问题
I've got an iOS app which uses SSL/HTTPS to communicate with a server. The server is providing a certificate that works over TLSv1.2 (the main requirement of App Transport Security). An example URL that demonstrates this (where the TLSv1.2 can be verified by checking the certificate) is https://api.branon.co.uk/checkOnline.
However, the app is throwing errors relating to the App Transport Layer - errors that, when Googled - imply it's because the server isn't working over TLSv1.2. An example error is:
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
and:
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
I even added a bunch of exceptions to the plist file, such as:
<dict>
<key>NSExceptionDomains</key>
<dict>
<key><my top level domain - the app uses a subdomain - allowed below></key>
<dict>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSTemporaryExceptionMinimumTLSVersion</key>
<string>TLSv1.1</string>
</dict>
</dict>
</dict>
</plist>
but this doesn't change the result.
The certificate used is a free certificate issued from StartCom. My nginx config is below (just for reference).
server {
listen [::]:443 ssl;
listen 443 ssl;
ssl on;
ssl_certificate /root/ssl/<domain>.crt;
ssl_certificate_key /root/ssl/server.key;
server_name api.<domain>;
access_log /var/log/nginx/api.access.log;
error_log /var/log/nginx/api.error.log;
location ~ ^/([a-zA-Z]+)$ {
proxy_pass http://127.0.0.1:5000/$1;
}
}
Does anybody have any idea why this is happening?
Thanks!
Update: Following the results of @Paulw11's suggested test (below) running nscurl, I decided just to try disabling App Transport Security entirely. I changed the App Transport Security dictionary in my plist to the below:
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
and am still getting the same error! So if it's not App Transport Security, what could be causing this? That error I'm getting again is:
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
回答1:
The server does not provide a complete certificate chain in its SSL/TLS handshake. While some clients can handle this and build out a trust chain, others cannot.
You can find the missing intermediate certificate via https://whatsmychaincert.com/?api.branon.co.uk and serve it along with your site's certificate in your SSL configuration in nginx.
Do remember to remove any ATS exceptions that you may have put in place!
回答2:
The format of the keys I use to allow older versions of TLS (for amazonaws, for example) looks like this:
<key>NSIncludesSubdomains</key>
<string>NO</string>
<key>NSThirdPartyExceptionMinimumTLSVersion</key>
<string>TLSv1.1</string>
<key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
<string>NO</string>
The rest of the structure looks the same. At one point, we had this at the root level.
<key>NSExceptionMinimumTLSVersion</key>
<string>TLSv1.0</string>
来源:https://stackoverflow.com/questions/36187787/ios-app-transport-security-not-accepting-tlsv1-2-connection-and-plist-exceptions