CFNetwork SSLHandshake失败iOS 9

Question

有任何人与iOS 9测试版1有此问题？

我使用标准的NSURLConnection连接到一个web服务，一旦对web服务进行调用，我会得到下面的错误。这目前正在使用iOS 8.3

可能的beta bug？任何想法或想法都会很棒！我知道它很早就在iOS版9发展

以下是完整的错误：

CFNetwork SSLHandshake failed (-9824) NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)

NSURLRequest * urlRequest = [NSURLRequest requestWithURL:[NSURL URLWithString:@"https://mywebserviceurl"]]; 
     NSURLResponse * response = nil; 
     NSError * error = nil; 
     NSData * data = [NSURLConnection sendSynchronousRequest:urlRequest 
                returningResponse:&response 
                   error:&error]; 

Answer 1

的iOS 9和OSX 10.11需要TLSv1.2工作SSL所有主机您打算请求，除非你的数据在应用的Info.plist文件中指定异常域。

的Info.plist中配置的语法如下：

<key>NSAppTransportSecurity</key> 
<dict> 
    <key>NSExceptionDomains</key> 
    <dict> 
    <key>yourserver.com</key> 
    <dict> 
     <!--Include to allow subdomains--> 
     <key>NSIncludesSubdomains</key> 
     <true/> 
     <!--Include to allow insecure HTTP requests--> 
     <key>NSExceptionAllowsInsecureHTTPLoads</key> 
     <true/> 
     <!--Include to specify minimum TLS version--> 
     <key>NSExceptionMinimumTLSVersion</key> 
     <string>TLSv1.1</string> 
    </dict> 
    </dict> 
</dict> 

如果您的应用程序（第三方web浏览器，例如）需要连接到任意主机，可以配置它像这样：

<key>NSAppTransportSecurity</key> 
<dict> 
    <!--Connect to anything (this is probably BAD)--> 
    <key>NSAllowsArbitraryLoads</key> 
    <true/> 
</dict> 

如果你有这样做，它可能是最好更新您的服务器使用TLSv1.2工作和SSL，如果他们没有这样做。这应该被视为临时解决方法。

截至今日，预发布文档并未以任何特定方式提及任何这些配置选项。一旦完成，我会更新答案以链接到相关文档。

Answer 2

**对于iOS 10 BETA重要提示：**

在iOS系统10中，TLS串的形式必须是 “TLSv1.0” 的。它不能只是“1.0”。是的，这是非常愚蠢和破坏性的。欢迎来到iOS开发。

---

以上建议的组合如下。

假设您正尝试连接到仅具有TLS 1.0的主机（YOUR_HOST.COM）。

将这些添加到您的应用程序的信息。plist中

<key>NSAppTransportSecurity</key> 
<dict> 
    <key>NSExceptionDomains</key> 
    <dict> 
     <key>YOUR_HOST.COM</key> 
     <dict> 
      <key>NSIncludesSubdomains</key> 
      <true/> 
      <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key> 
      <true/> 
      <key>NSTemporaryExceptionMinimumTLSVersion</key> 
      <string>TLSv1.0</string> 
      <key>NSTemporaryExceptionRequiresForwardSecrecy</key> 
      <false/> 
     </dict> 
    </dict> 
</dict> 

Answer 3

欲了解更多信息Configuring App Transport Security Exceptions in iOS 9 and OSX 10.11

Curiously, you’ll notice that the connection attempts to change the http protocol to https to protect against mistakes in your code where you may have accidentally misconfigured the URL. In some cases, this might actually work, but it’s also confusing.

这Shipping an App With App Transport Security包括一些很好的调试技巧

ATS故障

Most ATS failures will present as CFErrors with a code in the -9800 series. These are defined in the Security/SecureTransport.h header

2015-08-23 06:34:42.700 SelfSignedServerATSTest[3792:683731] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813) 

CFNETWORK_DIAGNOSTICS

Set the environment variable CFNETWORK_DIAGNOSTICS to 1 in order to get more information on the console about the failure

nscurl

The tool will run through several different combinations of ATS exceptions, trying a secure connection to the given host under each ATS configuration and reporting the result.

nscurl --ats-diagnostics https://example.com 

Answer 4

如果你的后端使用你开始使用NSURLSession

CFNetwork SSLHandshake failed (-9801) 
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801) 

