"CFNetwork SSLHandshake failed (-9807)" with a local IP in "Exception Domains"

I am trying to establish an SSL TCP connection between OS X and iOS (version 8.1) using openssl.

Exception Domains: 192.168.0.104

Swift iOS code:

    import UIKit

    class SSLSocketLite {
        // The input stream.
        private var inStream: NSInputStream?
        // The output stream.
        private var outStream: NSOutputStream?
        // The host to connect to.
        private var host: String
        // The port to connect on.
        private var port: Int

        init(inHost: String, inPort: Int) {
            host = inHost
            port = inPort
            NSStream.getStreamsToHostWithName(host, port: port, inputStream: &inStream, outputStream: &outStream)
        }

        func Open() {
            inStream?.open()
            outStream?.open()
            inStream?.setProperty(NSStreamSocketSecurityLevelTLSv1, forKey: NSStreamSocketSecurityLevelKey)
            outStream?.setProperty(NSStreamSocketSecurityLevelTLSv1, forKey: NSStreamSocketSecurityLevelKey)
            inStream?.scheduleInRunLoop(.mainRunLoop(), forMode: NSDefaultRunLoopMode)
            outStream?.scheduleInRunLoop(.mainRunLoop(), forMode: NSDefaultRunLoopMode)
        }

        func Read() -> String! {
            var buffer = Array<UInt8>(count: 1024, repeatedValue: 0)
            if inStream!.hasBytesAvailable {
                // read() returns the number of bytes actually read (or -1 on error);
                // only that many bytes of the buffer hold data.
                let bytesRead = inStream!.read(&buffer, maxLength: 1024)
                if bytesRead <= 0 {
                    return nil
                }
                let responseString = NSString(bytes: buffer, length: bytesRead, encoding: NSUTF8StringEncoding) as! String
                return responseString
            }
            return nil
        }

        func Write(msg: String) {
            let data: NSData = msg.dataUsingEncoding(NSUTF8StringEncoding, allowLossyConversion: false)!
            outStream!.write(UnsafePointer(data.bytes), maxLength: data.length)
        }

        func Close() {
            inStream?.close()
            outStream?.close()
        }
    }

    class ViewController: UIViewController {
        override func viewDidLoad() {
            super.viewDidLoad()
            let sslsock = SSLSocketLite(inHost: "192.168.0.104", inPort: 1678)
            sslsock.Open()
        }

        override func didReceiveMemoryWarning() {
            super.didReceiveMemoryWarning()
            // Dispose of any resources that can be recreated.
        }
    }

On OS X, I create the certificate and key with:

    openssl req -x509 -newkey rsa:1024 -keyout key.key -out key.crt -days 365 -nodes

and start the TCP SSL server with:

    openssl s_server -key key.key -cert key.crt -accept 1678

After that, I get CFNetwork SSLHandshake failed (-9807) on the iOS side and bad gethostbyaddr on the OS X side. How can I fix this?

UPD:

1. touch openssl-ca.cnf

2. Copied this into openssl-ca.cnf. One line changed:

    commonName_default = localhost

3. openssl req -x509 -config openssl-ca.cnf -newkey rsa:4096 -sha256 -nodes -out cacert.pem -outform PEM

4. touch openssl-server.cnf

5. Copied this into openssl-server.cnf. Two lines changed:

    commonName_default = localhost

    DNS.1 = localhost

6. openssl req -config openssl-server.cnf -newkey rsa:2048 -sha256 -nodes -out servercert.csr -outform PEM

7. Added 2 sections to openssl-ca.cnf:

    [ CA_default ]
    ...
    base_dir      = .
    certificate   = $base_dir/cacert.pem   # The CA certificate
    private_key   = $base_dir/cakey.pem    # The CA private key
    new_certs_dir = $base_dir              # Location for new certs after signing
    database      = $base_dir/index.txt    # Database index file
    serial        = $base_dir/serial.txt   # The current serial number

    unique_subject = no  # Set to 'no' to allow creation of
                         # several certificates with same subject.

    ####################################################################
    [ signing_policy ]
    countryName            = optional
    stateOrProvinceName    = optional
    localityName           = optional
    organizationName       = optional
    organizationalUnitName = optional
    commonName             = supplied
    emailAddress           = optional

    ####################################################################
    [ signing_req ]
    subjectKeyIdentifier   = hash
    authorityKeyIdentifier = keyid,issuer
    basicConstraints       = CA:FALSE
    keyUsage               = digitalSignature, keyEncipherment

8. touch index.txt

9. echo '01' > serial.txt

10. openssl ca -config openssl-ca.cnf -policy signing_policy -extensions signing_req -out servercert.pem -infiles servercert.csr

11. openssl x509 -in servercert.pem -inform PEM -out servercert.der -outform DER

12. Added servercert.der to the iOS project

13. let sslsock = SSLSocketLite(inHost: "localhost", inPort: 1678)

14. Domain -> + localhost

15. openssl s_server -key serverkey.pem -cert servercert.pem -accept 1678

Final version of openssl-ca.cnf:

    HOME     = .
    RANDFILE = $ENV::HOME/.rnd

    ####################################################################
    [ ca ]
    default_ca = CA_default            # The default ca section

    [ CA_default ]

    default_days     = 1000            # how long to certify for
    default_crl_days = 30              # how long before next CRL
    default_md       = sha256          # use public key default MD
    preserve         = no              # keep passed DN ordering

    x509_extensions = ca_extensions    # The extensions to add to the cert

    email_in_dn     = no               # Don't concat the email in the DN
    copy_extensions = copy             # Required to copy SANs from CSR to cert

    base_dir      = .
    certificate   = $base_dir/cacert.pem   # The CA certificate
    private_key   = $base_dir/cakey.pem    # The CA private key
    new_certs_dir = $base_dir              # Location for new certs after signing
    database      = $base_dir/index.txt    # Database index file
    serial        = $base_dir/serial.txt   # The current serial number

    unique_subject = no  # Set to 'no' to allow creation of
                         # several certificates with same subject.

    ####################################################################
    [ req ]
    default_bits       = 4096
    default_keyfile    = cakey.pem
    distinguished_name = ca_distinguished_name
    x509_extensions    = ca_extensions
    string_mask        = utf8only

    ####################################################################
    [ ca_distinguished_name ]
    countryName                    = Country Name (2 letter code)
    countryName_default            = US

    stateOrProvinceName            = State or Province Name (full name)
    stateOrProvinceName_default    = Maryland

    localityName                   = Locality Name (eg, city)
    localityName_default           = Baltimore

    organizationName               = Organization Name (eg, company)
    organizationName_default       = Test CA, Limited

    organizationalUnitName         = Organizational Unit (eg, division)
    organizationalUnitName_default = Server Research Department

    commonName                     = Common Name (eg server FQDN or YOUR name)
    commonName_default             = localhost

    emailAddress                   = Email Address
    emailAddress_default           = test@example.com

    ####################################################################
    [ ca_extensions ]
    subjectKeyIdentifier   = hash
    authorityKeyIdentifier = keyid:always, issuer
    basicConstraints       = critical, CA:true
    keyUsage               = keyCertSign, cRLSign

    ####################################################################
    [ signing_policy ]
    countryName            = optional
    stateOrProvinceName    = optional
    localityName           = optional
    organizationName       = optional
    organizationalUnitName = optional
    commonName             = supplied
    emailAddress           = optional

    ####################################################################
    [ signing_req ]
    subjectKeyIdentifier   = hash
    authorityKeyIdentifier = keyid,issuer
    basicConstraints       = CA:FALSE
    keyUsage               = digitalSignature, keyEncipherment

Final version of openssl-server.cnf:

    HOME     = .
    RANDFILE = $ENV::HOME/.rnd

    ####################################################################
    [ req ]
    default_bits       = 2048
    default_keyfile    = serverkey.pem
    distinguished_name = server_distinguished_name
    req_extensions     = server_req_extensions
    string_mask        = utf8only

    ####################################################################
    [ server_distinguished_name ]
    countryName                 = Country Name (2 letter code)
    countryName_default         = US

    stateOrProvinceName         = State or Province Name (full name)
    stateOrProvinceName_default = MD

    localityName                = Locality Name (eg, city)
    localityName_default        = Baltimore

    organizationName            = Organization Name (eg, company)
    organizationName_default    = Test CA, Limited

    commonName                  = Common Name (eg server FQDN or YOUR name)
    commonName_default          = localhost

    emailAddress                = Email Address
    emailAddress_default        = test@example.com

    ####################################################################
    [ server_req_extensions ]
    subjectKeyIdentifier = hash
    basicConstraints     = CA:FALSE
    keyUsage             = digitalSignature, keyEncipherment
    subjectAltName       = @alternate_names
    nsComment            = "OpenSSL Generated Certificate"

    ####################################################################
    [ alternate_names ]
    DNS.1 = localhost

iOS output:

    SwiftPlayground[917:31077] CFNetwork SSLHandshake failed (-9807)

OpenSSL s_server output (nothing happens):

    Using default temp DH parameters
    Using default temp ECDH parameters
    ACCEPT
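The CA-plus-server-certificate procedure from the update above, condensed into one script as an added example that is not part of the original question: it issues a local CA and a server certificate whose name is in the subjectAltName, then runs the two checks a TLS client such as SecureTransport performs before trusting the server, the chain check (-9807 is SecureTransport's errSSLXCertChainInvalid) and the name-against-SAN check. It assumes the openssl CLI (1.0.2 or newer) is on PATH and writes everything under a temporary directory; the CA name and the server names are constructed values.

```shell
# Added example, not from the original post: issue a local CA and a server cert
# with a subjectAltName, then check what a TLS client (SecureTransport on iOS
# included) checks before trusting the server: chain to a trusted CA, name in SAN.
# Assumes the openssl CLI is on PATH; files go under $WORK (a temp dir).
set -e
WORK="${WORK:-$(mktemp -d)}"
make_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Local Test CA
[ca_ext]
basicConstraints = critical, CA:true
keyUsage = keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -sha256 -nodes \
    -days 1000 -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}
# $1 is the name the client will connect to; it must appear in the SAN, not only the CN
make_server_cert() {
  cat > "$WORK/server.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $1
[server_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = DNS:$1
EOF
  openssl req -new -config "$WORK/server.cnf" -newkey rsa:2048 -sha256 -nodes \
    -keyout "$WORK/serverkey.pem" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/server.cnf" -extensions server_ext \
    -out "$WORK/servercert.pem" 2>/dev/null
}
# Chain check: does servercert.pem chain to cacert.pem? This is what -9807 reports as failing.
chain_ok() { openssl verify -CAfile "$WORK/cacert.pem" "$WORK/servercert.pem" >/dev/null 2>&1; }
# Name check: is $1 listed in the certificate's subjectAltName?
name_ok() { openssl x509 -in "$WORK/servercert.pem" -noout -text | grep -q "DNS:$1\$"; }
make_ca
make_server_cert localhost
if chain_ok && name_ok localhost; then echo "chain and SAN OK for localhost"; else echo "verification failed" >&2; exit 1; fi
name_ok 192.168.0.104 || echo "no SAN entry for 192.168.0.104: a client connecting by IP would reject this cert"
```

On the client side the same two checks pass only if cacert.pem (not just servercert.der) is installed or pinned as the trust anchor and the connection is made to the name in the SAN.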