SSL certificate Error with App Transport Security

Posted: 2017-03-20 12:54:02

Question:

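I created a hybrid mobile application with Cordova.

In this project, I am trying to access an https server, which has an SSL certificate for security.

While simulating the application, I got two errors in Xcode 7.2.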

CFNetwork SSLHandshake failed (-9824)
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)

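I tried the following keys in info.plist, but they did not work.

How can I access https from a hybrid mobile application using Cordova?

I ran nscurl --ats-diagnostics --verbose https://XXX.XXXX.XXX and got the following result: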

Starting ATS Diagnostics

Configuring ATS Info.plist keys and displaying the result of HTTPS loads to https://netbanking.utkarsh.bank.
A test will "PASS" if URLSession:task:didCompleteWithError: returns a nil error.
================================================================================

Default ATS Secure Connection
---
ATS Default Connection
ATS Dictionary:


2017-03-20 19:27:19.190 nscurl[16582:163070] CFNetwork SSLHandshake failed (-9824)
2017-03-20 19:27:19.191 nscurl[16582:163070] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo=_kCFStreamErrorCodeKey=-9824, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fbdf341b6f0 Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo=_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9824, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9824, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://netbanking.utkarsh.bank/, NSErrorFailingURLStringKey=https://netbanking.utkarsh.bank/, _kCFStreamErrorDomainKey=3
---

================================================================================

Allowing Arbitrary Loads

---
Allow All Loads
ATS Dictionary:

    NSAllowsArbitraryLoads = true;

Result : PASS
---

================================================================================

Configuring TLS exceptions for netbanking.utkarsh.bank

---
TLSv1.2
ATS Dictionary:

    NSExceptionDomains =     
        "netbanking.utkarsh.bank" =         
            NSExceptionMinimumTLSVersion = "TLSv1.2";
        ;
    ;

2017-03-20 19:27:19.612 nscurl[16582:163070] CFNetwork SSLHandshake failed (-9824)
2017-03-20 19:27:19.612 nscurl[16582:163070] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo=_kCFStreamErrorCodeKey=-9824, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fbdf360c3c0 Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo=_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9824, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9824, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://netbanking.utkarsh.bank/, NSErrorFailingURLStringKey=https://netbanking.utkarsh.bank/, _kCFStreamErrorDomainKey=3
---

---
TLSv1.1
ATS Dictionary:

    NSExceptionDomains =     
        "netbanking.utkarsh.bank" =         
            NSExceptionMinimumTLSVersion = "TLSv1.1";
        ;
    ;

2017-03-20 19:27:19.669 nscurl[16582:163070] CFNetwork SSLHandshake failed (-9824)
2017-03-20 19:27:19.669 nscurl[16582:163070] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo=_kCFStreamErrorCodeKey=-9824, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fbdf3727cf0 Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo=_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9824, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9824, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://netbanking.utkarsh.bank/, NSErrorFailingURLStringKey=https://netbanking.utkarsh.bank/, _kCFStreamErrorDomainKey=3
---

---
TLSv1.0
ATS Dictionary:

    NSExceptionDomains =     
        "netbanking.utkarsh.bank" =         
            NSExceptionMinimumTLSVersion = "TLSv1.0";
        ;
    ;

2017-03-20 19:27:19.725 nscurl[16582:163070] CFNetwork SSLHandshake failed (-9824)
2017-03-20 19:27:19.726 nscurl[16582:163070] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo=_kCFStreamErrorCodeKey=-9824, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fbdf371abe0 Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo=_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9824, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9824, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://netbanking.utkarsh.bank/, NSErrorFailingURLStringKey=https://netbanking.utkarsh.bank/, _kCFStreamErrorDomainKey=3
---

================================================================================

Configuring PFS exceptions for netbanking.utkarsh.bank

---
Disabling Perfect Forward Secrecy
ATS Dictionary:

    NSExceptionDomains =     
        "netbanking.utkarsh.bank" =         
            NSExceptionRequiresForwardSecrecy = false;
        ;
    ;

2017-03-20 19:27:19.784 nscurl[16582:163070] CFNetwork SSLHandshake failed (-9801)
2017-03-20 19:27:19.785 nscurl[16582:163070] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo=_kCFStreamErrorCodeKey=-9801, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fbdf354f3d0 Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo=_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9801, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9801, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://netbanking.utkarsh.bank/, NSErrorFailingURLStringKey=https://netbanking.utkarsh.bank/, _kCFStreamErrorDomainKey=3
---

================================================================================

Configuring PFS exceptions and allowing insecure HTTP for netbanking.utkarsh.bank

---
Disabling Perfect Forward Secrecy and Allowing Insecure HTTP
ATS Dictionary:

    NSExceptionDomains =     
        "netbanking.utkarsh.bank" =         
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionRequiresForwardSecrecy = false;
        ;
    ;

2017-03-20 19:27:19.843 nscurl[16582:163070] CFNetwork SSLHandshake failed (-9801)
2017-03-20 19:27:19.908 nscurl[16582:163070] CFNetwork SSLHandshake failed (-9801)
2017-03-20 19:27:19.962 nscurl[16582:163070] CFNetwork SSLHandshake failed (-9801)
2017-03-20 19:27:19.962 nscurl[16582:163070] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo=_kCFStreamErrorCodeKey=-9801, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fbdf3488c30 Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo=_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9801, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9801, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://netbanking.utkarsh.bank/, NSErrorFailingURLStringKey=https://netbanking.utkarsh.bank/, _kCFStreamErrorDomainKey=3
---

================================================================================

Configuring TLS exceptions with PFS disabled for netbanking.utkarsh.bank

---
TLSv1.2 with PFS disabled
ATS Dictionary:

    NSExceptionDomains =     
        "netbanking.utkarsh.bank" =         
            NSExceptionMinimumTLSVersion = "TLSv1.2";
            NSExceptionRequiresForwardSecrecy = false;
        ;
    ;

2017-03-20 19:27:20.020 nscurl[16582:163070] CFNetwork SSLHandshake failed (-9801)
2017-03-20 19:27:20.021 nscurl[16582:163070] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo=_kCFStreamErrorCodeKey=-9801, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fbdf3534c00 Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo=_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9801, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9801, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://netbanking.utkarsh.bank/, NSErrorFailingURLStringKey=https://netbanking.utkarsh.bank/, _kCFStreamErrorDomainKey=3
---

---
TLSv1.1 with PFS disabled
ATS Dictionary:

    NSExceptionDomains =     
        "netbanking.utkarsh.bank" =         
            NSExceptionMinimumTLSVersion = "TLSv1.1";
            NSExceptionRequiresForwardSecrecy = false;
        ;
    ;

Result : PASS
---

---
TLSv1.0 with PFS disabled
ATS Dictionary:

    NSExceptionDomains =     
        "netbanking.utkarsh.bank" =         
            NSExceptionMinimumTLSVersion = "TLSv1.0";
            NSExceptionRequiresForwardSecrecy = false;
        ;
    ;

Result : PASS
---

================================================================================

Configuring TLS exceptions with PFS disabled and insecure HTTP allowed for netbanking.utkarsh.bank

---
TLSv1.2 with PFS disabled and insecure HTTP allowed
ATS Dictionary:

    NSExceptionDomains =     
        "netbanking.utkarsh.bank" =         
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionMinimumTLSVersion = "TLSv1.2";
            NSExceptionRequiresForwardSecrecy = false;
        ;
    ;

2017-03-20 19:27:20.358 nscurl[16582:163070] CFNetwork SSLHandshake failed (-9801)
2017-03-20 19:27:20.416 nscurl[16582:163070] CFNetwork SSLHandshake failed (-9801)
2017-03-20 19:27:20.471 nscurl[16582:163070] CFNetwork SSLHandshake failed (-9801)
2017-03-20 19:27:20.471 nscurl[16582:163070] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo=_kCFStreamErrorCodeKey=-9801, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fbdf3530fd0 Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo=_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9801, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9801, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://netbanking.utkarsh.bank/, NSErrorFailingURLStringKey=https://netbanking.utkarsh.bank/, _kCFStreamErrorDomainKey=3
---

---
TLSv1.1 with PFS disabled and insecure HTTP allowed
ATS Dictionary:

    NSExceptionDomains =     
        "netbanking.utkarsh.bank" =         
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionMinimumTLSVersion = "TLSv1.1";
            NSExceptionRequiresForwardSecrecy = false;
        ;
    ;

Result : PASS
---

---
TLSv1.0 with PFS disabled and insecure HTTP allowed
ATS Dictionary:

    NSExceptionDomains =     
        "netbanking.utkarsh.bank" =         
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionMinimumTLSVersion = "TLSv1.0";
            NSExceptionRequiresForwardSecrecy = false;
        ;
    ;

Result : PASS
---

================================================================================

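Comments:

Have you tried nscurl --ats-diagnostics --verbose https://www.google.com, but with your domain instead of Google? Also, which cipher suites does the server support?

@Mats, thanks for your reply. I ran the command in the terminal and posted the result in the question.

Instead of trying all the keys, @Mats's suggestion will give you the real cause. You can act based on the diagnostic result.

Answer 1:

Adding the following key to info.plist as well solved the problem.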

<key>NSTemporaryExceptionRequiresForwardSecrecy</key>
<false/>
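
An added example (not from the original post, and not part of Apple's tooling): a small Python parser for the `nscurl --ats-diagnostics` report layout shown in the question. It lists each test's ATS keys and result, then picks the passing configuration that weakens ATS the least. The `COST` weights are an assumed ranking, and `SAMPLE` is a constructed excerpt with a placeholder host.

```python
import re

# Constructed excerpt in the layout of the nscurl report above (braces and
# error lines omitted; example.test is a placeholder host).
SAMPLE = """\
---
Allow All Loads
    NSAllowsArbitraryLoads = true;
Result : PASS
---
---
Disabling Perfect Forward Secrecy
    "example.test" =
        NSExceptionRequiresForwardSecrecy = false;
Result : FAIL
---
---
TLSv1.1 with PFS disabled
        NSExceptionMinimumTLSVersion = "TLSv1.1";
        NSExceptionRequiresForwardSecrecy = false;
Result : PASS
---
"""

# Assumed ranking of how much each setting weakens ATS (higher = weaker).
COST = {("NSAllowsArbitraryLoads", "true"): 100,
        ("NSExceptionAllowsInsecureHTTPLoads", "true"): 10,
        ("NSExceptionMinimumTLSVersion", "TLSv1.0"): 3,
        ("NSExceptionMinimumTLSVersion", "TLSv1.1"): 2,
        ("NSExceptionRequiresForwardSecrecy", "false"): 1}

def parse(report):
    """Return (title, settings dict, passed) for every test block."""
    tests = []
    for block in re.split(r"^-{3,}[ \t]*$", report, flags=re.M):
        result = re.search(r"^Result : (PASS|FAIL)", block, flags=re.M)
        if not result:
            continue  # separators, banners, section headings
        title = next(l.strip() for l in block.splitlines() if l.strip())
        keys = dict(re.findall(r'(NS\w+) = "?([\w.]+)"?;', block))
        tests.append((title, keys, result.group(1) == "PASS"))
    return tests

def tightest_pass(report):
    """Passing test whose exception keys weaken ATS the least, or None."""
    passed = [t for t in parse(report) if t[2]]
    return min(passed, key=lambda t: sum(COST.get(kv, 0) for kv in t[1].items()),
               default=None)
```

Run against the full report in the question, the same ranking selects the "TLSv1.1 with PFS disabled" test over "Allow All Loads", so the exception can stay scoped to the one domain instead of disabling ATS globally.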
