Xcode iOS 13 TLS issue

Disclaimer: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use or share it you must likewise follow the CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow, original URL: http://stackoverflow.com/questions/58011737/

Date: 2020-09-15 11:01:14  Source: igfitidea

iOS 13 TLS issue

Tags: objective-c, xcode, tls1.2, ios13

Asked by Dragisa Dragisic

I have installed the iOS 13 beta version and run my framework, which contains a lot of network requests, but I got this error:


2019-09-19 15:01:33.566811+0200 ---[395:25439] Connection 4: default TLS Trust evaluation failed(-9814)
2019-09-19 15:01:33.567022+0200 ---[395:25439] Connection 4: TLS Trust encountered error 3:-9814
2019-09-19 15:01:33.567110+0200 ---[395:25439] Connection 4: encountered error(3:-9814)
2019-09-19 15:01:33.569824+0200 ---[395:25439] Connection 4: unable to determine interface type without an established connection
2019-09-19 15:01:33.584952+0200 ---[395:25439] Task <D97FD611-0B48-4DCE-99C9-6A971E5E6524>.<4> HTTP load failed, 0/0 bytes (error code: -1202 [3:-9814])

I tried to find out what causes that problem, with no success. Can anyone help me?


Answered by Matteo Pacini

Apple has defined stricter rules for TLS server certificates, starting from iOS 13 and macOS 10.15.


All TLS server certificates must comply with these new security requirements in iOS 13 and macOS 10.15:

TLS server certificates and issuing CAs using RSA keys must use key sizes greater than or equal to 2048 bits. Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS.

TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm. SHA-1 signed certificates are no longer trusted for TLS.

TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of a certificate are no longer trusted.

Additionally, all TLS server certificates issued after July 1, 2019 (as indicated in the NotBefore field of the certificate) must follow these guidelines:

TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID.

TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).


And the final note:


Connections to TLS servers violating these new requirements will fail and may cause network failures, apps to fail, and websites to not load in Safari in iOS 13 and macOS 10.15.


Answered by Igor Kharakhordin

I'm going to add some additional information. To check that your certificate is valid, you can open it in Keychain Access and check that it contains the correct information:


  • It expires in less than 825 days;
  • Signature algorithm isn't SHA-1 (SHA-256, probably);
  • Public key size isn't smaller than 2048 bits;
  • There's Extended Key Usage extension with "Server Authentication" purpose;
  • There's Subject Alternative Name extension that contains server's DNS.


Config example for OpenSSL:


# The [ca] / [CA_default] sections are read by the "openssl ca" command only.
# With "openssl req -x509" (the command below) the validity period comes from
# the -days option on the command line, not from default_days.
[ ca ]
default_ca = CA_default

[ CA_default ]
default_md   = sha256
default_days = 825

[ req ]
# No interactive prompting; take the subject from req_distinguished_name.
prompt             = no
# RSA key size: 2048 bits is the minimum iOS 13 accepts, 4096 leaves headroom.
default_bits       = 4096
# SHA-2 signature; SHA-1 signed certificates are no longer trusted.
default_md         = sha256
distinguished_name = req_distinguished_name
# Extensions added to the self-signed certificate (EKU and SAN are required).
x509_extensions    = req_ext

[ req_distinguished_name ]
countryName                = ...
stateOrProvinceName        = ...
localityName               = ...
organizationName           = ...
# CommonName alone is ignored by iOS 13; the DNS names must also be in the SAN.
commonName                 = google.com

[ req_ext ]
# id-kp-serverAuth in ExtendedKeyUsage
extendedKeyUsage = serverAuth
# Subject Alternative Name with the server's DNS names
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = google.com
DNS.2 = www.google.com

To generate new key-certificate pair run this command:


openssl req -newkey rsa:4096 -nodes -keyout key.pem -x509 -out certificate.crt -days 825 -config config.cnf
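The rules quoted in Matteo Pacini's answer and the Keychain Access checklist in Igor Kharakhordin's answer can be applied programmatically to a certificate file before it is deployed. The following Go program is an added example, not code from either answer or from Apple: using only the standard library, it parses a PEM certificate (such as the certificate.crt written by the openssl command above) and reports which of the iOS 13 rules it violates. The host names example.test and www.example.test and the self-signed certificates it generates are constructed test data, and the 2048-bit, SHA-2, SAN, EKU and 825-day thresholds are taken from the answers above.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Certificates whose NotBefore is after this date must also carry the
// id-kp-serverAuth EKU and be valid for at most 825 days (Apple's rules above).
var strictIssuedAfter = time.Date(2019, time.July, 1, 0, 0, 0, 0, time.UTC)

const maxValidity = 825 * 24 * time.Hour

// Signature algorithms built on a SHA-2 family hash; anything else (SHA-1, MD5) fails.
var sha2Algorithms = map[x509.SignatureAlgorithm]bool{
	x509.SHA256WithRSA: true, x509.SHA384WithRSA: true, x509.SHA512WithRSA: true,
	x509.SHA256WithRSAPSS: true, x509.SHA384WithRSAPSS: true, x509.SHA512WithRSAPSS: true,
	x509.ECDSAWithSHA256: true, x509.ECDSAWithSHA384: true, x509.ECDSAWithSHA512: true,
}

// matchesDNS reports whether host is covered by one of the SAN DNS entries.
// A leading "*." wildcard matches exactly one label; the CommonName is never consulted.
func matchesDNS(sans []string, host string) bool {
	host = strings.ToLower(host)
	for _, name := range sans {
		name = strings.ToLower(name)
		if name == host {
			return true
		}
		if dot := strings.IndexByte(host, '.'); strings.HasPrefix(name, "*.") && dot > 0 && host[dot+1:] == name[2:] {
			return true
		}
	}
	return false
}

// CheckAppleTLSRequirements returns one message per violated rule; an empty
// result means the certificate satisfies all of them for the given host name.
func CheckAppleTLSRequirements(cert *x509.Certificate, host string) []string {
	var problems []string
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		problems = append(problems, fmt.Sprintf("RSA key is %d bits; at least 2048 required", pub.N.BitLen()))
	}
	if !sha2Algorithms[cert.SignatureAlgorithm] {
		problems = append(problems, "signature algorithm "+cert.SignatureAlgorithm.String()+" is not SHA-2 based")
	}
	if !matchesDNS(cert.DNSNames, host) {
		problems = append(problems, "no Subject Alternative Name DNS entry for "+host)
	}
	if cert.NotBefore.After(strictIssuedAfter) { // rules for certificates issued after July 1, 2019
		hasServerAuth := false
		for _, eku := range cert.ExtKeyUsage {
			hasServerAuth = hasServerAuth || eku == x509.ExtKeyUsageServerAuth
		}
		if !hasServerAuth {
			problems = append(problems, "ExtendedKeyUsage lacks id-kp-serverAuth")
		}
		if validity := cert.NotAfter.Sub(cert.NotBefore); validity > maxValidity {
			problems = append(problems, fmt.Sprintf("validity period is %.0f days; at most 825 allowed", validity.Hours()/24))
		}
	}
	return problems
}

// CheckPEM parses a PEM certificate (for example certificate.crt from the
// openssl command above) and applies the checks to it.
func CheckPEM(pemData []byte, host string) ([]string, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	return CheckAppleTLSRequirements(cert, host), nil
}

// selfSignedPEM builds a throwaway self-signed certificate with the requested
// properties so the checker can be exercised offline (constructed test data).
func selfSignedPEM(bits int, cn string, sans []string, eku []x509.ExtKeyUsage, days int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	notBefore := time.Now().UTC()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		DNSNames: sans, ExtKeyUsage: eku, SignatureAlgorithm: x509.SHA256WithRSA,
		NotBefore: notBefore, NotAfter: notBefore.Add(time.Duration(days) * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	serverAuth := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	// "compliant" mirrors the OpenSSL config above; "legacy" has CN only, a 1024-bit key, no EKU, 3-year validity.
	good, _ := selfSignedPEM(2048, "example.test", []string{"example.test", "www.example.test"}, serverAuth, 825)
	bad, _ := selfSignedPEM(1024, "example.test", nil, nil, 1095)
	for label, pemData := range map[string][]byte{"compliant": good, "legacy": bad} {
		problems, err := CheckPEM(pemData, "www.example.test")
		fmt.Printf("%s: problems=%v err=%v\n", label, problems, err)
	}
}
```

To check a real file, read certificate.crt with os.ReadFile and pass its bytes to CheckPEM together with the host name the app connects to. The SAN check deliberately ignores the CommonName, matching the rule that CN-only certificates are no longer trusted, and the EKU and validity checks are only applied when NotBefore is after July 1, 2019, exactly as the quoted requirements state.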