支持服务器的 iOS 9 ATS SSL 错误
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/31231696/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
iOS 9 ATS SSL error with supporting server
提问by YogevSitton
I installed Xcode 7 and tried running my app under iOS 9.
I'm getting the infamous error: Connection failed! Error - -1200 An SSL error has occurred and a secure connection to the server cannot be made.The thing is my server DOES support TLSv1.2 and I'm using NSURLSession.
我安装了 Xcode 7 并尝试在 iOS 9 下运行我的应用程序。我收到了臭名昭著的错误:Connection failed! Error - -1200 An SSL error has occurred and a secure connection to the server cannot be made.问题是我的服务器确实支持 TLSv1.2 并且我正在使用NSURLSession.
What could be the problem then?
那可能是什么问题呢?
回答by YogevSitton
Apple has released the full requirements list for the App Transport Security.
Apple 已经发布了App Transport Security的完整要求列表。
Turned out that we were working with TLS v1.2 but were missing some of the other requirements.
原来我们正在使用 TLS v1.2,但缺少一些其他要求。
Here's the full check list:
这是完整的检查清单:
- TLS requires at least version 1.2.
- Connection ciphers are limited to those that provide forward secrecy (see below for the list of ciphers.)
- The service requires a certificate using at least a SHA256 fingerprint with either a 2048 bit or greater RSA key, or a 256bit or greater Elliptic-Curve (ECC) key.
- Invalid certificates result in a hard failure and no connection.
- TLS 至少需要 1.2 版。
- 连接密码仅限于提供前向保密的密码(请参阅下面的密码列表。)
- 该服务需要至少使用 SHA256 指纹和 2048 位或更高的 RSA 密钥,或者 256 位或更高的椭圆曲线 (ECC) 密钥的证书。
- 无效的证书会导致硬故障和无连接。
The accepted ciphers are:
接受的密码是:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
回答by Nilesh Patel
In iOS9, Apple added new feature called App Transport Security(ATS).
在 iOS9 中,Apple 添加了名为 App Transport Security (ATS) 的新功能。
ATS enforces best practices during network calls, including the use of HTTPS.
ATS 在网络调用期间实施最佳实践,包括使用 HTTPS。
Apple Pre-release documentation:
Apple 预发布文档:
ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt. You should adopt ATS as soon as possible, regardless of whether you're creating a new app or updating an existing one.
If you're developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible.
ATS 可防止意外泄露,提供安全的默认行为,并且易于采用。无论您是创建新应用还是更新现有应用,都应尽快采用 ATS。
如果您正在开发新应用程序,则应专门使用 HTTPS。如果你有一个现有的应用程序,你现在应该尽可能多地使用 HTTPS,并尽快制定迁移应用程序其余部分的计划。
Add Below key in your info.plist & then see.
在您的 info.plist 中添加以下键,然后查看。
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
Even you can add specific exception,
甚至你可以添加特定的例外,
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>testdomain.com</key>
<dict>
<key>NSIncludesSubdomains</key>
<false/>
<key>NSExceptionAllowInsecureHTTPSLoads</key>
<false/>
<key>NSExceptionRequiresForwardSecrecy</key>
<true/>
<key>NSExceptionMinimumTLSVersion</key>
<string>TLSv1.2</string>
<key>NSThirdPartyExceptionAllowInsecureHTTPSLoads</key>
<false/>
<key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
<true/>
<key>NSThirdPartyExceptionMinimumTLSVersion</key>
<string>TLSv1.2</string>
<key>NSRequiresCertificateTransparency</key>
<false/>
</dict>
...
</dict>
</dict>
回答by user5082751
Check out this docthat apple provided.
查看苹果提供的这个文档。
I had a similar issue at runtime on iOS 9 and what I did to fix it was added the NSAppTransportSecurityDictionary to my info.plistfile with the NSAllowsArbitraryLoadsBoolset to trueand after cleaning and rebuilding it worked.
我在运行时在 iOS 9 上遇到了类似的问题,我为修复它所做的是将NSAppTransportSecurity字典添加到我的info.plist文件中,并在清理和重建后将其NSAllowsArbitraryLoadsBool设置为true有效。
I hope this helps!
我希望这有帮助!
回答by Nagarjun
For me proxy was blocking try to use internet from different source will resolve issue. Wifi, Lan, etc.
对我来说,代理阻止尝试使用来自不同来源的互联网将解决问题。Wifi、局域网等
回答by Rainer Keller
With iOS9, I had a same issue: while SSLlabresult showed no issues with protocols / ciphers on my server, a connection to one specific URL failed on an iPad running iOS/9.3.5 with an SSL-Error:
使用 iOS9,我遇到了同样的问题:虽然SSLlab结果显示我的服务器上的协议/密码没有问题,但在运行 iOS/9.3.5 的 iPad 上连接到一个特定 URL 失败并出现 SSL 错误:
Connection cannot be established.
My stupid mistake was, that I had a redirect, i.e. in NGINX (and similar in Apache):
我的愚蠢错误是,我有一个重定向,即在 NGINX(和 Apache 中类似):
rewrite /calendar $scheme://www.example.org/resources/calendar;
If the user accessed /calenderby setting:
如果用户/calender通过设置访问:
https://example.org/calendar
the server redirected to another domain breaking the establishment of the SSL-connection.
服务器重定向到另一个域,破坏了 SSL 连接的建立。
Setting the redirect as follows fixed it:
设置重定向如下修复它:
rewrite /calendar $scheme://$server_name/resources/calendar;
