Intermittent HTTP load failed kCFStreamErrorDomainSSL (-9802)
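I am intermittently getting this error when trying to load image files from Twitter, with URLs like this: https://pbs.twimg.com/media/Ck-9Oc6XIAAIb8B.jpg
Targeting iOS 8, it fails intermittently on two iOS 9 devices and in the simulator, typically at least 20% of the time.
I have a test app with a reload button to retry. If it works the first time, every subsequent reload seems to work (caching, perhaps?). If it fails the first time, it eventually loads successfully after several retries (say 5-10).
Surely Twitter has an appropriate SSL setup. What's going on?
Ideally, I don't want to disable ATS entirely, or even for just this domain.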

    import UIKit

    class ViewController: UIViewController {
        @IBOutlet weak var myImageView: UIImageView!

        // Retry the load each time the reload button is pressed.
        @IBAction func didPressReload(sender: AnyObject) {
            loadImage()
        }

        func loadImage() {
            myImageView.imageFromUrl("https://pbs.twimg.com/media/Ck-9Oc6XIAAIb8B.jpg")
        }
    }

    extension UIImageView {
        // Load an image asynchronously and display it in this view.
        public func imageFromUrl(urlString: String) {
            if let url = NSURL(string: urlString) {
                let request = NSURLRequest(URL: url)
                NSURLConnection.sendAsynchronousRequest(request, queue: NSOperationQueue.mainQueue()) {
                    (response: NSURLResponse?, data: NSData?, error: NSError?) in
                    if error != nil {
                        // Pass the message as an argument so that "%" in a URL
                        // is not interpreted as a format specifier.
                        NSLog("%@", "Failed to load URL \(response?.URL?.absoluteString): \(error)")
                    }
                    if let imageData = data {
                        self.image = UIImage(data: imageData)
                    }
                }
            }
        }
    }

Error details on failure:
2016-06-18 18:17:19.975 TestSSL[1027:420188] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
2016-06-18 18:17:20.011 TestSSL[1027:420137] Failed to load URL nil: Optional(Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSUnderlyingError=0x14597da0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamPropertySSLClientCertificateState=0, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x146977b0>, _kCFStreamErrorDomainKey=3, kCFStreamPropertySSLPeerCertificates=<CFArray 0x14595f90 [0x3b0ca840]>{type = immutable, count = 4, values = (
0 : <cert(0x14696590) s: *.twimg.com i: DigiCert High Assurance CA-3>
1 : <cert(0x14696a90) s: DigiCert High Assurance CA-3 i: DigiCert High Assurance EV Root CA>
2 : <cert(0x14696eb0) s: DigiCert High Assurance EV Root CA i: Baltimore CyberTrust Root>
3 : <cert(0x146971e0) s: Baltimore CyberTrust Root i: Baltimore CyberTrust Root>
)}, NSErrorFailingURLStringKey=https://pbs.twimg.com/media/Ck-9Oc6XIAAIb8B.jpg, NSErrorFailingURLKey=https://pbs.twimg.com/media/Ck-9Oc6XIAAIb8B.jpg}}, _kCFStreamErrorCodeKey=-9802, NSErrorFailingURLStringKey=https://pbs.twimg.com/media/Ck-9Oc6XIAAIb8B.jpg, NSErrorPeerCertificateChainKey=<CFArray 0x14595f90 [0x3b0ca840]>{type = immutable, count = 4, values = (
0 : <cert(0x14696590) s: *.twimg.com i: DigiCert High Assurance CA-3>
1 : <cert(0x14696a90) s: DigiCert High Assurance CA-3 i: DigiCert High Assurance EV Root CA>
2 : <cert(0x14696eb0) s: DigiCert High Assurance EV Root CA i: Baltimore CyberTrust Root>
3 : <cert(0x146971e0) s: Baltimore CyberTrust Root i: Baltimore CyberTrust Root>
)}, NSErrorClientCertificateStateKey=0, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x146977b0>, NSErrorFailingURLKey=https://pbs.twimg.com/media/Ck-9Oc6XIAAIb8B.jpg})
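My mistaken assumption was "surely twitter has appropriate SSL setup". By reloading repeatedly in Chrome, I found that sometimes only a SHA-1 certificate is served.
Perhaps the fact that Twitter is trying to support older clients has something to do with it: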
We’re doing our part by implementing SHA-256 certificates on our
Twitter endpoints, and using cert switching to only serve SHA-1
certificates if we detect older clients without SHA-256 support.
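From https://blog.twitter.com/2015/sunsetting-sha-1
It seems Twitter sometimes gets confused. So my only option appears to be to allow an ATS exception for my app.
I hope my self-answered question is useful to others.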
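
The intermittent SHA-1 serving described in the answer can be confirmed outside a browser by repeating the TLS handshake and tallying the leaf certificate's signature algorithm. This is an added example, not part of the original post: the function names and the sample certificate text are constructed, and the "weak" bucket assumes ATS's default requirement of a SHA-256-or-stronger certificate signature.

```shell
#!/bin/sh
# Added example; all function names here are hypothetical.

# Read `openssl x509 -noout -text` output on stdin and print the first
# "Signature Algorithm" value.
sig_alg() {
    awk -F': *' '/Signature Algorithm:/ { print $2; exit }'
}

# Succeed if the algorithm uses a SHA-256-or-stronger digest
# (assumed ATS default requirement); SHA-1 and MD5 fail.
ats_digest_ok() {
    case "$1" in
        sha256*|sha384*|sha512*) return 0 ;;
        ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512) return 0 ;;
        *) return 1 ;;
    esac
}

# Read one algorithm name per line on stdin, print "ok=N weak=M".
tally() {
    local ok=0 weak=0 alg
    while IFS= read -r alg; do
        [ -n "$alg" ] || continue
        if ats_digest_ok "$alg"; then ok=$((ok + 1)); else weak=$((weak + 1)); fi
    done
    echo "ok=$ok weak=$weak"
}

# Live check (needs network): probe pbs.twimg.com 20
probe() {
    local host=$1 n=${2:-20} i=0
    while [ "$i" -lt "$n" ]; do
        openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
            | openssl x509 -noout -text 2>/dev/null | sig_alg
        i=$((i + 1))
    done | tally
}

# Constructed samples in the layout of `openssl x509 -text` output.
SAMPLE_SHA1='Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Constructed Example CA'
SAMPLE_SHA256='Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Constructed Example CA'
```

A non-zero `weak` count alongside a non-zero `ok` count for the same host matches the behaviour reported above: the same endpoint answers with different certificates from one connection to the next.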