iOS 11、12 和 13 安装的证书不受自动信任(自签名)
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/44952985/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
iOS 11, 12, and 13 installed certificates not trusted automatically (self signed)
提问by MattP
On our internal network, we use a self-signed CA certificate. This has worked fine for years, in both Safari and our iOS product, all the way through iOS 10. We simply install the CA certificate on any new device or simulator and everything works, even with ATS. This allows access to all of our internal test servers without having to trust each server individually.
在我们的内部网络上,我们使用自签名 CA 证书。多年来,这在 Safari 和我们的 iOS 产品中一直运行良好,一直到 iOS 10。我们只需在任何新设备或模拟器上安装 CA 证书,一切正常,即使使用 ATS。这允许访问我们所有的内部测试服务器,而无需单独信任每个服务器。
Starting with iOS 11 the installed CA certificate no longer allows Safari or our app to trust the certificate for any of the servers. We receive the following relevant details with CFNETWORK_DIAGNOSTICSenabled for our app:
从 iOS 11 开始,安装的 CA 证书不再允许 Safari 或我们的应用程序信任任何服务器的证书。我们收到以下相关详细信息,并CFNETWORK_DIAGNOSTICS为我们的应用程序启用:
Error Domain=kCFErrorDomainCFNetwork Code=-1200
_kCFNetworkCFStreamSSLErrorOriginalValue=-9802
_kCFStreamErrorDomainKey=3
_kCFStreamErrorCodeKey=-9802
NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made.
NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?
错误域=kCFErrorDomainCFNetwork 代码= -1200
_kCFNetworkCFStreamSSLErrorOriginalValue= -9802
_kCFStreamErrorDomainKey= 3
_kCFStreamErrorCodeKey= -9802
NSLocalizedDescription=发生SSL 错误并且无法建立到服务器的安全连接。
NSLocalizedRecoverySuggestion=您仍要连接到服务器吗?
I spent considerable time trying to resolve this issue, scouring StackOverflow and the rest of the web. Although we use AFNetworking in our app, that seems to be irrelevant, as Safari no longer trusts these servers via the CA. Disabling ATS via NSAllowsArbitraryLoadsallows access to the servers, but obviously isn't a solution.
我花了大量时间试图解决这个问题,搜索 StackOverflow 和网络的其余部分。尽管我们在我们的应用程序中使用了 AFNetworking,但这似乎无关紧要,因为 Safari 不再通过 CA 信任这些服务器。禁用 ATS viaNSAllowsArbitraryLoads允许访问服务器,但显然不是解决方案。
No changes have been made to our -URLSession:didReceiveChallenge:completionHandlercode, and we have a proper (worked for years) implementation of challenge response via challenge.protectionSpace.serverTrust.
没有对我们的-URLSession:didReceiveChallenge:completionHandler代码进行任何更改,并且我们通过challenge.protectionSpace.serverTrust.
I have re-evaluated and tested both the CA and server certificates every way I can think of, and they work everywhere except iOS 11. What might have changed in ATS for iOS 11 that could cause this issue?
我已经用我能想到的各种方式重新评估和测试了 CA 和服务器证书,它们在除 iOS 11 之外的任何地方都可以使用。 iOS 11 的 ATS 中哪些可能会导致此问题?
回答by MattP
While writing this question, I discovered the answer. Installing a CA from Safari no longer automatically trusts it. I had to manually trust it from the Certificate Trust Settings panel (also mentioned in this question).
在写这个问题时,我发现了答案。从 Safari 安装 CA 不再自动信任它。我必须从证书信任设置面板手动信任它(也在这个问题中提到)。
I debated canceling the question, but I thought it might be helpful to have some of the relevant code and log details someone might be looking for. Also, I never encountered the issue until iOS 11. I even went back and reconfirmed that it automatically works up through iOS 10.
我曾讨论取消这个问题,但我认为拥有一些可能正在寻找的相关代码和日志详细信息可能会有所帮助。此外,我在 iOS 11 之前从未遇到过这个问题。我什至回过头来再次确认它可以通过 iOS 10 自动运行。
I've never needed to touch that settings panel before, because any installed certificates were automatically trusted. Maybe it will change by the time iOS 11 ships, but I doubt it. Hopefully this helps save someone the time I wasted.
我以前从不需要触摸那个设置面板,因为任何安装的证书都是自动信任的。也许它会在 iOS 11 发布时发生变化,但我对此表示怀疑。希望这有助于节省我浪费的时间。
If anyone knows why this behaves differently for some people on different versions of iOS, I'd love to know in comments.
如果有人知道为什么某些人在不同版本的 iOS 上会有不同的表现,我很想在评论中知道。
Update 1: Checking out the first iOS 12 beta, it looks like things remain the same. This question/answer/comments are still relevant on iOS 12.
