问题
I've a problem with ATS. I'm using XCode 9.1, my Development Target is 11.0. I'm developing using react-native 0.49
My program is doing a fetch to a https (https://www.xxxx.com) resource which has a valid (google chrome) letsencrypt certificate. The fetch only works, when NSAllowsArbitraryLoads is set to true, when set to false the fetch is blocked (debug out)?
I'm doing some tests using a temporary domain (https://xxxx.no-ip.org). This domain also has a valid letsencrypt certificate. In this case everything works fine.
The only difference I can see between both hosts is that the test domain is a single domain host, the production host is a multi domain host. Anybody a suggestion?
Regards,
Harry
The debug out: CFNetwork Diagnostics [1:1187] 12:38:08.258 { Did Fail: (null) Loader: {url = https://.... Error: Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802}
This is my info.plist section
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<false/>
<key>NSExceptionDomains</key>
<dict>
<key>xxxx.no-ip.org</key>
<dict/>
<key>localhost</key>
<dict>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
</dict>
<key>xxxx.com</key>
<dict>
<key>NSIncludesSubdomains</key>
<true/>
</dict> </dict> </dict>
回答1:
Using the NSExceptionAllowsInsecureHTTPLoads shouldn't do anything if you are trying to connect via HTTPS. Is it possible that your URL (https://www.xxxx.com) is redirecting traffic to http://www.xxxx.com?
There are other exceptions that will affect HTTPS traffic that will allow HTTPS connections that don't satisfy all the requirements for HTTPS (e.g. Forward Secrecy, TLS version, key strength). What you need to do is to figure out exactly why it is failing.
To test the URL for ATS compliance, use the nscurl --ats-diagnostics <url> command on your Mac. You can find out more about ATS in general, as well is how to use / interpret the results of the nscurl command above in this post.
Additionally, you could bump up the logging to get more details as to why it is failing by changing your CFNETWORK_DIAGNOSTICS level up. You can find out more about that here.
回答2:
Sometimes this happens because your certificate doesn't fit all the requirements of TLS version that Apple requires.
Try adding this to the domain https://www.xxxx.com
<key>NSExceptionRequiresForwardSecrecy</key>
<true/>
And don't forget to include subdomains:
<key>NSIncludesSubdomains</key>
<true/>
If that doesn't help then you can try to find what is the minimum TLS version you want to support too:
<key>NSExceptionMinimumTLSVersion</key>
<string>TLSv1.2</string>
If all the past ones don't work, try adding this:
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
来源:https://stackoverflow.com/questions/47110781/app-transport-security-blocks-https