ios - kCFStreamErrorDomainSSL -9802 错误,但它是 HTTPS URL
<p><p>所以我知道 ATS 的东西以及如何编辑 info.plist 以允许 HTTP。但是,URL 是 <a href="https://api.map.baidu.com/api?v=2" rel="noreferrer noopener nofollow">https://api.map.baidu.com/api?v=2</a> . 0&ak=1XjLLEhZhQNUzd93EjU5nOGQ&s=1,这是一个HTTPS请求,但我还是得到了</p>
<pre><code>NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
</code></pre>
<p>然后我在 <code>didFinishLaunchingWithOptions</code> 中添加 <code>setenv("CFNETWORK_DIAGNOSTICS", "3", 1);</code> 以启用详细日志。</p>
<p>在日志中,我找到了错误日志:</p>
<pre><code>5510 Jan 14 10:52:01MCompass <Notice>: CFNetwork Diagnostics 10:52:01.458 {
5511 Response Error
5512 Request: <CFURLRequest 0x7fecf3cddcb0 > {url = https://api.map.baidu.com/api?v=2.0&ak=1XjLLEhZhQNUzd93EjU5nOGQ&s=1, cs = 0x0}
5513 Error: Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x7fecf406bbf0>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=<CFArray 0x7fecf406cda0 >{type = immutable, count = 3, values = (
5514 0 : <cert(0x7fecf3fa80e0) s: baidu.com i: VeriSign Class 3 International Server CA - G3>
5515 1 : <cert(0x7fecf3fa8920) s: VeriSign Class 3 International Server CA - G3 i: VeriSign Class 3 Public Primary Certification Authority - G5>
5516 2 : <cert(0x7fecf4069fd0) s: VeriSign Class 3 Public Primary Certification Authority - G5 i: Class 3 Public Primary Certification Authority>
5517 )}}
5518 }
5519 Jan 14 10:52:01MCompass <Notice>: CFNetwork Diagnostics 10:52:01.459 {
5520 Did Fail
5521 Loader: <CFMutableURLRequest 0x7fecf3cdd9f0 > {url = https://api.map.baidu.com/api?v=2.0&ak=1XjLLEhZhQNUzd93EjU5nOGQ&s=1, cs = 0x0}
5522 Error: Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x7fecf406bbf0>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=<CFArray 0x7fecf406cda0 >{type = immutable, count = 3, values = (
5523 0 : <cert(0x7fecf3fa80e0) s: baidu.com i: VeriSign Class 3 International Server CA - G3>
5524 1 : <cert(0x7fecf3fa8920) s: VeriSign Class 3 International Server CA - G3 i: VeriSign Class 3 Public Primary Certification Authority - G5>
5525 2 : <cert(0x7fecf4069fd0) s: VeriSign Class 3 Public Primary Certification Authority - G5 i: Class 3 Public Primary Certification Authority>
5526 )}}
5527 init to origin load: 0.00280595s
5528 total time: 0.447458s
5529 total bytes: 0
5530 }
</code></pre>
<p>我很困惑,因为它是 HTTPS 请求,但仍然有问题。我在 Chrome 上尝试了 URL,它返回了一个有效的证书(我有像 X509 这样的证书知识)。但是不知道为什么会被屏蔽。</p>
<p>有人可以帮忙吗?预先感谢。将此域添加到 ATS 异常(exception)中会有所帮助,但我不想添加它,因为它已经是 HTTPS!</p>
<p><strong>更新:</strong></p>
<p>运行</p>
<pre><code>/usr/bin/nscurl --ats-diagnostics -v "https://api.map.baidu.com/api?v=2.0&ak=1XjLLEhZhQNUzd93EjU5nOGQ&s=1"
</code></pre>
<p>将返回 ALL PASS:</p>
<pre><code>Xuans-MacBook-Pro:~ xuan$ /usr/bin/nscurl --ats-diagnostics -v "https://api.map.baidu.com/api?v=2.0&ak=1XjLLEhZhQNUzd93EjU5nOGQ&s=1"
Starting ATS Diagnostics
Configuring ATS Info.plist keys and displaying the result of HTTPS loads to https://api.map.baidu.com/api?v=2.0&ak=1XjLLEhZhQNUzd93EjU5nOGQ&s=1.
A test will "PASS" if URLSession:task:didCompleteWithError: returns a nil error.
