ios - 由于 iOS 10 中的 nonce 计数错误，HTTP 摘要身份验证失败

自 iOS 10 起，HTTP 摘要身份验证在我们的应用程序中不再有效，原因是 Authorization: Digest header generated by NSURLSession 中的 nonce-count 错误。

相同的代码在 iOS 9 中有效，但在 iOS 10 中无法验证

1. 使用 NSURLRequest 创建 POST 请求
2. 使用 NSURLSession 触发它
3. 在urlSession(_:didReceive:completionHandler中处理NSURLAuthenticationMethodHTTPDigest委托(delegate)
4. 服务器按预期返回 401 和 qop="auth"字符串

5. 应用使用 Authorization: Digest header 再次请求。

   根据RFC2617 :

   nonce-count

   This MUST be specified if a qop directive is sent (see above), and MUST NOT be specified if the server did not send a qop directive in the WWW-Authenticate header field. The nc-value is the hexadecimal count of the number of requests (including the current request) that the client has sent with the nonce value in this request. For example, in the first request sent in response to a given nonce value, the client sends "nc=00000001". The purpose of this directive is to allow the server to detect request replays by maintaining its own copy of this count - if the same nc-value is seen twice, then the request is a replay. See the description below of the construction of the request-digest value.

   但是，即使对于 iOS 10 中的第一个请求，nonce 计数也从“nc=00000002”开始，这会导致服务器拒绝它。

6. 期望服务器响应 200 OK

iOS 9 及之前版本:

POST /Tunnel/Message.aspx HTTP/1.1
Host: 172.18.70.12:3454
Accept: */*
Content-Type: application/xml
User-Agent: iViewer/1 CFNetwork/758.5.3 Darwin/15.6.0
Connection: keep-alive
Cookie: 
AuthType: digest
Accept-Language: zh-tw
Content-Length: 69
Accept-Encoding: gzip, deflate
Authorization: Digest username="admin", realm="ND8422P", 
nonce="cc17a78cdd96d54e012eadefe7d13d82", uri="/Tunnel/Message.aspx", 
response="51587db4bcf6eeece68c4ec21108f170", 
cnonce="47b8df8a980f280038834b7817250e90", nc=00000001, qop="auth"
<?xml version="1.0" encoding="UTF-8"?><GetServerInfo></GetServerInfo>

HTTP/1.0 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/xml
Content-Length: 1127

iOS 10:

POST /Tunnel/Message.aspx HTTP/1.1
Host: 172.18.70.12:3454
Accept: */*
Content-Type: application/xml
User-Agent: iViewer/1 CFNetwork/808.0.2 Darwin/16.0.0
Connection: keep-alive
Cookie: 
AuthType: digest
Accept-Language: en-us
Content-Length: 69
Accept-Encoding: gzip, deflate
Authorization: Digest username="admin", realm="ND8422P", 
nonce="4b8bf8549da0c3010f031472e95f387d", uri="/Tunnel/Message.aspx", 
response="91cf44bc0aadf2f743164d03b5c708c7", 
cnonce="b5f9e6c69e19c1b396298d68f2aefe7e", nc=00000002, qop="auth"
<?xml version="1.0" encoding="UTF-8"?><GetServerInfo></GetServerInfo>

HTTP/1.0 401 Unauthorized
WWW-Authenticate: Digest qop="auth", realm="ND8422P", nonce="8e8b0538bb08876ac4d8203f1d14e9ac"
CSeq: 0

有人遇到同样的问题吗？

我能找到的唯一相关帖子是: Apple Developer Forums : Problem of the digest authentication ，但没有更多信息。

如何在不要求服务器端忽略错误的 nonce-count 的情况下在客户端应用程序端修复它或获得解决方法？

谢谢。

---

Best Answer-推荐答案

Apple 开发者技术支持确认这是 iOS 10 的错误。 希望尽快修复。

Thank you for contacting Apple Developer Technical Support (DTS). We believe this issue is a bug. Please file a bug report using the Bug Reporter tool https://developer.apple.com/bug-reporting/.

更新: Apple 在 iOS 10.2 Beta 3 中修复了这个问题

关于ios - 由于 iOS 10 中的 nonce 计数错误，HTTP 摘要身份验证失败，我们在Stack Overflow上找到一个类似的问题： https://stackoverflow.com/questions/39587003/