为y的安全连接蚂蚁OU需要特别检查服务器配置以获得ATS版本和SSL证书信息：通过设置NSExceptionAllowsInsecureHTTPLoads = YES

而不是仅仅允许不安全的连接，而不是你需要允许的情况下，较低的安全您的服务器不符合分钟要求（v1.2）（或更好地修复服务器端）。

允许较低的安全在单台服务器

<key>NSExceptionDomains</key> 
<dict> 
    <key>api.yourDomaine.com</key> 
    <dict> 
     <key>NSExceptionMinimumTLSVersion</key> 
     <string>TLSv1.0</string> 
     <key>NSExceptionRequiresForwardSecrecy</key> 
     <false/> 
    </dict> 
</dict> 

使用OpenSSL客户调查证书和使用OpenSSL的客户端让你的服务器配置：

openssl s_client -connect api.yourDomaine.com:port //(you may need to specify port or to try with https://... or www.) 

..find末

SSL-Session: 
    Protocol : TLSv1 
    Cipher : AES256-SHA 
    Session-ID: // 
    Session-ID-ctx: 
    Master-Key: // 
    Key-Arg : None 
    Start Time: 1449693038 
    Timeout : 300 (sec) 
    Verify return code: 0 (ok) 

App Transpor t安全性（ATS）要求传输层安全性（TLS）协议版本1.2。

Requirements for Connecting Using ATS:

The requirements for a web service connection to use App Transport Security (ATS) involve the server, connection ciphers, and certificates, as follows:

Certificates must be signed with one of the following types of keys:

• Secure Hash Algorithm 2 (SHA-2) key with a digest length of at least 256 (that is, SHA-256 or greater)

• Elliptic-Curve Cryptography (ECC) key with a size of at least 256 bits

• Rivest-Shamir-Adleman (RSA) key with a length of at least 2048 bits An invalid certificate results in a hard failure and no connection.

The following connection ciphers support forward secrecy (FS) and work with ATS:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

更新：事实证明，OpenSSL的只提供最低限度的协议版本协议：使用TLSv1 links

Answer 5

的info.plist如下或只是复制&过去对我来说这个工作到iOS 9.2

<?xml version="1.0" encoding="UTF-8"?> 
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> 
<plist version="1.0"> 
    <dict> 
     <key>NSAppTransportSecurity</key> 
     <dict> 
      <key>NSAllowsArbitraryLoads</key> 
      <true/> 
     </dict> 

    <key>CFBundleDevelopmentRegion</key> 
    <string>en</string> 
    <key>CFBundleExecutable</key> 
    <string>$(EXECUTABLE_NAME)</string> 
    <key>CFBundleIdentifier</key> 
    <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string> 
    <key>CFBundleInfoDictionaryVersion</key> 
    <string>6.0</string> 
    <key>CFBundleName</key> 
    <string>$(PRODUCT_NAME)</string> 
    <key>CFBundlePackageType</key> 
    <string>APPL</string> 
    <key>CFBundleShortVersionString</key> 
    <string>1.0</string> 
    <key>CFBundleSignature</key> 
    <string>????</string> 
    <key>CFBundleVersion</key> 
    <string>1.0</string> 
    <key>LSRequiresIPhoneOS</key> 
    <true/> 
    <key>UILaunchStoryboardName</key> 
    <string>LaunchScreen</string> 
    <key>UIMainStoryboardFile</key> 
    <string>Main</string> 
    <key>UIRequiredDeviceCapabilities</key> 
    <array> 
     <string>armv7</string> 
    </array> 
    <key>UISupportedInterfaceOrientations</key> 
    <array> 
     <string>UIInterfaceOrientationPortrait</string> 
     <string>UIInterfaceOrientationLandscapeLeft</string> 
     <string>UIInterfaceOrientationLandscapeRight</string> 
    </array> 
    <key>UISupportedInterfaceOrientations~ipad</key> 
    <array> 
     <string>UIInterfaceOrientationPortrait</string> 
     <string>UIInterfaceOrientationPortraitUpsideDown</string> 
     <string>UIInterfaceOrientationLandscapeLeft</string> 
     <string>UIInterfaceOrientationLandscapeRight</string> 
    </array> 
</dict> 
</plist> 

