
    <!--Connect to anything (this is probably BAD)--> 
    <key>NSAllowsArbitraryLoads</key> 
    <true/> 
</dict> 

如果你有這樣做，它可能是最好更新您的服務器使用TLSv1.2工作和SSL，如果他們沒有這樣做。這應該被視爲臨時解決方法。

截至今日，預發佈文檔並未以任何特定方式提及任何這些配置選項。一旦完成，我會更新答案以鏈接到相關文檔。

Answer 2

**對於iOS 10 BETA重要提示：**

在iOS系統10中，TLS串的形式必須是 「TLSv1.0」 的。它不能只是「1.0」。是的，這是非常愚蠢和破壞性的。歡迎來到iOS開發。

---

以上建議的組合如下。

假設您正嘗試連接到僅具有TLS 1.0的主機（YOUR_HOST.COM）。

將這些添加到您的應用程序的信息。plist中

<key>NSAppTransportSecurity</key> 
<dict> 
    <key>NSExceptionDomains</key> 
    <dict> 
     <key>YOUR_HOST.COM</key> 
     <dict> 
      <key>NSIncludesSubdomains</key> 
      <true/> 
      <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key> 
      <true/> 
      <key>NSTemporaryExceptionMinimumTLSVersion</key> 
      <string>TLSv1.0</string> 
      <key>NSTemporaryExceptionRequiresForwardSecrecy</key> 
      <false/> 
     </dict> 
    </dict> 
</dict> 

Answer 3

欲瞭解更多信息Configuring App Transport Security Exceptions in iOS 9 and OSX 10.11

Curiously, you’ll notice that the connection attempts to change the http protocol to https to protect against mistakes in your code where you may have accidentally misconfigured the URL. In some cases, this might actually work, but it’s also confusing.

這Shipping an App With App Transport Security包括一些很好的調試技巧

ATS故障

Most ATS failures will present as CFErrors with a code in the -9800 series. These are defined in the Security/SecureTransport.h header

2015-08-23 06:34:42.700 SelfSignedServerATSTest[3792:683731] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813) 

CFNETWORK_DIAGNOSTICS

Set the environment variable CFNETWORK_DIAGNOSTICS to 1 in order to get more information on the console about the failure

nscurl

The tool will run through several different combinations of ATS exceptions, trying a secure connection to the given host under each ATS configuration and reporting the result.

nscurl --ats-diagnostics https://example.com 

Answer 4

如果你的後端使用你開始使用NSURLSession

CFNetwork SSLHandshake failed (-9801) 
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801) 

爲y的安全連接螞蟻OU需要特別檢查服務器配置以獲得ATS版本和SSL證書信息：通過設置NSExceptionAllowsInsecureHTTPLoads = YES

而不是僅僅允許不安全的連接，而不是你需要允許的情況下，較低的安全您的服務器不符合分鐘要求（v1.2）（或更好地修復服務器端）。

允許較低的安全在單臺服務器

<key>NSExceptionDomains</key> 
<dict> 
    <key>api.yourDomaine.com</key> 
    <dict> 
     <key>NSExceptionMinimumTLSVersion</key> 
     <string>TLSv1.0</string> 
     <key>NSExceptionRequiresForwardSecrecy</key> 
     <false/> 
    </dict> 
</dict> 

使用OpenSSL客戶調查證書和使用OpenSSL的客戶端讓你的服務器配置：

openssl s_client -connect api.yourDomaine.com:port //(you may need to specify port or to try with https://... or www.) 

..find末

SSL-Session: 
    Protocol : TLSv1 
    Cipher : AES256-SHA 
    Session-ID: // 
    Session-ID-ctx: 
    Master-Key: // 
    Key-Arg : None 
    Start Time: 1449693038 
    Timeout : 300 (sec) 
    Verify return code: 0 (ok) 

App Transpor t安全性（ATS）要求傳輸層安全性（TLS）協議版本1.2。

Requirements for Connecting Using ATS:

The requirements for a web service connection to use App Transport Security (ATS) involve the server, connection ciphers, and certificates, as follows:

Certificates must be signed with one of the following types of keys:

• Secure Hash Algorithm 2 (SHA-2) key with a digest length of at least 256 (that is, SHA-256 or greater)

• Elliptic-Curve Cryptography (ECC) key with a size of at least 256 bits

• Rivest-Shamir-Adleman (RSA) key with a length of at least 2048 bits An invalid certificate results in a hard failure and no connection.

The following connection ciphers support forward secrecy (FS) and work with ATS:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

更新：事實證明，OpenSSL的只提供最低限度的協議版本協議：使用TLSv1 links

Answer 5

的info.plist如下或只是複製&過去對我來說這個工作到iOS 9.2

<?xml version="1.0" encoding="UTF-8"?> 
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> 
<plist version="1.0"> 
    <dict> 
     <key>NSAppTransportSecurity</key> 
     <dict> 
      <key>NSAllowsArbitraryLoads</key> 
      <true/> 
     </dict> 

