{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 Viruses. 的问题《Host supports TLS 1.2, AFNetworking handshake fail》','https://www.manongdao.com/q-726050.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I am trying to post to a server that supports TLS 1.2 -- at least when I perform a GET in a browser I can verify that the communication uses TLS 1.2 and that the cert is validated by a cert authority. However, when I try to POST in my code to that server using AFNetworking iOS 9.0 (13A4305g) / Xcode 7-beta4 I'm getting a handshake failure.
AFHTTPRequestOperationManager *manager = [AFHTTPRequestOperationManager manager];
manager.requestSerializer = [AFHTTPRequestSerializer serializerWithContentType:@"application/x-www-form-urlencoded"];
manager.responseSerializer = [AFJSONResponseSerializer serializer];
[manager POST:requestString parameters:@{ @"apiKey" : MY_API_KEY,
@"payload" : [MyParams paramsForPOSTAsJSON] }
success:^(AFHTTPRequestOperation *operation, NSDictionary *responseDict) {
...
} failure:^(AFHTTPRequestOperation *operation, NSError *error) {
myLog(@"Communication failed: %@", error);
}];
The failure:
2015-08-06 15:01:08.398 MyApp[1795:394055] CFNetwork SSLHandshake failed (-9824)
2015-08-06 15:01:08.409 MyApp[1795:394055] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
2015-08-06 15:01:08.412 MyApp[1795:393999] MyClass sendDataToServer Communication failed: Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." ...
Am I missing something? How can I dig deeper? Suppose it is a problem with the server and not the code - how could I snoop that?
Steffen led me to the answer, and it was indeed that I needed the appropriate ciphers. An easy way to look at the supported ciphers on a port is the cipherscan tool. The ciphers supported for App Transport Security can be found here. Once I was able to test on a fully configured website, I did not need any kind of whitelisting. For TLS sites without the ciphers, I can set
NSThirdPartyExceptionRequiresForwardSecrecyto false.UPDATE
If you take beta 3 or above of OS X El Capitan, you can use the following command:
This will tell you what entries you would need to add to your whitelist in order to make the connection succeed. This is a great help in demystifying SSL failures of type
CFNetwork SSLHandshake failed (-9801).