CFNetwork SSLHandshake failed iOS 9

Backend · Unresolved · 11 answers · 1218 views
面向向阳花 2020-11-22 09:38

Has anyone with the iOS 9 beta 1 had this issue?

I use a standard NSURLConnection to connect to a webservice, and as soon as a call is made to the webservice I get th

11 answers
  •  臣服心动
    2020-11-22 10:16

    If your backend uses a secure connection and you get, using NSURLSession,

    CFNetwork SSLHandshake failed (-9801)
    NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)
    

    you need to check your server configuration, especially the ATS version and SSL certificate info:

    Instead of just allowing insecure connections by setting NSExceptionAllowsInsecureHTTPLoads = YES, you need to allow lowered security in case your server does not meet the minimum requirement (v1.2) for ATS (or, better, fix the server side).

    Allowing Lowered Security to a Single Server

    <!-- fragment of the NSAppTransportSecurity dictionary in Info.plist -->
    <key>NSExceptionDomains</key>
    <dict>
        <key>api.yourDomaine.com</key>
        <dict>
            <!-- accept TLS 1.0 from this host instead of the ATS default of 1.2 -->
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.0</string>
            <!-- do not insist on a forward-secrecy (ECDHE) cipher suite for this host -->
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
        </dict>
    </dict>
    

    Use the openssl client to investigate the certificate and get your server configuration:

    # replace 443 with your server's port; you may need to try https://... or www.
    openssl s_client -connect api.yourDomaine.com:443
    
    

    ...find at the end:

    SSL-Session:
        Protocol  : TLSv1
        Cipher    : AES256-SHA
        Session-ID: //
        Session-ID-ctx: 
        Master-Key: //
        Key-Arg   : None
        Start Time: 1449693038
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    

    App Transport Security (ATS) requires Transport Layer Security (TLS) protocol version 1.2.

    Requirements for Connecting Using ATS:

    The requirements for a web service connection to use App Transport Security (ATS) involve the server, connection ciphers, and certificates, as follows:

    Certificates must be signed with one of the following types of keys:

    • Secure Hash Algorithm 2 (SHA-2) key with a digest length of at least 256 (that is, SHA-256 or greater)

    • Elliptic-Curve Cryptography (ECC) key with a size of at least 256 bits

    • Rivest-Shamir-Adleman (RSA) key with a length of at least 2048 bits

    An invalid certificate results in a hard failure and no connection.

    The following connection ciphers support forward secrecy (FS) and work with ATS:

    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

    Update: it turns out that openssl only provides the minimal protocol version (Protocol : TLSv1).
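The answer above lists the ATS requirements and shows how to read the negotiated protocol and cipher out of `openssl s_client`. The following script, an added example that is not from the original post or from Apple, turns that manual comparison into code: it translates the OpenSSL-style cipher names that `openssl s_client` and Python's `ssl` module print into the IANA names used in Apple's list, then evaluates protocol, cipher suite, certificate key and signature digest against the requirements quoted in the answer. The `probe()` helper connects with Python's standard library; the certificate key type, size and signature digest are not exposed by the `ssl` module, so they are passed in by the caller (read them from `openssl x509 -noout -text`). The sample session values are constructed to match the `SSL-Session` block shown in the answer; the 2048-bit RSA key and SHA-256 signature are assumptions.

```python
"""Evaluate a TLS endpoint against the ATS requirements quoted in the answer:
TLS 1.2 or newer, a forward-secrecy ECDHE suite from Apple's list, a SHA-256 or
stronger certificate signature, and an RSA key >= 2048 bits or EC key >= 256 bits."""
import re
import socket
import ssl
import sys

# The eleven forward-secrecy suites from the answer, in IANA naming.
ATS_FS_CIPHERS = frozenset({
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
})


def openssl_to_iana(name):
    """Translate an OpenSSL-style AES suite name (e.g. ECDHE-RSA-AES128-GCM-SHA256,
    as printed by openssl s_client and ssl.SSLSocket.cipher()) to the IANA form
    used in Apple's list. Returns None for suites outside the AES families."""
    if name.startswith("TLS_"):
        return name                         # already IANA-style
    parts = name.split("-")
    if parts[0] in ("ECDHE", "DHE") and len(parts) >= 4:
        kx, rest = f"{parts[0]}_{parts[1]}", parts[2:]   # ephemeral key exchange
    else:
        kx, rest = "RSA", parts             # static RSA key transport, no forward secrecy
    m = re.fullmatch(r"AES(128|256)", rest[0]) if rest else None
    if m is None:
        return None
    bits = m.group(1)
    if len(rest) == 3 and rest[1] == "GCM":
        mode, mac = "GCM", rest[2]          # e.g. AES128-GCM-SHA256
    elif len(rest) == 2:
        mode, mac = "CBC", rest[1]          # OpenSSL omits "CBC": AES256-SHA, AES128-SHA256
    else:
        return None
    return f"TLS_{kx}_WITH_AES_{bits}_{mode}_{mac}"


def evaluate_ats(protocol, cipher, key_type, key_bits, sig_hash):
    """Return a list of findings; an empty list means the parameters satisfy the
    quoted ATS requirements. protocol and cipher are as reported by the ssl module
    or the SSL-Session block; key_type is 'RSA' or 'EC'; sig_hash is the signature
    algorithm string as printed by openssl x509 (e.g. 'sha256WithRSAEncryption')."""
    findings = []
    if protocol not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"protocol {protocol}: ATS requires TLS 1.2 or newer "
                        "(NSExceptionMinimumTLSVersion is only a client-side workaround)")
    if openssl_to_iana(cipher) not in ATS_FS_CIPHERS:
        findings.append(f"cipher {cipher}: not in the ATS forward-secrecy list "
                        "(NSExceptionRequiresForwardSecrecy=false is only a client-side workaround)")
    digest = re.search(r"sha(\d+)", sig_hash, re.IGNORECASE)
    if digest is None or int(digest.group(1)) < 256:
        findings.append(f"signature {sig_hash}: ATS requires SHA-256 or greater")
    minimum = {"RSA": 2048, "EC": 256}.get(key_type.upper())
    if minimum is None or key_bits < minimum:
        findings.append(f"{key_type} key of {key_bits} bits: below the ATS minimum")
    return findings


def probe(host, port=443, timeout=5.0):
    """Connect with the platform's default TLS policy and return (protocol, cipher)
    as the ssl module reports them. Returns None when the handshake fails, which
    with current defaults usually means the server tops out below TLS 1.2."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name, _proto, _bits = tls.cipher()
                return tls.version(), name
    except (ssl.SSLError, OSError):
        return None


if __name__ == "__main__":
    # Constructed sample matching the SSL-Session block in the answer (TLSv1,
    # AES256-SHA); the 2048-bit RSA key and SHA-256 signature are assumed values.
    for finding in evaluate_ats("TLSv1", "AES256-SHA", "RSA", 2048, "sha256WithRSAEncryption"):
        print("FAIL:", finding)
    if len(sys.argv) > 1:                   # optional live check: python ats_check.py host [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print("negotiated:", probe(sys.argv[1], port))
```

Run against the session shown in the answer, the script reports two failures: the protocol is TLS 1.0 rather than 1.2, and AES256-SHA (TLS_RSA_WITH_AES_256_CBC_SHA) uses static RSA key transport, so it offers no forward secrecy. Those are exactly the two properties the plist exception above relaxes, which is why fixing the server configuration is the better remedy.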
