间歇性HTTP负载失败kCFStreamErrorDomainSSL (-9802)

Question

当试图从twitter加载图像文件时，出现了一个间歇性的错误，其URL如下：https://pbs.twimg.com/media/Ck-9Oc6XIAAIb8B.jpg。

以ios8为目标，在两个ios9设备和模拟器上失败，通常至少有20%的时间是间歇性的。

我有一个测试应用程序与一个Reload按钮，允许重试。如果第一次工作正常，那么以后的每个重新加载似乎都能工作(也许是缓存？)。如果第一次失败，它最终会在重试几次(比如5-10)后成功加载。

当然，twitter有适当的SSL设置。到底怎么回事？

我不想完全禁用ALS，甚至只是在这个领域，理想情况下。

import UIKit

class ViewController: UIViewController {

    @IBOutlet weak var myImageView: UIImageView!

    @IBAction func didPressReload(sender: AnyObject) {

        loadImage()
    }

    func loadImage() {
        myImageView.imageFromUrl("https://pbs.twimg.com/media/Ck-9Oc6XIAAIb8B.jpg")
    }
}

extension UIImageView {
    public func imageFromUrl(urlString: String) {
        if let url = NSURL(string: urlString) {
            let request = NSURLRequest(URL: url)
            NSURLConnection.sendAsynchronousRequest(request, queue: NSOperationQueue.mainQueue()) {

                (response: NSURLResponse?, data: NSData?, error: NSError?) in

                if (error != nil) {
                    NSLog("Failed to load URL \(response?.URL?.absoluteString): \(error)")

                }

                if let imageData = data as NSData? {
                    self.image = UIImage(data: imageData)
                }
            }
        }
    }
}

错误详细信息失败时：

2016-06-18 18:17:19.975 TestSSL[1027:420188] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
2016-06-18 18:17:20.011 TestSSL[1027:420137] Failed to load URL nil: Optional(Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSUnderlyingError=0x14597da0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamPropertySSLClientCertificateState=0, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x146977b0>, _kCFStreamErrorDomainKey=3, kCFStreamPropertySSLPeerCertificates=<CFArray 0x14595f90 [0x3b0ca840]>{type = immutable, count = 4, values = (
    0 : <cert(0x14696590) s: *.twimg.com i: DigiCert High Assurance CA-3>
    1 : <cert(0x14696a90) s: DigiCert High Assurance CA-3 i: DigiCert High Assurance EV Root CA>
    2 : <cert(0x14696eb0) s: DigiCert High Assurance EV Root CA i: Baltimore CyberTrust Root>
    3 : <cert(0x146971e0) s: Baltimore CyberTrust Root i: Baltimore CyberTrust Root>
)}, NSErrorFailingURLStringKey=https://pbs.twimg.com/media/Ck-9Oc6XIAAIb8B.jpg, NSErrorFailingURLKey=https://pbs.twimg.com/media/Ck-9Oc6XIAAIb8B.jpg}}, _kCFStreamErrorCodeKey=-9802, NSErrorFailingURLStringKey=https://pbs.twimg.com/media/Ck-9Oc6XIAAIb8B.jpg, NSErrorPeerCertificateChainKey=<CFArray 0x14595f90 [0x3b0ca840]>{type = immutable, count = 4, values = (
    0 : <cert(0x14696590) s: *.twimg.com i: DigiCert High Assurance CA-3>
    1 : <cert(0x14696a90) s: DigiCert High Assurance CA-3 i: DigiCert High Assurance EV Root CA>
    2 : <cert(0x14696eb0) s: DigiCert High Assurance EV Root CA i: Baltimore CyberTrust Root>
    3 : <cert(0x146971e0) s: Baltimore CyberTrust Root i: Baltimore CyberTrust Root>
)}, NSErrorClientCertificateStateKey=0, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x146977b0>, NSErrorFailingURLKey=https://pbs.twimg.com/media/Ck-9Oc6XIAAIb8B.jpg})

Answer 1

我的错误是假设“twitter确实有适当的SSL设置”。通过在Chrome中反复重新加载，我发现有时只提供SHA-1证书。

也许twitter试图支持遗留客户端的事实与此有关：

我们通过在Twitter端点上实现SHA-256证书来完成我们的工作，如果我们检测到没有SHA-256支持的老客户端，则使用证书切换只提供SHA-1证书。

来自https://blog.twitter.com/2015/sunsetting-sha-1

似乎twitter有时会感到困惑。因此，我唯一的选择似乎是允许我的应用程序出现ALS异常。

我希望我自己回答的问题对别人有用。