NSURL会话/NSURL连接HTTP加载失败(kCFStreamErrorDomainSSL，在iOS10中为-9802，2017

h43kikqp 于 2022-11-14 发布在 iOS

关注(0)|答案(3)|浏览(286)

这不是一个重复的问题，请继续阅读。我正在升级我的应用程序中的弃用代码，以符合iOS10。
错误：NSURLSession给我带来了麻烦，这个臭名昭著的错误，沿着9806和9801，这取决于我在.plist文件中放置的内容：

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)

我的代码：在我的信息.plist文件中，我有：

<key>NSAppTransportSecurity</key>
    <dict>
        <key>NSExceptionDomains</key>
        <dict>
            <key>https://my.own-server.com</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSExceptionAllowInsecureHTTPSLoads</key>
                <true/>
                <key>NSExceptionRequiresForwardSecrecy</key>
                <true/>
                <key>NSExceptionMinimumTLSVersion</key>
                <string>TLSv1.0</string>
                <key>NSThirdPartyExceptionAllowInsecureHTTPSLoads</key>
                <false/>
                <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
                <false/>
                <key>NSThirdPartyExceptionMinimumTLSVersion</key>
                <string>TLSv1.0</string>
                <key>NSRequiresCertificateTransparency</key>
                <false/>
            </dict>
        </dict>
        <key>NSAppTransportSecurity</key>
        <dict>
            <key>NSAllowsArbitraryLoads</key>
            <false/>
        </dict>
    </dict>

在我的ObjectiveC代码中，我有这样的代码：

NSURLSessionConfiguration *defaultConfiguration = [NSURLSessionConfiguration defaultSessionConfiguration];
NSURLSession *session __unused = [NSURLSession sessionWithConfiguration:defaultConfiguration delegate:[PortalRequest alloc] delegateQueue:[NSOperationQueue mainQueue]]; operationQueue:[NSOperationQueue mainQueue]];
    requestContainer.sessionDataTask = [session dataTaskWithRequest:request];
[self.sessionDataTask resume];

在进行URLSession调用的类的DELEGATE方法中，我可以看到didReceiveChallenge：

LOG: ** NSURLSession IOS10 ** - didReceiveChallenge called

......最后我得到错误：

[TIMESTAMP] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9806)

服务器在其他答案中提出的解决方案都不起作用，是因为苹果的2017年截止日期吗？https://techcrunch.com/2016/06/14/apple-will-require-https-connections-for-ios-apps-by-the-end-of-2016/根据这个在线安全分析工具，https://www.ssllabs.com/ssltest/analyze.html后端确实支持TLS 1. 2
你知道在哪里可以找到一些iOS示例代码来100%确定我所指的端点是没有负罪感的吗？
更新这个代码为我工作，对它有什么意见？：

- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential * __nullable credential))completionHandler{
    NSLog(@"*** KBRequest.NSURLSessionDelegate - didReceiveChallenge IOS10");

    if([challenge.protectionSpace.authenticationMethod
        isEqualToString:NSURLAuthenticationMethodServerTrust])
    {
        if([challenge.protectionSpace.host
            isEqualToString:@"engine.hello-indigo.com"])
        {
            NSURLCredential *credential =
            [NSURLCredential credentialForTrust:
             challenge.protectionSpace.serverTrust];
            completionHandler(NSURLSessionAuthChallengeUseCredential,credential);
        }
        else
            completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
    }
}

ssl

来源：https://stackoverflow.com/questions/41854908/nsurlsession-nsurlconnection-http-load-failed-kcfstreamerrordomainssl-9802-in

3条答案

按热度按时间

t1rydlwq1#

请尝试将NSExceptionRequiresForwardSecrecy设置为false。但是，您的服务器确实满足传输层安全性（TLS）协议版本的最低要求，但您的服务器连接密码可能不支持前向保密。
协商的传输层安全性（TLS）版本必须是TLS 1.2。默认情况下，不使用TLS/SSL保护或使用旧版本的TLS/SSL进行连接的尝试将被拒绝。
连接必须使用AES-128或AES-256对称密码。
协商的TLS连接密码套件必须通过椭圆曲线Diffie-Hellman Ephemeral（ECDHE）密钥交换支持完全前向保密（PFS），并且必须是以下之一：
使用AES_256_GCM_SHA384时的最低血糖检测标准和最低血糖检测标准安全性分析-使用不良事件评估系统256_CBC_SHA384 TLS_ECDHE_安全性分析-使用不良事件评估系统128_CBC_SHA256 TLS_ECDHE_安全性分析-使用不良事件评估系统128_CBC_SHA

赞(0）回复(0）举报 2022-11-14

tvmytwxo2#

我终于解决了这个问题！我从.plist文件中取出了异常，并将以下代码添加到didReceiveChallenge委托方法中：

- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential * __nullable credential))completionHandler{
    NSLog(@"*** KBRequest.NSURLSessionDelegate - didReceiveChallenge IOS10");
    completionHandler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:[[challenge protectionSpace] serverTrust]]);
}

这篇文章非常有用：http://timekl.com/blog/2015/08/21/shipping-an-app-with-app-transport-security/

赞(0）回复(0）举报 2022-11-14

vohkndzv3#

为了避免完全破坏TLS（更不用说其他形式的身份验证），您应该做更多类似这样的事情：

- (void)URLSession:(NSURLSession *)session
    didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
      completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition,
                                  NSURLCredential *credential))completionHandler
    {
        NSURLProtectionSpace *protectionSpace = [challenge protectionSpace];
        if ([protectionSpace authenticationMethod] == NSURLAuthenticationMethodServerTrust) {
            // Load our trusted root certificate from the app bundle.
            SecTrustRef trust = [protectionSpace serverTrust];
            NSURL *certificatePath = [[NSBundle mainBundle] URLForResource:@"customRootCert" ofType:@"der"];
            NSData *certificateData = [NSData dataWithContentsOfURL:resourcePath];
            SecCertificateRef trustedCert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)certData);

            // Change the trust object to trust our root cert.
            trust = addAnchorToTrust(trust, trustedCert);

            SecTrustResultType secresult = kSecTrustResultInvalid;
            if (SecTrustEvaluate(trust, &secresult) != errSecSuccess) {
                // Something went horribly wrong.
                completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
                return;
            }

            switch (secresult) {
                case kSecTrustResultUnspecified: // The OS trusts this certificate implicitly.
                case kSecTrustResultProceed: // The user explicitly told the OS to trust it.
                {
                    NSURLCredential *credential =
                        [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust];
                    completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, credential)
                    return;
                }
                default:
                    /* It's somebody else's key/cert. Fall through. */
            }
            completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        } else {
            // If we aren't checking the server's public key, just use
            // the default behavior.
            completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        }
    }

请注意，这段代码未经编译和测试，因此请随意修复错别字和其他错误。

赞(0）回复(0）举报 2022-11-14

我来回答

NSURL会话/NSURL连接HTTP加载失败(kCFStreamErrorDomainSSL，在iOS10中为-9802，2017

3条答案

相关问题

热门标签

最新问答