iOS 13 TLS 问题
iOS 13 TLS issue
我已经安装了 iOS 13 beta 版和 运行 我的框架,其中包含很多网络请求,但是我得到了这个错误:
2019-09-19 15:01:33.566811+0200 ---[395:25439] Connection 4: default TLS Trust evaluation failed(-9814)
2019-09-19 15:01:33.567022+0200 ---[395:25439] Connection 4: TLS Trust encountered error 3:-9814
2019-09-19 15:01:33.567110+0200 ---[395:25439] Connection 4: encountered error(3:-9814)
2019-09-19 15:01:33.569824+0200 ---[395:25439] Connection 4: unable to determine interface type without an established connection
2019-09-19 15:01:33.584952+0200 ---[395:25439] Task <D97FD611-0B48-4DCE-99C9-6A971E5E6524>.<4> HTTP load failed, 0/0 bytes (error code: -1202 [3:-9814])
我试图找出导致该问题的原因,但没有成功。谁能帮帮我?
Apple 已为 TLS 服务器证书定义 stricter rules,从 iOS 13 和 macOS 10.15 开始。
All TLS server certificates must comply with these new security requirements in iOS 13 and macOS 10.15:
TLS server certificates and issuing CAs using RSA keys must use key sizes greater than or equal to 2048 bits. Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS.
TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm. SHA-1 signed certificates are no longer trusted for TLS.
TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of a certificate are no longer trusted.
Additionally, all TLS server certificates issued after July 1, 2019 (as indicated in the NotBefore field of the certificate) must follow these guidelines:
TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID.
TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).
最后的注释:
Connections to TLS servers violating these new requirements will fail and may cause network failures, apps to fail, and websites to not load in Safari in iOS 13 and macOS 10.15.
我要添加一些额外的信息。要检查您的证书是否有效,您可以在钥匙串访问中打开它并检查它是否包含正确的信息:
- 还有不到 825 天就过期了;
- 签名算法不是 SHA-1(可能是 SHA-256);
- Public 密钥大小不小于 2048 位;
- 存在具有 "Server Authentication" 目的的扩展密钥使用扩展;
- 有包含服务器 DNS 的主题备用名称扩展。
OpenSSL 的配置示例:
[ ca ]
default_ca = CA_default
[ CA_default ]
default_md = sha256
default_days = 825
[ req ]
prompt = no
default_bits = 4096
distinguished_name = req_distinguished_name
x509_extensions = req_ext
[ req_distinguished_name ]
countryName = ...
stateOrProvinceName = ...
localityName = ...
organizationName = ...
commonName = google.com
[ req_ext ]
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = google.com
DNS.2 = www.google.com
要生成新的密钥证书对 运行 此命令:
openssl req -newkey rsa:4096 -nodes -keyout key.pem -x509 -out certificate.crt -days 825 -config config.cnf
我已经安装了 iOS 13 beta 版和 运行 我的框架,其中包含很多网络请求,但是我得到了这个错误:
2019-09-19 15:01:33.566811+0200 ---[395:25439] Connection 4: default TLS Trust evaluation failed(-9814)
2019-09-19 15:01:33.567022+0200 ---[395:25439] Connection 4: TLS Trust encountered error 3:-9814
2019-09-19 15:01:33.567110+0200 ---[395:25439] Connection 4: encountered error(3:-9814)
2019-09-19 15:01:33.569824+0200 ---[395:25439] Connection 4: unable to determine interface type without an established connection
2019-09-19 15:01:33.584952+0200 ---[395:25439] Task <D97FD611-0B48-4DCE-99C9-6A971E5E6524>.<4> HTTP load failed, 0/0 bytes (error code: -1202 [3:-9814])
我试图找出导致该问题的原因,但没有成功。谁能帮帮我?
Apple 已为 TLS 服务器证书定义 stricter rules,从 iOS 13 和 macOS 10.15 开始。
All TLS server certificates must comply with these new security requirements in iOS 13 and macOS 10.15:
TLS server certificates and issuing CAs using RSA keys must use key sizes greater than or equal to 2048 bits. Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS.
TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm. SHA-1 signed certificates are no longer trusted for TLS.
TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of a certificate are no longer trusted.
Additionally, all TLS server certificates issued after July 1, 2019 (as indicated in the NotBefore field of the certificate) must follow these guidelines:
TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID.
TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).
最后的注释:
Connections to TLS servers violating these new requirements will fail and may cause network failures, apps to fail, and websites to not load in Safari in iOS 13 and macOS 10.15.
我要添加一些额外的信息。要检查您的证书是否有效,您可以在钥匙串访问中打开它并检查它是否包含正确的信息:
- 还有不到 825 天就过期了;
- 签名算法不是 SHA-1(可能是 SHA-256);
- Public 密钥大小不小于 2048 位;
- 存在具有 "Server Authentication" 目的的扩展密钥使用扩展;
- 有包含服务器 DNS 的主题备用名称扩展。
OpenSSL 的配置示例:
[ ca ]
default_ca = CA_default
[ CA_default ]
default_md = sha256
default_days = 825
[ req ]
prompt = no
default_bits = 4096
distinguished_name = req_distinguished_name
x509_extensions = req_ext
[ req_distinguished_name ]
countryName = ...
stateOrProvinceName = ...
localityName = ...
organizationName = ...
commonName = google.com
[ req_ext ]
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = google.com
DNS.2 = www.google.com
要生成新的密钥证书对 运行 此命令:
openssl req -newkey rsa:4096 -nodes -keyout key.pem -x509 -out certificate.crt -days 825 -config config.cnf