================================================================================
Default ATS Secure Connection
---
ATS Default Connection
ATS Dictionary:
{
}
Result : PASS
---
================================================================================
Allowing Arbitrary Loads
---
Allow All Loads
ATS Dictionary:
{
NSAllowsArbitraryLoads = true;
}
Result : PASS
---
================================================================================
Configuring TLS exceptions for api.map.baidu.com
---
TLSv1.2
ATS Dictionary:
{
NSExceptionDomains = {
"api.map.baidu.com" = {
NSExceptionMinimumTLSVersion = "TLSv1.2";
};
};
}
Result : PASS
---
---
TLSv1.1
ATS Dictionary:
{
NSExceptionDomains = {
"api.map.baidu.com" = {
NSExceptionMinimumTLSVersion = "TLSv1.1";
};
};
}
Result : PASS
---
---
TLSv1.0
ATS Dictionary:
{
NSExceptionDomains = {
"api.map.baidu.com" = {
NSExceptionMinimumTLSVersion = "TLSv1.0";
};
};
}
Result : PASS
---
================================================================================
Configuring PFS exceptions for api.map.baidu.com
---
Disabling Perfect Forward Secrecy
ATS Dictionary:
{
NSExceptionDomains = {
"api.map.baidu.com" = {
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : PASS
---
================================================================================
Configuring PFS exceptions and allowing insecure HTTP for api.map.baidu.com
---
Disabling Perfect Forward Secrecy and Allowing Insecure HTTP
ATS Dictionary:
{
NSExceptionDomains = {
"api.map.baidu.com" = {
NSExceptionAllowsInsecureHTTPLoads = true;
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : PASS
---
================================================================================
Configuring TLS exceptions with PFS disabled for api.map.baidu.com
---
TLSv1.2 with PFS disabled
ATS Dictionary:
{
NSExceptionDomains = {
"api.map.baidu.com" = {
NSExceptionMinimumTLSVersion = "TLSv1.2";
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : PASS
---
---
TLSv1.1 with PFS disabled
ATS Dictionary:
{
NSExceptionDomains = {
"api.map.baidu.com" = {
NSExceptionMinimumTLSVersion = "TLSv1.1";
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : PASS
---
---
TLSv1.0 with PFS disabled
ATS Dictionary:
{
NSExceptionDomains = {
"api.map.baidu.com" = {
NSExceptionMinimumTLSVersion = "TLSv1.0";
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : PASS
---
================================================================================
Configuring TLS exceptions with PFS disabled and insecure HTTP allowed for api.map.baidu.com
---
TLSv1.2 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
NSExceptionDomains = {
"api.map.baidu.com" = {
NSExceptionAllowsInsecureHTTPLoads = true;
NSExceptionMinimumTLSVersion = "TLSv1.2";
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : PASS
---
---
TLSv1.1 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
NSExceptionDomains = {
"api.map.baidu.com" = {
NSExceptionAllowsInsecureHTTPLoads = true;
NSExceptionMinimumTLSVersion = "TLSv1.1";
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : PASS
---
---
TLSv1.0 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
NSExceptionDomains = {
"api.map.baidu.com" = {
NSExceptionAllowsInsecureHTTPLoads = true;
NSExceptionMinimumTLSVersion = "TLSv1.0";
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : PASS
---
================================================================================
</code></pre></p>
<br><hr><h1><strong>Best Answer-推荐答案</ strong></h1><br>
<p><p>如 <a href="https://stackoverflow.com/questions/33225807/nsurlsession-nsurlconnection-http-load-failed-kcfstreamerrordomainssl-9802-o" title="this answer" rel="noreferrer noopener nofollow">this answer</a> 中所述,通过 HTTPS 访问您的 API url 并不意味着它会遵守 Apple 的 ATS。我也使用 <code>nscurl</code>,但我认为该工具还不够成熟,有时可能效率很低。</p>
<p> <a href="https://www.ssllabs.com/ssltest/index.html" rel="noreferrer noopener nofollow" title="SSL Labs">SSL Labs</a>测试要好得多,<strong>详细</strong>,恕我直言。它将帮助您追踪 SSL 配置中缺少的内容。</p>
<p>请注意,ATS <a href="https://developer.apple.com/library/mac/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html" rel="noreferrer noopener nofollow">requires</a>至少 TLS 1.2 和完美前向保密密码套件。</p></p>
<p style="font-size: 20px;">关于ios - kCFStreamErrorDomainSSL -9802 错误,但它是 HTTPS URL,我们在Stack Overflow上找到一个类似的问题:
<a href="https://stackoverflow.com/questions/34781036/" rel="noreferrer noopener nofollow" style="color: red;">
https://stackoverflow.com/questions/34781036/
</a>
</p>
页:
[1]