    <key>CFBundleDevelopmentRegion</key> 
    <string>en</string> 
    <key>CFBundleExecutable</key> 
    <string>$(EXECUTABLE_NAME)</string> 
    <key>CFBundleIdentifier</key> 
    <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string> 
    <key>CFBundleInfoDictionaryVersion</key> 
    <string>6.0</string> 
    <key>CFBundleName</key> 
    <string>$(PRODUCT_NAME)</string> 
    <key>CFBundlePackageType</key> 
    <string>APPL</string> 
    <key>CFBundleShortVersionString</key> 
    <string>1.0</string> 
    <key>CFBundleSignature</key> 
    <string>????</string> 
    <key>CFBundleVersion</key> 
    <string>1.0</string> 
    <key>LSRequiresIPhoneOS</key> 
    <true/> 
    <key>UILaunchStoryboardName</key> 
    <string>LaunchScreen</string> 
    <key>UIMainStoryboardFile</key> 
    <string>Main</string> 
    <key>UIRequiredDeviceCapabilities</key> 
    <array> 
     <string>armv7</string> 
    </array> 
    <key>UISupportedInterfaceOrientations</key> 
    <array> 
     <string>UIInterfaceOrientationPortrait</string> 
     <string>UIInterfaceOrientationLandscapeLeft</string> 
     <string>UIInterfaceOrientationLandscapeRight</string> 
    </array> 
    <key>UISupportedInterfaceOrientations~ipad</key> 
    <array> 
     <string>UIInterfaceOrientationPortrait</string> 
     <string>UIInterfaceOrientationPortraitUpsideDown</string> 
     <string>UIInterfaceOrientationLandscapeLeft</string> 
     <string>UIInterfaceOrientationLandscapeRight</string> 
    </array> 
</dict> 
</plist> 

Answer 6

這個呃有時當我使用一輛馬車/碰撞的科爾多瓦iOS版本時，ror會出現在日誌中。當我升級或降級cordova iOS時，它就消失了。

我連接的服務器使用的是TLSv1。2 SSL，所以我知道這不是問題。

Answer 7

在項目.plist文件中添加此權限：

<key>NSAppTransportSecurity</key> 
<dict> 
    <!--Connect to anything (this is probably BAD)--> 
    <key>NSAllowsArbitraryLoads</key> 
    <true/> 
</dict> 

Answer 8

的Info.plist的配置語法

<key>NSAppTransportSecurity</key> 
    <dict> 
    <key>NSExceptionDomains</key> 
    <dict> 
    <key>yourserver.com</key> 
    <dict> 
    <!--Include to allow subdomains--> 
    <key>NSIncludesSubdomains</key> 
    <true/> 
    <!--Include to allow insecure HTTP requests--> 
    <key>NSExceptionAllowsInsecureHTTPLoads</key> 
    <true/> 
    <!--Include to specify minimum TLS version--> 
    <key>NSExceptionMinimumTLSVersion</key> 
    <string>TLSv1.1</string> 
    </dict> 
</dict> 

Answer 9

更新應答（-後WWDC 2016）：

iOS apps will require secure HTTPS connections by the end of 2016. Trying turn ATS off may get your app rejected in the future.

App Transport Security或ATS是Apple在iOS 9中引入的一項功能。啓用ATS時，它會強制應用程序通過HTTPS連接而不是非安全HTTP連接到Web服務。

但是，開發人員仍然可以切換ATS，並允許他們的應用程序通過HTTP連接發送數據，如上述答案中所述。在2016年底，蘋果將爲所有希望將應用程序提交到App Store的開發者製作ATS強制。鏈接

Answer 10

另一個有用的工具是NMAP（BREW安裝NMAP）

nmap --script ssl-enum-ciphers -p 443 google.com 

給出輸出

Starting Nmap 7.12 (https://nmap.org) at 2016-08-11 17:25 IDT 
Nmap scan report for google.com (172.217.23.46) 
Host is up (0.061s latency). 
Other addresses for google.com (not scanned): 2a00:1450:4009:80a::200e 
PORT STATE SERVICE 
443/tcp open https 
| ssl-enum-ciphers: 
| TLSv1.0: 
|  ciphers: 
|  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A 
|  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A 
|  TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A 
|  TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C 
|  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A 
|  TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A 
|  compressors: 
|  NULL 
|  cipher preference: server 
| TLSv1.1: 
|  ciphers: 
|  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A 
|  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A 
|  TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A 
|  TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C 
|  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A 
|  TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A 
|  compressors: 
|  NULL 
|  cipher preference: server 
| TLSv1.2: 
|  ciphers: 
|  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A 
|  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A 
|  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A 
|  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A 
|  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A 
|  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A 
|  TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A 
|  TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A 
|  TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C 
|  TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A 
|  TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A 
|  TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A 
|  TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A 
|  TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A 
|  TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A 
|  compressors: 
|  NULL 
|  cipher preference: client 
|_ least strength: C 

Nmap done: 1 IP address (1 host up) scanned in 5.48 seconds 

Answer 11

爲什麼使得它太complicated-

剛剛成立的iOS開發目標 - 8.0

而且爲Cmd + Shift + K

Answer 12

後嘗試和失敗的兩天裏，什麼工作對我來說是這個代碼的womble

有一個變化，根據本post我們應該停止使用與關聯的子關鍵字NSExceptionDomains該類公約的字典

NSTemporaryExceptionMinimumTLSVersion 

，並在新公約

NSExceptionMinimumTLSVersion 

改爲使用。

apple documentation

我的代碼

<key>NSAppTransportSecurity</key> 
    <dict> 
     <key>NSExceptionDomains</key> 
     <dict> 
      <key>YOUR_HOST.COM</key> 
      <dict> 
       <key>NSExceptionAllowsInsecureHTTPLoads</key> 
       <true/> 
       <key>NSExceptionMinimumTLSVersion</key> 
       <string>TLSv1.0</string> 
       <key>NSExceptionRequiresForwardSecrecy</key> 
       <false/> 
       <key>NSIncludesSubdomains</key> 
       <true/> 
      </dict> 
     </dict> 
    </dict> 

Answer 13

我在有錯誤的時間設定測試的設備。因此，當我嘗試訪問一個證書即將用完的頁面時，它會拒絕訪問，因爲設備通過證書已過期。要修復，請在設備上設置適當的時間！