I am trying to post to a server that supports TLS 1.2 -- at least when I perform a GET in a browser I can verify that the communication uses TLS 1.2 and that the cert is validated by a cert authority. However, when I try to POST in my code to that server using AFNetworking iOS 9.0 (13A4305g) / Xcode 7-beta4 I'm getting a handshake failure.
AFHTTPRequestOperationManager *manager = [AFHTTPRequestOperationManager manager];
manager.requestSerializer = [AFHTTPRequestSerializer serializerWithContentType:@"application/x-www-form-urlencoded"];
manager.responseSerializer = [AFJSONResponseSerializer serializer];
[manager POST:requestString parameters:@{ @"apiKey" : MY_API_KEY,
@"payload" : [MyParams paramsForPOSTAsJSON] }
success:^(AFHTTPRequestOperation *operation, NSDictionary *responseDict) {
...
} failure:^(AFHTTPRequestOperation *operation, NSError *error) {
myLog(@"Communication failed: %@", error);
}];
The failure:
2015-08-06 15:01:08.398 MyApp[1795:394055] CFNetwork SSLHandshake failed (-9824)
2015-08-06 15:01:08.409 MyApp[1795:394055] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
2015-08-06 15:01:08.412 MyApp[1795:393999] MyClass sendDataToServer Communication failed: Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." ...
Am I missing something? How can I dig deeper? Suppose it is a problem with the server and not the code - how could I snoop that?
Steffen led me to the answer, and it was indeed that I needed the appropriate ciphers. An easy way to look at the supported ciphers on a port is the cipherscan tool. The ciphers supported for App Transport Security can be found here. Once I was able to test on a fully configured website, I did not need any kind of whitelisting. For TLS sites without the ciphers, I can set NSThirdPartyExceptionRequiresForwardSecrecy to false.
UPDATE
If you take beta 3 or above of OS X El Capitan, you can use the following command:
nscurl --verbose --ats-diagnostics <host>
This will tell you what entries you would need to add to your whitelist in order to make the connection succeed. This is a great help in demystifying SSL failures of type CFNetwork SSLHandshake failed (-9801).
来源:https://stackoverflow.com/questions/31866775/host-supports-tls-1-2-afnetworking-handshake-failing