{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 时光不老,我们不散 的问题《“CFNetwork SSLHandshake failed (-9807)” with local》','https://www.manongdao.com/q-435742.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I'm trying to use SSL TCP connection between openssl on OS X and iOS(8.1 version). Exception Domains has 192.168.0.104.
Swift iOS code:
class SSLSocketLite {
// The input stream.
private var inStream: NSInputStream?
// The output stream.
private var outStream: NSOutputStream?
// The host to connect to.
private var host: String
// The port to connect on.
private var port: Int
init(inHost:String, inPort:Int) {
host = inHost
port = inPort
NSStream.getStreamsToHostWithName(host, port: port, inputStream: &inStream, outputStream: &outStream)
}
func Open() {
inStream?.open()
outStream?.open()
inStream?.setProperty(NSStreamSocketSecurityLevelTLSv1, forKey: NSStreamSocketSecurityLevelKey)
outStream?.setProperty(NSStreamSocketSecurityLevelTLSv1, forKey: NSStreamSocketSecurityLevelKey)
inStream?.scheduleInRunLoop(.mainRunLoop(), forMode: NSDefaultRunLoopMode)
outStream?.scheduleInRunLoop(.mainRunLoop(), forMode: NSDefaultRunLoopMode)
}
func Read() -> String! {
var buffer = Array<UInt8>(count:1024, repeatedValue: 0)
if inStream!.hasBytesAvailable {
inStream!.read(&buffer, maxLength: 1024)
let responseString = NSString(bytes: buffer, length: buffer.count, encoding: NSUTF8StringEncoding) as! String
return responseString
}
return nil
}
func Write(msg:String) {
let data:NSData = msg.dataUsingEncoding(NSUTF8StringEncoding, allowLossyConversion: false)!
outStream!.write(UnsafePointer(data.bytes), maxLength: data.length)
}
func Close() {
inStream?.close()
outStream?.close()
}
}
class ViewController: UIViewController {
override func viewDidLoad() {
super.viewDidLoad()
let sslsock = SSLSocketLite(inHost: "192.168.0.104", inPort: 1678)
sslsock.Open()
}
override func didReceiveMemoryWarning() {
super.didReceiveMemoryWarning()
// Dispose of any resources that can be recreated.
}
}
On the OS X side I created certificate and key using:
openssl req -x509 -newkey rsa:1024 -keyout key.key -out key.crt -days 365 -nodes
and launched TCP SSL server using:
openssl s_server -key key.key -cert key.crt -accept 1678
After that I got CFNetwork SSLHandshake failed (-9807) on the iOS side and bad gethostbyaddr on the OS X side. How can I solve this issue?
UPD:
1.touch openssl-ca.cnf
2.Copy-pasted in openssl-ca.cnf. One line changed:
commonName_default = localhost
3.openssl req -x509 -config openssl-ca.cnf -newkey rsa:4096 -sha256 -nodes -out cacert.pem -outform PEM
4.touch openssl-server.cnf
5.Copy-pasted in openssl-server.cnf. Two lines changed:
commonName_default = localhost
DNS.1 = localhost
6.openssl req -config openssl-server.cnf -newkey rsa:2048 -sha256 -nodes -out servercert.csr -outform PEM
7.Added 2 +1 sections in openssl-ca.cnf:
[ CA_default ]
...
base_dir = .
certificate = $base_dir/cacert.pem # The CA certifcate
private_key = $base_dir/cakey.pem # The CA private key
new_certs_dir = $base_dir # Location for new certs after signing
database = $base_dir/index.txt # Database index file
serial = $base_dir/serial.txt # The current serial number
unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
...
####################################################################
[ signing_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ signing_req ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
8.touch index.txt
9.echo '01' > serial.txt
10.openssl ca -config openssl-ca.cnf -policy signing_policy -extensions signing_req -out servercert.pem -infiles servercert.csr
11.openssl x509 -in servercert.pem -inform PEM -out servercert.der -outform DER
12.Added servercert.der in iOS project
13.let sslsock = SSLSocketLite(inHost: "localhost", inPort: 1678)
14.Exception Domains -> +localhost
15.openssl s_server -key serverkey.pem -cert servercert.pem -accept 1678
Final version of openssl-ca.cnf:
HOME = .
RANDFILE = $ENV::HOME/.rnd
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
default_days = 1000 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # use public key default MD
preserve = no # keep passed DN ordering
x509_extensions = ca_extensions # The extensions to add to the cert
email_in_dn = no # Don't concat the email in the DN
copy_extensions = copy # Required to copy SANs from CSR to cert
base_dir = .
certificate = $base_dir/cacert.pem # The CA certifcate
private_key = $base_dir/cakey.pem # The CA private key
new_certs_dir = $base_dir # Location for new certs after signing
database = $base_dir/index.txt # Database index file
serial = $base_dir/serial.txt # The current serial number
unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
####################################################################
[ req ]
default_bits = 4096
default_keyfile = cakey.pem
distinguished_name = ca_distinguished_name
x509_extensions = ca_extensions
string_mask = utf8only
####################################################################
[ ca_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Maryland
localityName = Locality Name (eg, city)
localityName_default = Baltimore
organizationName = Organization Name (eg, company)
organizationName_default = Test CA, Limited
organizationalUnitName = Organizational Unit (eg, division)
organizationalUnitName_default = Server Research Department
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = localhost
emailAddress = Email Address
emailAddress_default = test@example.com
####################################################################
[ ca_extensions ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always, issuer
basicConstraints = critical, CA:true
keyUsage = keyCertSign, cRLSign
####################################################################
[ signing_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ signing_req ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
Final version of openssl-server.cnf:
HOME = .
RANDFILE = $ENV::HOME/.rnd
####################################################################
[ req ]
default_bits = 2048
default_keyfile = serverkey.pem
distinguished_name = server_distinguished_name
req_extensions = server_req_extensions
string_mask = utf8only
####################################################################
[ server_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = MD
localityName = Locality Name (eg, city)
localityName_default = Baltimore
organizationName = Organization Name (eg, company)
organizationName_default = Test CA, Limited
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = localhost
emailAddress = Email Address
emailAddress_default = test@example.com
####################################################################
[ server_req_extensions ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"
####################################################################
[ alternate_names ]
DNS.1 = localhost
iOS output:
SwiftPlayground[917:31077] CFNetwork SSLHandshake failed (-9807)
OpenSSL s_server output(nothing happened):
Using default temp DH parameters Using default temp ECDH parameters ACCEPT