NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL solution



Add the following:

@implementation NSURLRequest(DataController)
// Overrides a private NSURLRequest class method: returning YES makes
// NSURLConnection accept any HTTPS certificate for every host,
// i.e. server certificate validation is switched off.
+ (BOOL)allowsAnyHTTPSCertificateForHost:(NSString *)host {
    return YES;
}
@end

This problem will be solved together with the following problem in AppDelegate:

nw_coretls_callback_handshake_message_block_invoke_3 tls_handshake_continue: [-9807]

When using third-party login and sharing functions, pay attention to the implementation of the following three methods. If they are not implemented, there may be problems:

- (BOOL)application:(UIApplication *)app openURL:(NSURL *)url options:(NSDictionary<NSString *,id> *)options
- (BOOL)application:(UIApplication *)application openURL:(NSURL *)url sourceApplication:(NSString *)sourceApplication annotation:(id)annotation
- (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url




http://www.cnblogs.com/fishbay/p/7216142.html

Problem description
When developing the app, I ran into a problem when sending HTTPS requests on iOS 9; the following error was reported:

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)
As we know, after iOS 9 all network requests use HTTPS by default. If you send an HTTP request, the following error is reported, but HTTP requests can be allowed by setting NSAppTransportSecurity - NSAllowsArbitraryLoads to YES in info.plist:

App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.
info.plist



This solves the HTTP request problem, but when I send an HTTPS request, the HTTP load failed problem still occurs. Although the above method can also be used, it is not a fundamental solution.

Solution
After analysis, it was suspected to be a TLS problem, because iOS 9 requires TLS 1.2 to encrypt data by default. If the server does not support TLS 1.2, URLSession:task:didCompleteWithError: will return nil error. The back-end development colleagues said that the server supports TLS 1.0, TLS 1.1 and TLS 1.2, so it did not seem to be a TLS problem. So I tested the test server with nscurl, and it really did not support TLS 1.2; the problem was found.

# Add --verbose to display detailed debugging information
/usr/bin/nscurl --ats-diagnostics --verbose https://testresource.chaoaicai.com
It can be seen from the output that the server only supports TLS 1.0. After the back-end development colleagues tested and modified the server, testing again showed that the server supports TLS 1.2, and HTTPS network requests also work normally.



ATS exception configuration
In fact, when the server does not support TLS 1.2 and the client sends HTTPS requests, there is another solution: configure an ATS exception and set the minimum TLS version, as shown in the following info.plist:

<key>NSAppTransportSecurity</key>
<dict>
  <key>NSExceptionDomains</key>
  <dict>
    <!--your https domain name-->
    <key>testresource.chaoaicai.com</key>
    <dict>
      <!--Allow subdomains-->
      <key>NSIncludesSubdomains</key>
      <true/>
      <!--Minimum TLS version allowed-->
      <key>NSExceptionMinimumTLSVersion</key>
      <string>TLSv1.0</string>
    </dict>
  </dict>
</dict>

The specific setting items of NSExceptionDomains are described as follows; you can learn more about the exception configuration of ATS:

NSRequiresCertificateTransparency: whether valid signed Certificate Transparency timestamps are required, YES (required), the default is NO
NSExceptionRequiresForwardSecrecy: whether forward secrecy is required, NO (ciphers that do not support PFS, perfect forward secrecy, are allowed), the default is YES
NSExceptionMinimumTLSVersion: the minimum TLS version
NSExceptionAllowsInsecureHTTPLoads: whether to allow HTTP requests, YES (allow), the default is NO
NSIncludesSubdomains: whether to apply to subdomains, the default is NO






This article only briefly introduces how to configure ATS and solve the problem that https cannot be accessed because the server does not support TLS1.2. To understand the specific workflow of https and TLS, please refer to related materials.
