App Transport Security阻止HTTPS
[英]App Transport Security blocks HTTPS
问题描述
I've a problem with ATS. 
我对ATS有疑问。 I'm using XCode 9.1, my Development Target is 11.0. 我正在使用XCode 9.1,我的开发目标是11.0。 I'm developing using react-native 0.49 我正在使用react-native 0.49进行开发
My program is doing a fetch to a https ( https://www.xxxx.com ) resource which has a valid (google chrome) letsencrypt certificate. 我的程序正在获取https ( https://www.xxxx.com )资源,该资源具有有效的(谷歌浏览器)letsencrypt证书。 The fetch only works, when NSAllowsArbitraryLoads is set to true, when set to false the fetch is blocked (debug out)? 只有当NSAllowsArbitraryLoads设置为true时,fetch才有效,当设置为false时,fetch被阻塞(调试输出)?
I'm doing some tests using a temporary domain ( https://xxxx.no-ip.org ). 我正在使用临时域( https://xxxx.no-ip.org )进行一些测试。 This domain also has a valid letsencrypt certificate. 此域还具有有效的letsencrypt证书。 In this case everything works fine. 在这种情况下一切正常。
The only difference I can see between both hosts is that the test domain is a single domain host, the production host is a multi domain host. 我在两台主机之间看到的唯一区别是测试域是单域主机,生产主机是多域主机。 Anybody a suggestion? 有人建议吗?
Regards, 问候,
Harry 掠夺
The debug out: CFNetwork Diagnostics [1:1187] 12:38:08.258 { Did Fail: (null) Loader: {url = https://.... Error: Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802} 调试: CFNetwork Diagnostics [1:1187] 12:38:08.258 {失败:(null)Loader:{url = https:// ....错误:错误域= kCFErrorDomainCFNetwork代码= -1200“(null) “UserInfo = {_ kCFStreamPropertySSLClientCertificateState = 0,_kCFNetworkCFStreamSSLErrorOriginalValue = -9802,_kCFStreamErrorDomainKey = 3,_kCFStreamErrorCodeKey = -9802}
This is my info.plist section 这是我的info.plist部分
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<false/>
<key>NSExceptionDomains</key>
<dict>
<key>xxxx.no-ip.org</key>
<dict/>
<key>localhost</key>
<dict>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
</dict>
<key>xxxx.com</key>
<dict>
<key>NSIncludesSubdomains</key>
<true/>
</dict> </dict> </dict>
2 个解决方案
解决方案1
2 已采纳 2017-11-07 01:04:46
Using the NSExceptionAllowsInsecureHTTPLoads shouldn't do anything if you are trying to connect via HTTPS. 如果您尝试通过HTTPS连接,则使用NSExceptionAllowsInsecureHTTPLoads不应执行任何操作。 Is it possible that your URL ( https://www.xxxx.com ) is redirecting traffic to http://www.xxxx.com ? 您的网址( https://www.xxxx.com )是否可能将流量重定向到http://www.xxxx.com ?
There are other exceptions that will affect HTTPS traffic that will allow HTTPS connections that don't satisfy all the requirements for HTTPS (eg Forward Secrecy, TLS version, key strength). 还有其他一些例外情况会影响HTTPS流量,这些异常将允许不满足HTTPS所有要求的HTTPS连接(例如Forward Secrecy,TLS版本,密钥强度)。 What you need to do is to figure out exactly why it is failing. 你需要做的是弄清楚它失败的确切原因。
To test the URL for ATS compliance, use the nscurl --ats-diagnostics <url> command on your Mac. 要测试ATS合规性的URL,请在Mac上使用nscurl --ats-diagnostics <url>命令。 You can find out more about ATS in general, as well is how to use / interpret the results of the nscurl command above in this post . 您可以了解更多有关ATS一般,也就是如何在使用/解释nscurl命令的结果上面这个帖子 。
Additionally, you could bump up the logging to get more details as to why it is failing by changing your CFNETWORK_DIAGNOSTICS level up. 此外,您可以通过更改CFNETWORK_DIAGNOSTICS级别来提高日志记录以获取有关其失败原因的更多详细信息。 You can find out more about that here . 你可以在这里找到更多相关信息。
解决方案2
1 2017-11-04 15:18:44
Sometimes this happens because your certificate doesn't fit all the requirements of TLS version that Apple requires. 有时会发生这种情况,因为您的证书不符合Apple要求的TLS版本的所有要求。
Try adding this to the domain https://www.xxxx.com 尝试将此添加到域https://www.xxxx.com
<key>NSExceptionRequiresForwardSecrecy</key>
<true/>
And don't forget to include subdomains: 并且不要忘记包含子域名:
<key>NSIncludesSubdomains</key>
<true/>
If that doesn't help then you can try to find what is the minimum TLS version you want to support too: 如果这没有帮助,那么您可以尝试找到您想要支持的最小TLS版本:
<key>NSExceptionMinimumTLSVersion</key>
<string>TLSv1.2</string>
If all the past ones don't work, try adding this: 如果所有过去的都不起作用,请尝试添加以下内容:
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.