【发布时间】:2016-07-08 14:00:35
【问题描述】:
我正在开发与安装了 GoDaddy 证书的 HTTPS 服务器通信的 iOS 应用程序(https://www.godaddy.com/web-security/ssl-certificate - 第一个选项)。
这是错误日志
CFNetwork SSLHandshake failed (-9801)
2016-03-21 16:58:37.853 [2451:2129735] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)
Optional(Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9801, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x13f5cb700 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFNetworkCFStreamSSLErrorOriginalValue=-9801, kCFStreamErrorDomainKey=3, kCFStreamErrorCodeKey=-9801}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://******.com:9001/api/terms/, NSErrorFailingURLStringKey=https://******.com:9001/api/terms/, kCFStreamErrorDomainKey=3})
Server error
2016-03-21 16:58:37.927 [2451:2129735] CFNetwork SSLHandshake failed (-9801)
2016-03-21 16:58:37.928 [2451:2129735] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)
我使用 ssllabs 测试证书,结果如下:
Signature algorithm: SHA256withRSA
Key: RSA 2048 bits (e 65537)
Issuer: Go Daddy Secure Certificate Authority - G2
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 INSECURE Yes
SSL 2 No
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) DH 2048 bits FS 112
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH secp256r1 (eq. 3072 bits RSA) FS 112
TLS_RSA_WITH_RC4_128_SHA (0x5) INSECURE 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 2048 bits FS 128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) 128
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45) DH 2048 bits FS 128
TLS_RSA_WITH_SEED_CBC_SHA (0x96) 128
TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x9a) DH 2048 bits FS 128
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) ECDH secp256r1 (eq. 3072 bits RSA) FS INSECURE 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 2048 bits FS 128
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) 128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 2048 bits FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 2048 bits FS 256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) 256
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88) DH 2048 bits FS 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS 256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 2048 bits FS 256
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) 256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 2048 bits FS 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp256r1 (eq. 3072 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp256r1 (eq. 3072 bits RSA) FS 256
这是专门针对 iOS9 握手的:
Protocol Details
Server Name Indication (SNI) Yes
Secure Renegotiation Yes
TLS compression No
Session tickets No
OCSP stapling Yes
Signature algorithms SHA384/RSA, SHA256/RSA, SHA1/RSA, SHA384/ECDSA, SHA256/ECDSA, SHA1/ECDSA
Elliptic curves secp256r1, secp384r1, secp521r1
Next Protocol Negotiation Yes
Application Layer Protocol Negotiation Yes h2 h2-16 h2-15 h2-14 spdy/3.1 spdy/3 http/1.1
SSL 2 handshake compatibility No
对此有何建议?非常感谢!
【问题讨论】:
-
当您浏览该 URL 时,Google Chrome 是否显示任何证书错误?
-
如我所见,如果我使用 apache 服务器和 php 应用程序在 443 端口上运行它,那么它会显示
The connection uses TLS 1.2.。如果我使用https://github.com/teddziuba/django-sslserver运行(我需要的)Django 应用程序,那么它会显示The connection uses TLS 1.0.。我想这里的主要问题是我在 django 上运行的那个服务器