iOS 11: ATS (App Transport Security) no longer accepts custom anchor certificates? This page collects the question and its recommended answer.

Problem description

I am leasing a self-signed certificate using NSMutableURLRequest, and when the certificate is anchored using a custom certificate with SecTrustSetAnchorCertificates, iOS 11 fails with the following error message:

refreshPreferences: HangTracerEnabled: 1
refreshPreferences: HangTracerDuration: 500
refreshPreferences: ActivationLoggingEnabled: 0 ActivationLoggingTaskedOffByDA:0
ATS failed system trust
System Trust failed for [1:0x1c417dc40]
TIC SSL Trust Error [1:0x1c417dc40]: 3:0
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
Task <721D712D-FDBD-4F52-8C9F-EEEA28104E73>.<1> HTTP load failed (error code: -1200 [3:-9802])
Task <721D712D-FDBD-4F52-8C9F-EEEA28104E73>.<1> finished with error - code: -1200

What used to work for iOS 10 no longer works in iOS 11.

I am aware that iOS 11 no longer supports the following:

  • RC4, 3DES-CBC, AES-CBC
  • MD5, SHA-1
  • RSA public keys shorter than 2048 bits (for all TLS connections to servers)
  • http://
  • SSLv3
  • TLS 1.0
  • TLS 1.1

And the certificate does not use these except for one fingerprint, which is SHA-1, but a SHA-256 fingerprint is also listed.

And by adding the following we can bypass the ATS (App Transport Security) error:

<key>NSAppTransportSecurity</key>
<dict>
        <key>NSExceptionDomains</key>
        <dict>
            <key>mydomain.com</key>
            <dict>
                <!--Include to allow subdomains-->
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSExceptionRequiresForwardSecrecy</key>
                <false/>
            </dict>
        </dict>
</dict>

Installing the root / anchor certificate onto the phone itself also works, without the need to whitelist mydomain.com.

Does this mean that ATS no longer supports self-signed certificates?

The following worked in iOS 10:

SecTrustSetAnchorCertificates(serverTrust, (__bridge CFArrayRef)certs);

Using nscurl on a Mac shows many failures, and after installing the root certificate into the "System" Keystore, nscurl succeeds. I did this on macOS 10.12.6.

nscurl --verbose --ats-diagnostics https://

How can I make this work with a custom certificate, but without the need to install certificates or whitelist the domain?

Recommended answer

Some time ago macOS started enforcing a requirement that CA certificates can't also be used as end-entity (e.g. webserver) certificates. Is it possible that iOS added this requirement between 10 and 11?

If so, the workaround is simple: you create your self-signed CA certificate, and use that certificate to issue the webserver certificate. The CA certificate (basicConstraints: CA=True) is the trust anchor that goes in your trust store; the end-entity certificate (omit basicConstraints; extendedKeyUsage=serverAuth) is presented by the web server. You're just not allowed to use the exact same certificate for both any more.

(This should be a comment but I don't have enough points to comment yet.)
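The two-certificate setup the answer describes, as an added example that is not part of the original question or answer: a self-signed CA (CA:TRUE, keyCertSign) that issues a separate server certificate (no CA flag, extendedKeyUsage=serverAuth), followed by openssl's own purpose check on each. It assumes openssl 1.1.1 or newer is on PATH; the CA subject is made up and "mydomain.com" is the host from the question's plist.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the CA / leaf pair
# the answer recommends and checks each piece with openssl.
set -eu

make_chain() {            # $1 = output dir, $2 = server host name
  dir="$1"; host="$2"
  mkdir -p "$dir"
  # 1. Self-signed CA: CA:TRUE and keyCertSign only. This is the trust anchor
  #    you hand to SecTrustSetAnchorCertificates, not the server certificate.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/ca.key" -out "$dir/ca.csr" \
    -subj "/CN=Example Private Root CA" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca.ext"
  openssl x509 -req -sha256 -days 365 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" >/dev/null 2>&1
  # 2. End-entity certificate issued by that CA: no CA flag, serverAuth EKU,
  #    and a SAN matching the host. This is what the web server presents.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/server.key" -out "$dir/server.csr" \
    -subj "/CN=$host" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$host" > "$dir/leaf.ext"
  openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/leaf.ext" -out "$dir/server.crt" >/dev/null 2>&1
}

# Does $2 chain to ca.crt in $1 AND qualify as a TLS server certificate?
# This is openssl's purpose check, only an approximation of what ATS enforces.
usable_as_server() {      # $1 = dir, $2 = certificate to check
  openssl verify -CAfile "$1/ca.crt" -purpose sslserver "$2" >/dev/null 2>&1
}

# True when the certificate carries basicConstraints CA:TRUE.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}
```

After make_chain /tmp/pki mydomain.com, usable_as_server /tmp/pki /tmp/pki/server.crt passes while the same check on ca.crt does not, which is the point the answer makes.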

09-06 14:19