![](/img/trans.png)
[英]Would iOS AFNetwork SSL Pinning mode provide additional security bonus if valid certificate deployed
[英]SSL certificate is not valid on iOS
我的iOS应用程序有一个简单的后端。 它曾经可以正常工作,但最近SSL连接仅在iOS上开始失败。
奇怪的是,它在星期五某个时候开始失败,然后又重新开始工作。 现在,我无法在iOS上使用后端。
我所做的所有证书检查均显示一切正常,并且TLS 1.2正常运行。 但是iOS(只有iOS和macOS才可以使用iOS)表示SSL证书无效。
试图续订证书-没有帮助。 证书不是自签名的(来自letsencrypt.org)
这是一个测试链接: https : //api.dartoapp.com : 9001/station/test1
SSL实验室报告: https : //www.ssllabs.com/ssltest/analyze.html?d=api.dartoapp.com
NSURLRequest错误:
Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x1d430dec0>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, NSErrorPeerCertificateChainKey=(
"<cert(0x1400cec00) s: api.dartoapp.com i: Let's Encrypt Authority X3>"
), NSUnderlyingError=0x1d084bc40 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x1d430dec0>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=(
"<cert(0x1400cec00) s: api.dartoapp.com i: Let's Encrypt Authority X3>"
)}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://api.dartoapp.com:9001/station/test1, NSErrorFailingURLStringKey=https://api.dartoapp.com:9001/station/test1, NSErrorClientCertificateStateKey=0}
卷曲输出:
~ ⟩ curl -kvI https://api.dartoapp.com:9001/station/test1
* Trying 54.154.203.139...
* TCP_NODELAY set
* Connected to api.dartoapp.com (54.154.203.139) port 9001 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=api.dartoapp.com
* start date: Mar 11 18:18:58 2018 GMT
* expire date: Jun 9 18:18:58 2018 GMT
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7ffeac806c00)
> HEAD /station/test1 HTTP/2
> Host: api.dartoapp.com:9001
> User-Agent: curl/7.54.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200
HTTP/2 200
< content-type: application/json; charset=utf-8
content-type: application/json; charset=utf-8
< content-length: 471
content-length: 471
< date: Sun, 11 Mar 2018 19:38:24 GMT
date: Sun, 11 Mar 2018 19:38:24 GMT
好的,问题是我的服务器无法发送中间证书。 如果以前没问题,但是最近的LetsEncrypt更改使它成为必需。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.