问题
From the beginning, how I configure NSURLSession:
auto securityPolicy = self.securityPolicy;
NSURLSessionConfiguration *config = [NSURLSessionConfiguration ephemeralSessionConfiguration];
config.TLSMinimumSupportedProtocol = [CSHTTPSessionWrapper minimumTLSprotocolForSecurityPolicy: securityPolicy]; // this properly sets values kTLSProtocol1, kTLSProtocol11, kTLSProtocol12
self.session = [NSURLSession sessionWithConfiguration: config
delegate: self
delegateQueue: nil];
Nothing fancy.
Now I wrote some automated test which set security policy to TLS 1.0, 1.1, 1.2 and tries connect to openssl servers.
I wrote python script which starts this servers:
def run_ssl_server(name, openSSLBinary, port, params):
print "Starting {0} server on port {1}".format(name, port)
proc = subprocess.Popen([openSSLBinary, "s_server", "-cert", "testres/server.cert.pem", "-key", "testres/server.key.pem", "-debug", "-www", "-accept"] + [port] + params)
atexit.register(proc.terminate)
print "Server started. Pid={0}".format(proc.pid)
def main() :
… … …
openSSLBinary = arguments.openSSLBinary # use custom build of openssl
server_modes = {
'normal': ('4433', []),
'ssl3_only': ('4435', ['-ssl3'])
}
openSSLVersion = open_ssl_tool_version(openSSLBinary)
if openSSLVersion >= LooseVersion("1.0.0") :
print "Adding servers which can be configured for openssl 1.0.0"
server_modes.update({
'no_tls2' : ('4434', ['-no_tls1_2']),
'tls1' : ('4436', ['-tls1']),
'tls1_1' : ('4437', ['-tls1_1']),
'tls1_2' : ('4438', ['-tls1_2']),
})
… … …
Since preinstalled openssl is quite old OpenSSL 0.9.8zh 14 Jan 2016 I've build new version and feed it to my python script.
Now test are checking all combinations of client minimum TLS version and server TLS version. On Mac OS all tests are passing!
What is strange exactly same tests run on iOS emulator are failing when client have higher minimum TLS version than server supports. NSURLSSession returns success, no errors are reported (and they should)!
Exactly same test I did for sockets (NSInputStream and NSOutputStream) and run on Mac and iOS emulator and they are passing, so problem is not a port forwarding on emulator.
It looks like that NSURLSessionConfiguration TLSMinimumSupportedProtocol doesn't work on iOS!
Does anyone has any advices, clues? Or should I raise a bug report to Apple (I hate bug tracker Apple uses)?
回答1:
Ok issue is not reproducible on iOS 10, so apparently Apple already fix this bug (I've rerun test with Xcode 8.2.1).
Initially I did testing with iOS 9 (Xcode 7.2).
来源:https://stackoverflow.com/questions/42834164/nsurlsessionconfiguration-tlsminimumsupportedprotocol-looks-like-doesnt-work-on