使用TLS 1.2使用SSL页面时,NSURLSession失败
我使用NSULConnection通过SSL向webservice发送数据。服务器使用通配符证书(*.mydomain.com)进行签名。该证书使用RES SHA256和TLS 1.2并由CA签名。我正尝试使用以下代码发送数据:
NSMutableURLRequest *req = [[NSMutableURLRequest alloc] init];
[req setTimeoutInterval:60];
[req setHTTPMethod:@"POST"];
// ... Set content type and add data to body ... //
[req setURL:@"https://subdomain.mydomain.com/service/"];
NSURLSession *session = [NSURLSession sessionWithConfiguration:[NSURLSessionConfiguration defaultSessionConfiguration]];
NSLog(@"Starting Upload");
NSURLSessionDataTask *task = [session dataTaskWithRequest:req
completionHandler:^(NSData *data, NSURLResponse *response, NSError *error){
// .. Handle Completion .. //
}];
[task resume];
当我运行上面的代码时,我得到以下输出。
CFNetwork SSLHandshake failed (-9801) NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)
但没有运气让错误自行解决。然后,我切换到使用http而不是https,同时保留了上面解释的配置更改,它确实起作用了。然而,这远不是一个理想的解决方案。HTTP可以进行测试,但是这个应用程序将处理需要SSL的数据。如何使SSL工作?
编辑
以下是对我的服务url的https版本运行nscurl--ats-diagnostics的结果
================================================================================ Default ATS Secure Connection --- ATS Default Connection Result : PASS --- ================================================================================ Allowing Arbitrary Loads --- Allow All Loads Result : PASS --- ================================================================================ Configuring TLS exceptions for **** --- TLSv1.2 Result : PASS --- --- TLSv1.1 Result : PASS --- --- TLSv1.0 Result : PASS --- ================================================================================ Configuring PFS exceptions for **** --- Disabling Perfect Forward Secrecy Result : PASS --- ================================================================================ Configuring PFS exceptions and allowing insecure HTTP for **** --- Disabling Perfect Forward Secrecy and Allowing Insecure HTTP Result : PASS --- ================================================================================ Configuring TLS exceptions with PFS disabled for **** --- TLSv1.2 with PFS disabled Result : PASS --- --- TLSv1.1 with PFS disabled Result : PASS --- --- TLSv1.0 with PFS disabled Result : PASS --- ================================================================================ Configuring TLS exceptions with PFS disabled and insecure HTTP allowed for **** --- TLSv1.2 with PFS disabled and insecure HTTP allowed Result : PASS --- --- TLSv1.1 with PFS disabled and insecure HTTP allowed Result : PASS --- --- TLSv1.0 with PFS disabled and insecure HTTP allowed Result : PASS --- ================================================================================
<dict>
<key>mydomain.com</key>
<dict>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSTemporaryExceptionMinimumTLSVersion</key>
<string>1.0</string>
<key>NSTemporaryExceptionRequiresForwardSecrecy</key>
<false/>
</dict>
</dict>
* CAfile: /opt/local/share/curl/curl-ca-bundle.crt CApath: none * SSLv3, TLS handshake, Client hello (1): * SSLv3, TLS handshake, Server hello (2): * SSLv3, TLS handshake, CERT (11): * SSLv3, TLS handshake, Server key exchange (12): * SSLv3, TLS handshake, Server finished (14): * SSLv3, TLS handshake, Client key exchange (16): * SSLv3, TLS change cipher, Client hello (1): * SSLv3, TLS handshake, Finished (20): * SSLv3, TLS change cipher, Client hello (1): * SSLv3, TLS handshake, Finished (20): * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-SHA384 * Server certificate: * subject: C=XXX; ST=XXX; L=XXX; O=XXX; CN=*.mydomain.com * start date: 2015-08-17 00:00:00 GMT * expire date: 2018-11-14 12:00:00 GMT * subjectAltName: subdomain.mydomain.com matched * issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA * SSL certificate verify ok.
OpenSSL s_client-connect的结果
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=XXX/ST=XXX/L=XXX/O=XXX/CN=*.mydomain.com
i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
.
.
.
-----END CERTIFICATE-----
subject=/C=XXX/ST=XXX/L=XXX/O=XXX/CN=*.mydomain.com
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3033 bytes and written 490 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: XXX
Session-ID-ctx:
Master-Key: XXX
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1454971371
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
共有1个答案
这个答案挽救了我的一天!结果表明,ATS要求服务器必须支持此处cipher suite中列出的密码。我可以确认建议的修复是有效的。
-
问题内容: 有一个在Tomcat上运行的JDK7应用程序,它具有以下环境设置: 上面的设置可确保在进行API调用等操作时通过HTTPS连接时不使用TLS 1.0。 我们还使用org.springframework.mail.javamail。 JavaMailSenderImpl 类发送外发SMTP电子邮件,并使用以下道具: 问题是,当升级到TLS1.2时,与SMTP电子邮件服务器的连接失败。 j
-
我不熟悉Codeception,但在注入页面对象时遇到了一个问题。当我向页面对象添加以下构造逻辑时,就会出现问题。 ... 我从以下登录页面对象示例中获得:http://codeception.com/docs/06-ReusingTestCode#PageObjects 我得到的错误是: [Codeception\Exception\InjectionException]未能在“MyTest”实
-
我正在编写一个JMeter测试计划,以连接到SSL端口(Tomcat Connector)。在JDK8(1.8.0_51)上使用三个JMeter SSL客户端实现(HttpClient4、HttpClient3.1、Java)中的任何一个连接到SSL端口时,我会收到一个SSLHandshakeExc0019(handshake_failure)。如果我使用JDK7(1.7。0_75)-一切都像预期
-
问题内容: 如何让CodeIgniter使用SSL加载特定页面?我有一个apache2 / 服务器。使用与非安全页面不同的文档根目录。例如,https(端口443)服务的页面不多,http(端口80)服务的页面不多。我如何让CodeIgniter在此设置中表现出色? 问题答案: 解决此问题的方法很少。 选项1: 我可能会将代码部署到两个文件夹中,然后在文件:/system/application/
-
问题内容: 如何在Swift中将证书固定到NSURLSession? 该OWASP网站只包含Objective- C和NSURLConnection的一个例子。 问题答案: Swift 3+ 更新: 只需定义一个委托类并实现didReceiveChallenge函数( 此代码改编自Objective-c OWASP示例 ): (您可以在此处找到Swift 2 的Gist- 从初始答案开始) 然后使
-
问题内容: 我有一个NSURLSession调用dataTaskWithRequest以这种方式发送POST请求 响应等于: 我的问题是我不知道如何获取名称为MYCOOKIEIS的“ Set-Cookie”中的cookie。 我将在用户登录时使用它,因此,如果用户未登录->登录(调用登录api),否则请转到主屏幕并调用其他API。 有人可以帮助我从那里拿走饼干吗? 问题答案: Swift呈现形式可