间歇性 HTTP 加载失败 kCFStreamErrorDomainSSL (-9802)

Question

我在尝试从 twitter 加载图像文件时间歇性发生此错误，其 URL 如下：https://pbs.twimg.com/media/Ck-9Oc6XIAAIb8B.jpg

针对 ios8 并在两个 ios9 设备和模拟器上失败，间歇性地，通常至少有 20% 的时间。

我有一个带有重新加载按钮的测试应用程序，允许重试。如果第一次有效，则每次后续重新加载似乎都有效（也许是缓存？）。如果第一次失败，最终会在重试几次（比如 5-10 次）后成功加载。

Twitter 肯定有适当的 SSL 设置。怎么回事？

理想情况下，我不想完全禁用 ALS，甚至只是为了这个域。

import UIKit

class ViewController: UIViewController {

    @IBOutlet weak var myImageView: UIImageView!

    @IBAction func didPressReload(sender: AnyObject) {

        loadImage()
    }

    func loadImage() {
        myImageView.imageFromUrl("https://pbs.twimg.com/media/Ck-9Oc6XIAAIb8B.jpg")
    }
}

extension UIImageView {
    public func imageFromUrl(urlString: String) {
        if let url = NSURL(string: urlString) {
            let request = NSURLRequest(URL: url)
            NSURLConnection.sendAsynchronousRequest(request, queue: NSOperationQueue.mainQueue()) {

                (response: NSURLResponse?, data: NSData?, error: NSError?) in

                if (error != nil) {
                    NSLog("Failed to load URL \(response?.URL?.absoluteString): \(error)")

                }

                if let imageData = data as NSData? {
                    self.image = UIImage(data: imageData)
                }
            }
        }
    }
}

失败时的错误详情：

2016-06-18 18:17:19.975 TestSSL[1027:420188] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
2016-06-18 18:17:20.011 TestSSL[1027:420137] Failed to load URL nil: Optional(Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSUnderlyingError=0x14597da0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamPropertySSLClientCertificateState=0, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x146977b0>, _kCFStreamErrorDomainKey=3, kCFStreamPropertySSLPeerCertificates=<CFArray 0x14595f90 [0x3b0ca840]>{type = immutable, count = 4, values = (
    0 : <cert(0x14696590) s: *.twimg.com i: DigiCert High Assurance CA-3>
    1 : <cert(0x14696a90) s: DigiCert High Assurance CA-3 i: DigiCert High Assurance EV Root CA>
    2 : <cert(0x14696eb0) s: DigiCert High Assurance EV Root CA i: Baltimore CyberTrust Root>
    3 : <cert(0x146971e0) s: Baltimore CyberTrust Root i: Baltimore CyberTrust Root>
)}, NSErrorFailingURLStringKey=https://pbs.twimg.com/media/Ck-9Oc6XIAAIb8B.jpg, NSErrorFailingURLKey=https://pbs.twimg.com/media/Ck-9Oc6XIAAIb8B.jpg}}, _kCFStreamErrorCodeKey=-9802, NSErrorFailingURLStringKey=https://pbs.twimg.com/media/Ck-9Oc6XIAAIb8B.jpg, NSErrorPeerCertificateChainKey=<CFArray 0x14595f90 [0x3b0ca840]>{type = immutable, count = 4, values = (
    0 : <cert(0x14696590) s: *.twimg.com i: DigiCert High Assurance CA-3>
    1 : <cert(0x14696a90) s: DigiCert High Assurance CA-3 i: DigiCert High Assurance EV Root CA>
    2 : <cert(0x14696eb0) s: DigiCert High Assurance EV Root CA i: Baltimore CyberTrust Root>
    3 : <cert(0x146971e0) s: Baltimore CyberTrust Root i: Baltimore CyberTrust Root>
)}, NSErrorClientCertificateStateKey=0, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x146977b0>, NSErrorFailingURLKey=https://pbs.twimg.com/media/Ck-9Oc6XIAAIb8B.jpg})

Answer 1

我的错误是假设“Twitter 肯定有适当的 SSL 设置”。我通过在 Chrome 中反复重新加载发现，有时只提供了一个 SHA-1 证书。

也许 twitter 试图支持旧版客户端的事实与此有关：

我们正在尽自己的一份力量在我们的 Twitter 端点，并使用证书切换仅服务 SHA-1 如果我们检测到不支持 SHA-256 的旧客户端，则证书。

来自https://blog.twitter.com/2015/sunsetting-sha-1

似乎 twitter 有时会变得混乱。所以我唯一的选择似乎是允许我的应用使用 ALS 例外。

我希望我自己回答的问题对其他人有用。