kCFStreamErrorDomainSSL -9802错误,但它是HTTPS
因此,我了解ATS的内容,以及如何编辑允许HTTP的info.plist。但是,URL是https://api.map.baidu.com/api?v=2。0&ak=1XjLLEhZhQNUzd93EjU5nOGQ&s=1,这是一个HTTPS请求,但我仍然得到
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)然后在setenv("CFNETWORK_DIAGNOSTICS", "3", 1);中添加didFinishLaunchingWithOptions以启用详细日志。
在日志中,我发现错误日志:
5510 Jan 14 10:52:01 MCompass[8549] <Notice>: CFNetwork Diagnostics [3:363] 10:52:01.458 {
5511 Response Error
5512 Request: <CFURLRequest 0x7fecf3cddcb0 [0x10aff37b0]> {url = https://api.map.baidu.com/api?v=2.0&ak=1XjLLEhZhQNUzd93EjU5nOGQ&s=1, cs = 0x0}
5513 Error: Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x7fecf406bbf0>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=<CFArray 0x7fecf406cda0 [0x10aff37b0]>{type = immutable, count = 3, values = (
5514 0 : <cert(0x7fecf3fa80e0) s: baidu.com i: VeriSign Class 3 International Server CA - G3>
5515 1 : <cert(0x7fecf3fa8920) s: VeriSign Class 3 International Server CA - G3 i: VeriSign Class 3 Public Primary Certification Authority - G5>
5516 2 : <cert(0x7fecf4069fd0) s: VeriSign Class 3 Public Primary Certification Authority - G5 i: Class 3 Public Primary Certification Authority>
5517 )}}
5518 } [3:363]
5519 Jan 14 10:52:01 MCompass[8549] <Notice>: CFNetwork Diagnostics [3:364] 10:52:01.459 {
5520 Did Fail
5521 Loader: <CFMutableURLRequest 0x7fecf3cdd9f0 [0x10aff37b0]> {url = https://api.map.baidu.com/api?v=2.0&ak=1XjLLEhZhQNUzd93EjU5nOGQ&s=1, cs = 0x0}
5522 Error: Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x7fecf406bbf0>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=<CFArray 0x7fecf406cda0 [0x10aff37b0]>{type = immutable, count = 3, values = (
5523 0 : <cert(0x7fecf3fa80e0) s: baidu.com i: VeriSign Class 3 International Server CA - G3>
5524 1 : <cert(0x7fecf3fa8920) s: VeriSign Class 3 International Server CA - G3 i: VeriSign Class 3 Public Primary Certification Authority - G5>
5525 2 : <cert(0x7fecf4069fd0) s: VeriSign Class 3 Public Primary Certification Authority - G5 i: Class 3 Public Primary Certification Authority>
5526 )}}
5527 init to origin load: 0.00280595s
5528 total time: 0.447458s
5529 total bytes: 0
5530 } [3:364]我很困惑,因为它是HTTPS请求,但仍然有问题。我在Chrome上尝试了网址,它返回一个有效的证书(我有证书知识,如X509)。但不知道为什么会被封锁。
有人能帮忙吗?提前谢谢。将此域添加到ATS异常中会有帮助,但我不想添加它,因为它已经是HTTPS了!
更新:
正在运行
/usr/bin/nscurl --ats-diagnostics -v "https://api.map.baidu.com/api?v=2.0&ak=1XjLLEhZhQNUzd93EjU5nOGQ&s=1"将返回所有通行证:
Xuans-MacBook-Pro:~ xuan$ /usr/bin/nscurl --ats-diagnostics -v "https://api.map.baidu.com/api?v=2.0&ak=1XjLLEhZhQNUzd93EjU5nOGQ&s=1"
Starting ATS Diagnostics
Configuring ATS Info.plist keys and displaying the result of HTTPS loads to https://api.map.baidu.com/api?v=2.0&ak=1XjLLEhZhQNUzd93EjU5nOGQ&s=1.
A test will "PASS" if URLSession:task:didCompleteWithError: returns a nil error.