Answer 6

这个呃有时当我使用一辆马车/碰撞的科尔多瓦iOS版本时，ror会出现在日志中。当我升级或降级cordova iOS时，它就消失了。

我连接的服务器使用的是TLSv1。2 SSL，所以我知道这不是问题。

Answer 7

在项目.plist文件中添加此权限：

<key>NSAppTransportSecurity</key> 
<dict> 
    <!--Connect to anything (this is probably BAD)--> 
    <key>NSAllowsArbitraryLoads</key> 
    <true/> 
</dict> 

Answer 8

的Info.plist的配置语法

<key>NSAppTransportSecurity</key> 
    <dict> 
    <key>NSExceptionDomains</key> 
    <dict> 
    <key>yourserver.com</key> 
    <dict> 
    <!--Include to allow subdomains--> 
    <key>NSIncludesSubdomains</key> 
    <true/> 
    <!--Include to allow insecure HTTP requests--> 
    <key>NSExceptionAllowsInsecureHTTPLoads</key> 
    <true/> 
    <!--Include to specify minimum TLS version--> 
    <key>NSExceptionMinimumTLSVersion</key> 
    <string>TLSv1.1</string> 
    </dict> 
</dict> 

Answer 9

更新应答（-后WWDC 2016）：

iOS apps will require secure HTTPS connections by the end of 2016. Trying turn ATS off may get your app rejected in the future.

App Transport Security或ATS是Apple在iOS 9中引入的一项功能。启用ATS时，它会强制应用程序通过HTTPS连接而不是非安全HTTP连接到Web服务。

但是，开发人员仍然可以切换ATS，并允许他们的应用程序通过HTTP连接发送数据，如上述答案中所述。在2016年底，苹果将为所有希望将应用程序提交到App Store的开发者制作ATS强制。链接

Answer 10

另一个有用的工具是NMAP（BREW安装NMAP）

nmap --script ssl-enum-ciphers -p 443 google.com 

给出输出

Starting Nmap 7.12 (https://nmap.org) at 2016-08-11 17:25 IDT 
Nmap scan report for google.com (172.217.23.46) 
Host is up (0.061s latency). 
Other addresses for google.com (not scanned): 2a00:1450:4009:80a::200e 
PORT STATE SERVICE 
443/tcp open https 
| ssl-enum-ciphers: 
| TLSv1.0: 
|  ciphers: 
|  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A 
|  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A 
|  TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A 
|  TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C 
|  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A 
|  TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A 
|  compressors: 
|  NULL 
|  cipher preference: server 
| TLSv1.1: 
|  ciphers: 
|  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A 
|  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A 
|  TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A 
|  TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C 
|  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A 
|  TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A 
|  compressors: 
|  NULL 
|  cipher preference: server 
| TLSv1.2: 
|  ciphers: 
|  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A 
|  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A 
|  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A 
|  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A 
|  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A 
|  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A 
|  TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A 
|  TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A 
|  TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C 
|  TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A 
|  TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A 
|  TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A 
|  TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A 
|  TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A 
|  TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A 
|  compressors: 
|  NULL 
|  cipher preference: client 
|_ least strength: C 

Nmap done: 1 IP address (1 host up) scanned in 5.48 seconds 

Answer 11

为什么使得它太complicated-

刚刚成立的iOS开发目标 - 8.0

而且为Cmd + Shift + K

Answer 12

后尝试和失败的两天里，什么工作对我来说是这个代码的womble

有一个变化，根据本post我们应该停止使用与关联的子关键字NSExceptionDomains该类公约的字典

NSTemporaryExceptionMinimumTLSVersion 

，并在新公约

NSExceptionMinimumTLSVersion 

改为使用。

apple documentation

我的代码

<key>NSAppTransportSecurity</key> 
    <dict> 
     <key>NSExceptionDomains</key> 
     <dict> 
      <key>YOUR_HOST.COM</key> 
      <dict> 
       <key>NSExceptionAllowsInsecureHTTPLoads</key> 
       <true/> 
       <key>NSExceptionMinimumTLSVersion</key> 
       <string>TLSv1.0</string> 
       <key>NSExceptionRequiresForwardSecrecy</key> 
       <false/> 
       <key>NSIncludesSubdomains</key> 
       <true/> 
      </dict> 
     </dict> 
    </dict> 

Answer 13

我在有错误的时间设定测试的设备。因此，当我尝试访问一个证书即将用完的页面时，它会拒绝访问，因为设备通过证书已过期。要修复，请在设备上设置适当的时间！