Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share

ssl - Handling App Transport Security (kCFStreamErrorDomainSSL, -9802)

You run this code:

let URL = "https://www.nasa.gov/sites/default/files/wave_earth_mosaic_3.jpg"
let imageData = NSData(contentsOfURL: NSURL(string: URL)!)
UIImage(data: imageData!)

and you get this:

2015-09-11 16:33:47.433 Cassini[21200:447896] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)

Digging a bit deeper shows a SHA1 signature is used.

maximveksler$ openssl s_client -connect www.nasa.gov:443 < /dev/null 2>/dev/null | openssl x509 -text -in /dev/stdin | grep "Signature Algorithm"
    Signature Algorithm: sha1WithRSAEncryption
    Signature Algorithm: sha1WithRSAEncryption

So as of Sep 11, 2015 NASA are using an insecure connection, now what?


1 Reply


Why did it happen?

Because using an insecure web is bad for your users' privacy.

Beginning with iOS 9, Apple are enforcing secure connections your app makes to any resource accessed via HTTP. This means that the server you are connecting to needs to follow up-to-date secure connection best practices.

As of Sep, 2015 these include:

More info can be found at App Transport Security Technote

What can you do?

Manage your own servers? Fix it! Make sure they are strong and secure. You can verify that your server is good by testing it online with shaaaaaaaaaaaaa.com or locally with any of the methods outlined here

If you are connecting to other servers, there are options to "white list" problematic resources; this is discouraged.

Decrease security of a specific URL

Go to your Info.plist and add the following entries:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>www.nasa.gov</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>


Globally turn off App Transport Security

Note, this is a really really bad idea.

Go to your Info.plist and add the following entries:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

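An added example, not part of the original answer: a small Python check that reads an Info.plist and reports the two App Transport Security relaxations shown above, so they can be caught in code review or CI before shipping. The function name `audit_ats`, the severity labels, and the extra checks for `NSIncludesSubdomains`, `NSExceptionMinimumTLSVersion` and `NSExceptionRequiresForwardSecrecy` (ATS keys the answer does not show) are assumptions of this example.

```python
import plistlib

# Constructed sample: both Info.plist fragments from the answer, merged into one file.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
        <key>www.nasa.gov</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>
</dict></plist>"""


def audit_ats(plist_bytes):
    """Return (severity, scope, message) tuples for ATS settings that weaken TLS enforcement."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity")
    if not isinstance(ats, dict):
        return []  # no ATS dictionary, so nothing is relaxed
    findings = []  # severity labels below are this example's own choice
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append(("HIGH", "*", "ATS is turned off for every domain"))
    domains = ats.get("NSExceptionDomains")
    for domain, opts in (domains.items() if isinstance(domains, dict) else []):
        if not isinstance(opts, dict):
            continue
        # NSIncludesSubdomains widens an exception to every host under the domain.
        scope = domain + (" and subdomains" if opts.get("NSIncludesSubdomains") is True else "")
        if opts.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(("MEDIUM", scope, "insecure loads are allowed"))
        if opts.get("NSExceptionMinimumTLSVersion") in ("TLSv1.0", "TLSv1.1"):
            findings.append(("MEDIUM", scope, "minimum TLS version is below 1.2"))
        if opts.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(("LOW", scope, "forward secrecy is not required"))
    return findings


if __name__ == "__main__":
    for severity, scope, message in audit_ats(SAMPLE_PLIST):
        print(f"{severity:6} {scope}: {message}")
```

`plistlib.loads` also accepts binary plists, so the same function works on the Info.plist inside a built app bundle.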