================================================================================
Default ATS Secure Connection
---
ATS Default Connection
ATS Dictionary:
{
}
Result : PASS
---
================================================================================
Allowing Arbitrary Loads
---
Allow All Loads
ATS Dictionary:
{
NSAllowsArbitraryLoads = true;
}
Result : PASS
---
================================================================================
Configuring TLS exceptions for api.map.baidu.com
---
TLSv1.2
ATS Dictionary:
{
NSExceptionDomains = {
"api.map.baidu.com" = {
NSExceptionMinimumTLSVersion = "TLSv1.2";
};
};
}
Result : PASS
---
---
TLSv1.1
ATS Dictionary:
{
NSExceptionDomains = {
"api.map.baidu.com" = {
NSExceptionMinimumTLSVersion = "TLSv1.1";
};
};
}
Result : PASS
---
---
TLSv1.0
ATS Dictionary:
{
NSExceptionDomains = {
"api.map.baidu.com" = {
NSExceptionMinimumTLSVersion = "TLSv1.0";
};
};
}
Result : PASS
---
================================================================================
Configuring PFS exceptions for api.map.baidu.com
---
Disabling Perfect Forward Secrecy
ATS Dictionary:
{
NSExceptionDomains = {
"api.map.baidu.com" = {
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : PASS
---
================================================================================
Configuring PFS exceptions and allowing insecure HTTP for api.map.baidu.com
---
Disabling Perfect Forward Secrecy and Allowing Insecure HTTP
ATS Dictionary:
{
NSExceptionDomains = {
"api.map.baidu.com" = {
NSExceptionAllowsInsecureHTTPLoads = true;
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : PASS
---
================================================================================
Configuring TLS exceptions with PFS disabled for api.map.baidu.com
---
TLSv1.2 with PFS disabled
ATS Dictionary:
{
NSExceptionDomains = {
"api.map.baidu.com" = {
NSExceptionMinimumTLSVersion = "TLSv1.2";
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : PASS
---
---
TLSv1.1 with PFS disabled
ATS Dictionary:
{
NSExceptionDomains = {
"api.map.baidu.com" = {
NSExceptionMinimumTLSVersion = "TLSv1.1";
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : PASS
---
---
TLSv1.0 with PFS disabled
ATS Dictionary:
{
NSExceptionDomains = {
"api.map.baidu.com" = {
NSExceptionMinimumTLSVersion = "TLSv1.0";
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : PASS
---
================================================================================
Configuring TLS exceptions with PFS disabled and insecure HTTP allowed for api.map.baidu.com
---
TLSv1.2 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
NSExceptionDomains = {
"api.map.baidu.com" = {
NSExceptionAllowsInsecureHTTPLoads = true;
NSExceptionMinimumTLSVersion = "TLSv1.2";
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : PASS
---
---
TLSv1.1 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
NSExceptionDomains = {
"api.map.baidu.com" = {
NSExceptionAllowsInsecureHTTPLoads = true;
NSExceptionMinimumTLSVersion = "TLSv1.1";
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : PASS
---
---
TLSv1.0 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
NSExceptionDomains = {
"api.map.baidu.com" = {
NSExceptionAllowsInsecureHTTPLoads = true;
NSExceptionMinimumTLSVersion = "TLSv1.0";
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : PASS
---
================================================================================回答 2
Stack Overflow用户
发布于 2016-05-18 04:04:36
Stack Overflow用户
发布于 2017-06-13 13:41:39
我不知道这是否能解决你的问题,但我最近也遇到了类似的问题。在我的例子中,我还有一个服务器通过nscurl --ats-diagnostics,每个服务器都有一个PASS,但是在应用程序中出现ATS-9802错误时失败了。服务器使用TLS版本1.2,具有前向保密,使用良好的密码套件,并具有SHA256证书。
SSL实验室页面有指向答案的提示--它说一切都很好,但SSL链不完整。服务器配置稍有错误,因为它提供了正确的证书,但没有连接到根证书(应该已经在客户端上)所需的中间证书。有指向可以下载中间证书的指针,所以SSL实验室页面就这样做了,结果只将等级降到了"B“级。但是,这意味着客户端实现还需要能够自己下载中间证书--并不是所有的实现都能下载。
在我的例子中,因为这是在一个测试/开发环境中,在这个环境中,其他服务器偶尔出现错误配置,所以我们将AFSecurityPolicy属性validatesDomainName设置为NO,因为这解决了其他问题(当然,在生产中是肯定的)。但是,这也成为了这个服务器的设置,这不是绝对必要的。这反过来意味着AFSecurityPolicy在配置SecTrustRef时使用SecPolicyCreateBasicX509()而不是SecPolicyCreateSSL()。这在很大程度上是可以的,除了SecTrustGetNetworkFetchAllowed()的头文档声明:
默认情况下,如果信任评估包括SSL策略,则启用丢失证书的网络获取,否则将禁用该策略。
这就是问题所在。nscurl将使用SSL策略,因此它将下载中间证书并正常工作。但是,如果关闭该标志,ATS将在运行时失败,因为SecTrustEvaluate()将返回kSecTrustResultRecoverableTrustFailure,如果不进行进一步的干预,这将被视为失败。如果我将validatesDomainName设置为YES,那么它就开始工作(在这个服务器上)。或者,如果在将策略添加到SecTrustRef之后有一个句柄,则可以调用
SecTrustSetNetworkFetchAllowed(trustRef, true);因为这还允许获取中间证书,即使使用X509策略也是如此。或者,您可以修复服务器配置,以提供直至但不包括根证书的整个证书链,就像它应该做的那样。
编辑: SecTrustSetNetworkFetchAllowed调用只在iOS10上工作。对于iOS9,我必须用SSL策略调用SecTrustSetPolicies(),即重置策略列表--这是iOS9上ATS获取缺少的证书的唯一方法。
https://stackoverflow.com/questions/34781036
复制相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号