更新 1:查看第一个 iOS 12 测试版,看起来事情保持不变。此问题/答案/评论在 iOS 12 上仍然相关。
Update 2: Same solution seems to be needed on iOS 13 beta builds as well.
更新 2:iOS 13 beta 版本似乎也需要相同的解决方案。
回答by Michal Cichon
Recommended solution is to install and trust a self-signed certificate (root). Assuming you created your own CA and the hierarchy of the certificated is correct you don't need to change the server trust evaluation. This is recommended because it doesn't require any changes in the code.
推荐的解决方案是安装并信任自签名证书(根)。假设您创建了自己的 CA 并且证书的层次结构是正确的,您不需要更改服务器信任评估。建议这样做,因为它不需要对代码进行任何更改。
- Generate CA and the certificates (you can use openssl: Generating CA and self-signed certificates.
- Install root certificate (*.cer file) on the device - you can open it by Safari and it should redirect you to Settings
- When the certificated is installed, go to Certificate Trust Settings (Settings > General > About > Certificate Trust Settings) as in MattP answer.
- 生成 CA 和证书(您可以使用 openssl:生成 CA 和自签名证书。
- 在设备上安装根证书(*.cer 文件) - 您可以通过 Safari 打开它,它应该将您重定向到“设置”
- 安装证书后,转到证书信任设置(设置 > 常规 > 关于 > 证书信任设置),如 MattP 答案中所示。
If it is not possible then you need to change server trust evaluation.
如果不可能,那么您需要更改服务器信任评估。
More info in this document: Technical Q&A QA1948 HTTPS and Test Servers
本文档中的更多信息:技术问答 QA1948 HTTPS 和测试服务器
回答by David Johnston
This has happened to me also, after undating to IOS11 on my iPhone. When I try to connect to the corporate network it bring up the corporate cert and says it isn't trusted. I press the 'trust' button and the connection fails and the cert does not appear in the trusted certs list.
这也发生在我身上,在我的 iPhone 上更新到 IOS11 之后。当我尝试连接到公司网络时,它会显示公司证书并说它不受信任。我按下“信任”按钮,连接失败,证书没有出现在受信任的证书列表中。
回答by Juan Rangel
I've been struggling with this for 3 days now while attempting to connect to a local API running Laravel valet. I finally figured it out. In my case I had to drag and drop over the LaravelValetCASelfSigned.pem file from ~/.config/valet/CA/LaravelValetCASelfSigned.pem
在尝试连接到运行 Laravel 代客的本地 API 时,我已经为此苦苦挣扎了 3 天。我终于弄明白了。在我的情况下,我不得不拖放 LaravelValetCASelfSigned.pem 文件从~/.config/valet/CA/LaravelValetCASelfSigned.pem
After verifying the installing within the simulator I had to go to Settings > About > Certificate Trust Settings > and Enable the Laravel Valet VA Self Signed CN
在模拟器中验证安装后,我必须转到设置 > 关于 > 证书信任设置 > 并启用 Laravel Valet VA 自签名 CN
Finally working!!!
终于上班了!!!
回答by Stoull
Apple hand three categories of certificates: Trusted, Always Askand Blocked. You'll encounter the issue if your certificate's type on the Blockedand Always Asklist. On Safari it show's like:
苹果手上有三类证书:Trusted,Always Ask和Blocked. 如果您的证书类型在Blocked和Always Ask列表中,您将遇到此问题。在 Safari 上,它显示如下:
And you can find the type of Always Askcertificates on Settings > General > About > Certificate Trust Setting
您可以Always Ask在“设置”>“通用”>“关于”>“证书信任设置”中找到证书类型
There is the List of available trusted root certificates in iOS 11
回答by DustinB
If you are not seeing the certificate under General->About->Certificate Trust Settings, then you probably do not have the ROOT CA installed. Very important -- needs to be a ROOT CA, not an intermediary CA.
如果您在 General->About->Certificate Trust Settings 下没有看到证书,那么您可能没有安装 ROOT CA。非常重要——需要是根 CA,而不是中间 CA。
I just answered a question here explaining how to obtain the ROOT CA and get things to show up: How to install self-signed certificates in iOS 11
我刚刚在这里回答了一个问题,解释了如何获取 ROOT CA 并显示内容:如何在 iOS 11 中安装自签名证书
回答by dalibor983
I follow all recommendations and all requirements. I install my self signed root CA on my iPhone. I make it trusted. I put certificate signed with this root CA on my local development server and I still get certificated error on safari iOS. Working on all other platforms.
我遵循所有建议和所有要求。我在我的 iPhone 上安装了我的自签名根 CA。我让它值得信赖。我将使用此根 CA 签名的证书放在我的本地开发服务器上,但在 safari iOS 上我仍然收到证书错误。在所有其他平台上工作。
