
iOS 12 App REST call over SSL fails on Cert exchange with custom CA cert

I am working on the server side of a system here, but I have an iOS question. There is a team (Different time zone, so not online now) who are calling a REST API I provide, using an iOS app. iOS 12, I am pretty sure. They mailed me earlier to say that it's "Hanging" and sent me the following log. I know iOS doesn't like self-signed certs, so I made a custom CA, and signed a cert for my server. I sent them the Custom CAs (Issuing and Root) and they appear to have installed them correctly as profiles on iOS. Does the trace below make any sense to anyone? I know this is a bit hand-wavy, but we are up against the wire on a regulatory project, and I'd really appreciate any insight that I could offer to my App Development friends.

Error Domain=org.openid.appauth.general Code=-5 "(null)" UserInfo={NSUnderlyingError=0x280d86bb0 {Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x2831eb180>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, NSErrorPeerCertificateChainKey=(

"<cert(0x13e094e00) s: rhaxwayvd1.mid.xxx i: XXX plc Issuing CA 1>",

"<cert(0x13e095800) s: XXX plc Issuing CA 1 i: XXX plc Root CA>",

"<cert(0x13e096200) s: XXX plc Root CA i: XXX plc Root CA>"

), NSUnderlyingError=0x280d85b30 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x2831eb180>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=(

"<cert(0x13e094e00) s: rhaxwayvd1.mid.xxx i: XXX plc Issuing CA 1>",

"<cert(0x13e095800) s: XXX plc Issuing CA 1 i: AIB plc Root CA>",

"<cert(0x13e096200) s: XXX plc Root CA i: AIB plc Root CA>"

)}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://rhaxwayvd1.mid.xxx:8445/XXXApp/TokenExchange, NSErrorFailingURLStringKey=https://rhaxwayvd1.mid.xxx:8445/XXXApp/TokenExchange, NSErrorClientCertificateStateKey=0}}}

OK, lack of knowledge on my part, but I'll post the answer, in case it helps someone in future. Although I mailed the Custom CA Cert to the iOS tester, and he installed it as a profile, that's not enough. It is necessary to specify that you trust this CA on the device. This is done by navigating on the device settings to:

Settings->General->About->Certificate Trust Settings

There you will see the newly installed Custom CA. It is switched off by default, so it needs to be switched on.
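
As an added example (not part of the original post), a small Python helper for the server side: it parses an NSError dump shaped like the one above, lists the chain the server presented, and checks that it links up to a self-signed root, which separates a server-side chain problem from a device-side trust problem. The sample log and all names in it are constructed, and matching certificates by name is a heuristic assumed here for triage only.

```python
import re

# Constructed sample shaped like the NSError dump above; all names are placeholders.
SAMPLE_LOG = '''_kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, NSErrorPeerCertificateChainKey=(
"<cert(0x1) s: api.example.test i: Example Issuing CA 1>",
"<cert(0x2) s: Example Issuing CA 1 i: Example Root CA>",
"<cert(0x3) s: Example Root CA i: Example Root CA>"
), NSErrorFailingURLKey=https://api.example.test:8445/token'''

CERT_RE = re.compile(r"<cert\(0x[0-9a-fA-F]+\) s: (.+?) i: (.+?)>")
CODE_RE = re.compile(r"_kCFStreamErrorCodeKey=(-?\d+)")
# SecureTransport result codes (subset) from Apple's SecureTransport.h.
SSL_ERRORS = {-9802: "errSSLFatalAlert", -9807: "errSSLXCertChainInvalid",
              -9812: "errSSLUnknownRootCert", -9813: "errSSLNoRootCert"}

def parse_chain(log, key="NSErrorPeerCertificateChainKey"):
    """Return [(subject, issuer), ...] in the order the server presented them."""
    _, found, rest = log.partition(key + "=(")
    chain = []
    for line in rest.splitlines() if found else []:
        if line.strip().startswith(")"):   # end of the certificate list
            break
        m = CERT_RE.search(line)
        if m:
            chain.append((m.group(1).strip(), m.group(2).strip()))
    return chain

def diagnose(log):
    """Summarise what the dump says about the chain the server sent."""
    chain = parse_chain(log)
    codes = sorted({int(c) for c in CODE_RE.findall(log)})
    problems = []
    # Name matching is a heuristic; real path validation checks signatures.
    for (subj, issuer), (next_subj, _) in zip(chain, chain[1:]):
        if issuer != next_subj:
            problems.append(f"'{subj}' is issued by '{issuer}' but is followed by '{next_subj}'")
    root = chain[-1][0] if chain and chain[-1][0] == chain[-1][1] else None
    if root is None:
        problems.append("chain does not end in a self-signed root")
    return {"chain": chain, "root": root, "problems": problems,
            "errors": [SSL_ERRORS.get(c, str(c)) for c in codes]}

if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG)
    print(report)
    if not report["problems"]:
        print(f"Server chain looks complete; verify '{report['root']}' is trusted on the device.")
```

An empty `problems` list means the server sent a full chain, so the remaining question is whether the device trusts the root, which is the setting described in the answer.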
