我正在尝试打开到安全服务器的输入/输出流,但不断得到 CFNetwork SSLHandshake失败(-9806(
我已经为异常域等设置了 plist 值
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>someserver.com</key>
<dict>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSThirdPartyExceptionMinimumTLSVersion</key>
<string>TLSv1.0</string>
<key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
<false/>
<key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
<true/>
</dict>
</dict>
</dict>
我也在 plist 中尝试过这个:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
这是我的代码:
-(void)startStream{
NSString *urlStr = @"https://stream.someserver.com";
NSURL *website = [NSURL URLWithString:urlStr];
CFReadStreamRef readStream;
CFWriteStreamRef writeStream;
CFStreamCreatePairWithSocketToHost(NULL, (CFStringRef)CFBridgingRetain([website host]), 443, &readStream, &writeStream);
NSInputStream *inputStream = (__bridge_transfer NSInputStream *)readStream;
NSOutputStream *outputStream = (__bridge_transfer NSOutputStream *)writeStream;
[inputStream setDelegate:self];
[outputStream setDelegate:self];
[inputStream scheduleInRunLoop:[NSRunLoop currentRunLoop] forMode:NSDefaultRunLoopMode];
[outputStream scheduleInRunLoop:[NSRunLoop currentRunLoop] forMode:NSDefaultRunLoopMode];
NSMutableDictionary *settings = [NSMutableDictionary dictionaryWithCapacity:1];
[settings setObject:(NSString *)NSStreamSocketSecurityLevelTLSv1 forKey:(NSString *)kCFStreamSSLLevel];
[settings setObject:[NSNumber numberWithBool:YES] forKey:(NSString *)kCFStreamSSLValidatesCertificateChain];
[settings setObject:@"stream.someserver.com" forKey:(NSString *)kCFStreamSSLPeerName];
CFWriteStreamSetProperty((CFWriteStreamRef)outputStream, kCFStreamPropertySSLSettings, (CFTypeRef)settings);
CFReadStreamSetProperty((CFReadStreamRef)inputStream, kCFStreamPropertySSLSettings, (CFTypeRef)settings);
[inputStream open];
[outputStream open];
}
在流打开后,在抛出 CFNetwork SSLHandshake 失败 (-9806( 错误之前,会有大约 5 秒的延迟。
注意:安全服务器不是我的,我无法更改那里的任何设置。它是一个经过测试和建立的服务器,有许多用户流式传输
我不确定哪个阶段在 ssl 连接握手中失败,但您可以尝试将设置字典更改为如下所示:
NSDictionary *settings = [[NSDictionary alloc] initWithObjectsAndKeys:
[NSNumber numberWithBool:YES], kCFStreamSSLAllowsExpiredCertificates,
[NSNumber numberWithBool:YES], kCFStreamSSLAllowsAnyRoot,
[NSNumber numberWithBool:YES], kCFStreamSSLAllowsExpiredRoots,
[NSNumber numberWithBool:NO], kCFStreamSSLValidatesCertificateChain,
//kCFNull,kCFStreamSSLPeerName,
kCFStreamSocketSecurityLevelSSLv3, kCFStreamSSLLevel,
[NSNumber numberWithBool:YES], kCFStreamPropertyShouldCloseNativeSocket,
nil];
然后,如果成功,请删除上面定义的每个"安全漏洞"。
查看Apple文档,您似乎使用了错误的键。
例如
-
NSThirdPartyExceptionMinimumTLSVersion
必须NSExceptionMinimumTLSVersion
-
NSTemporaryExceptionAllowsInsecureHTTPLoads
必须NSExceptionAllowsInsecureHTTPLoads
- 和ECC...
在 SSL 设置中,将kCFStreamSSLValidatesCertificateChain
设置为 @NO
以完全禁用服务器信任评估。
在委托实现中,首次获取NSStreamEventHasSpaceAvailable
或NSStreamEventHasBytesAvailable
状态时,从流中检索 kCFStreamPropertySSLPeerTrust
属性。
您应该返回一个SecTrustRef
,您可以评估并获取有关以下内容的信息:
SecTrustRef trust = (SecTrustRef)[stream propertyForKey:kCFStreamPropertySSLPeerTrust];
SecTrustResultType trustResult;
OSStatus status = SecTrustEvaluate(trust, &trustResult);
if (status != errSecSuccess) {
NSLog(@"failed to evaluate");
} else {
OSStatus trustResultCode = SecTrustGetTrustResult(trust, &trustResult);
}
最后的trustResultCode
应该给出信任评估失败的具体原因。根据具体原因,您可以修改SecTrustRef
或创建一个全新的以获得成功的评估。
Apple Tech Note HTTPS Server Trust Evaluation非常翔实。