3

我正在尝试打开安全服务器的输入/输出流,但不断收到 CFNetwork SSLHandshake failed (-9806)

我已经为异常域等设置了 plist 值 

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>someserver.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSThirdPartyExceptionMinimumTLSVersion</key>
            <string>TLSv1.0</string>
            <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
            <false/>
            <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>

我也在 plist 中试过这个:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

这是我的代码:

-(void)startStream{


NSString *urlStr = @"https://stream.someserver.com";
NSURL *website = [NSURL URLWithString:urlStr];


CFReadStreamRef readStream;
CFWriteStreamRef writeStream;
CFStreamCreatePairWithSocketToHost(NULL, (CFStringRef)CFBridgingRetain([website host]), 443, &readStream, &writeStream);

NSInputStream *inputStream = (__bridge_transfer NSInputStream *)readStream;
NSOutputStream *outputStream = (__bridge_transfer NSOutputStream *)writeStream;


[inputStream setDelegate:self];
[outputStream setDelegate:self];

[inputStream scheduleInRunLoop:[NSRunLoop currentRunLoop] forMode:NSDefaultRunLoopMode];
[outputStream scheduleInRunLoop:[NSRunLoop currentRunLoop] forMode:NSDefaultRunLoopMode];


NSMutableDictionary *settings = [NSMutableDictionary dictionaryWithCapacity:1];
[settings setObject:(NSString *)NSStreamSocketSecurityLevelTLSv1 forKey:(NSString *)kCFStreamSSLLevel];
[settings setObject:[NSNumber numberWithBool:YES] forKey:(NSString *)kCFStreamSSLValidatesCertificateChain];
[settings setObject:@"stream.someserver.com" forKey:(NSString *)kCFStreamSSLPeerName];

CFWriteStreamSetProperty((CFWriteStreamRef)outputStream, kCFStreamPropertySSLSettings, (CFTypeRef)settings);
CFReadStreamSetProperty((CFReadStreamRef)inputStream, kCFStreamPropertySSLSettings, (CFTypeRef)settings);


[inputStream open];
[outputStream open];

}

在引发CFNetwork SSLHandshake failed (-9806)错误之前,流打开后有大约 5 秒的延迟。

注意:安全服务器不是我的,我不能在那里更改任何设置。它是一个经过测试和建立的服务器,有许多用户在流式传输

4

3 回答 3

1

我不确定 ssl 连接握手中哪个阶段失败,但您可以尝试将设置字典更改为如下内容:

 NSDictionary *settings = [[NSDictionary alloc] initWithObjectsAndKeys:
                          [NSNumber numberWithBool:YES], kCFStreamSSLAllowsExpiredCertificates,
                          [NSNumber numberWithBool:YES], kCFStreamSSLAllowsAnyRoot,
                          [NSNumber numberWithBool:YES], kCFStreamSSLAllowsExpiredRoots,
                          [NSNumber numberWithBool:NO], kCFStreamSSLValidatesCertificateChain,
                          //kCFNull,kCFStreamSSLPeerName,
                          kCFStreamSocketSecurityLevelSSLv3, kCFStreamSSLLevel,
                          [NSNumber numberWithBool:YES], kCFStreamPropertyShouldCloseNativeSocket,
                          nil];

然后,如果成功,则删除上面定义的每个“安全漏洞”。

于 2017-02-05T16:02:40.090 回答
1

查看Apple 文档,您似乎使用了错误的键。

例如

  • NSThirdPartyExceptionMinimumTLSVersion一定是NSExceptionMinimumTLSVersion
  • NSTemporaryExceptionAllowsInsecureHTTPLoads一定是NSExceptionAllowsInsecureHTTPLoads
  • 和...
于 2017-02-20T10:24:24.943 回答
1

在您的 SSL 设置中,设置kCFStreamSSLValidatesCertificateChain@NO完全禁用服务器信任评估。

在您的委托实现中,当您第一次获得NSStreamEventHasSpaceAvailableorNSStreamEventHasBytesAvailable状态时,然后kCFStreamPropertySSLPeerTrust从流中检索属性。

您应该返回 a SecTrustRef,您可以评估并获取以下信息:

SecTrustRef trust = (SecTrustRef)[stream propertyForKey:kCFStreamPropertySSLPeerTrust];
SecTrustResultType trustResult;
OSStatus status = SecTrustEvaluate(trust, &trustResult);
if (status != errSecSuccess) {
    NSLog(@"failed to evaluate");
} else {
    OSStatus trustResultCode = SecTrustGetTrustResult(trust, &trustResult);
}

最后trustResultCode应该给你一个信任评估失败的具体原因。根据具体原因,您可以修改SecTrustRef或创建一个全新的以获得成功的评估。

Apple 技术说明HTTPS 服务器信任评估非常有用。

于 2017-02-21T13:47:06.893 回答