pokeb / asi-http-request

Easy to use CFNetwork wrapper for HTTP requests, Objective-C, Mac OS X and iPhone
http://allseeing-i.com/ASIHTTPRequest

SSL Negotiation Error (OSStatus error -9819) #132

Open erikvip opened 13 years ago

erikvip commented 13 years ago

Receiving this error when trying to connect to an HTTPS site:

Error Domain=ASIHTTPRequestErrorDomain Code=1 "A connection failure occurred" UserInfo=0x80090e0 {NSUnderlyingError=0x8002d50 "The operation couldn’t be completed. (OSStatus error -9819.)", NSLocalizedDescription=A connection failure occurred}

The server does not support TLS, only SSLv3. Tracing the SSL handshake in Wireshark, I can see the client is requesting TLS 1.0 but the server does not support it. The client never 'falls back' to SSLv3 and the connection dies with the above error.

I'm not certain if this is a problem w/ ASIHTTP, as it does not appear to handle the SSL Negotiation (CFStream).

Setting kCFStreamSSLLevel to kCFStreamSocketSecurityLevelSSLv3 resolves the issue for me.

Fix

I've added a property to ASIHTTPRequest so we can specify the SSL security level to use.

Note: I'm new to Objective-C, I could have messed something up...but it works for me.

ASIHTTPRequest.h(365):

// Requested SSL security level (one of the kCFStreamSocketSecurityLevel* constants).
// CFStringRef is already a pointer type, so it is declared without an extra '*'.
// See: http://developer.apple.com/library/mac/#documentation/CoreFoundation/Reference/CFSocketStreamRef/Reference/reference.html
CFStringRef sslSecurityLevel;

ASIHTTPRequest.h(952):

@property (assign) CFStringRef sslSecurityLevel;

ASIHTTPRequest.m(1146):

// Use requested SSL security level; when unset, CFStream keeps its default negotiation
if ([self sslSecurityLevel] != NULL) {
    [sslProperties setObject:(NSString *)[self sslSecurityLevel] forKey:(NSString *)kCFStreamSSLLevel];
}

ASIHTTPRequest.m(4546):

@synthesize sslSecurityLevel;

Example

[request setSslSecurityLevel:kCFStreamSocketSecurityLevelSSLv3];

aidansteele commented 13 years ago

Is there a reason you cannot use kCFStreamSocketSecurityLevelNegotiatedSSL? Its description seems to imply that it should handle falling back to SSL should TLS not be supported.

erikvip commented 13 years ago

I tried using kCFStreamSocketSecurityLevelNegotiatedSSL before making the property, but the problem remains.

It does not appear to auto negotiate anything, it only tries TLS and then gives up.

I haven't seen this issue on any other SSL sites (I've only tested a few), just the one I need to connect to exhibits this problem.

But, this site works fine in every other browser (including Mobile Safari) - may be a mis-configured SSL server?

Would be nice to have the option of specifying the SSL version though, just in case it's necessary for somebody (as in my case).

Supported Ciphers

Using the script from here, the supported ciphers on the server are listed below.

I'm not an SSL guru & don't have access to modify this SSL config, but on this particular config, ASIHTTP does not connect without the kCFStreamSocketSecurityLevelSSLv3 option.

Testing ADH-SEED-SHA...NO (sslv3 alert handshake failure)
Testing DHE-RSA-SEED-SHA...NO (sslv3 alert handshake failure)
Testing DHE-DSS-SEED-SHA...NO (sslv3 alert handshake failure)
Testing SEED-SHA...NO (sslv3 alert handshake failure)
Testing ADH-AES256-SHA...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES256-SHA...NO (sslv3 alert handshake failure)
Testing DHE-DSS-AES256-SHA...NO (sslv3 alert handshake failure)
Testing AES256-SHA...NO (sslv3 alert handshake failure)
Testing ADH-AES128-SHA...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES128-SHA...NO (sslv3 alert handshake failure)
Testing DHE-DSS-AES128-SHA...NO (sslv3 alert handshake failure)
Testing AES128-SHA...NO (sslv3 alert handshake failure)
Testing ADH-DES-CBC3-SHA...YES
Testing ADH-DES-CBC-SHA...YES
Testing EXP-ADH-DES-CBC-SHA...NO (sslv3 alert handshake failure)
Testing ADH-RC4-MD5...YES
Testing EXP-ADH-RC4-MD5...NO (sslv3 alert handshake failure)
Testing EDH-RSA-DES-CBC3-SHA...NO (sslv3 alert handshake failure)
Testing EDH-RSA-DES-CBC-SHA...NO (sslv3 alert handshake failure)
Testing EXP-EDH-RSA-DES-CBC-SHA...NO (sslv3 alert handshake failure)
Testing EDH-DSS-DES-CBC3-SHA...NO (sslv3 alert handshake failure)
Testing EDH-DSS-DES-CBC-SHA...NO (sslv3 alert handshake failure)
Testing EXP-EDH-DSS-DES-CBC-SHA...NO (sslv3 alert handshake failure)
Testing DES-CBC3-SHA...YES
Testing DES-CBC-SHA...YES
Testing EXP-DES-CBC-SHA...YES
Testing EXP-RC2-CBC-MD5...NO (sslv3 alert handshake failure)
Testing RC4-SHA...YES
Testing RC4-MD5...YES
Testing EXP-RC4-MD5...YES
Testing DES-CBC3-MD5...NO (sslv3 alert handshake failure)
Testing DES-CBC-MD5...NO (sslv3 alert handshake failure)
Testing EXP-RC2-CBC-MD5...NO (sslv3 alert handshake failure)
Testing RC2-CBC-MD5...NO (sslv3 alert handshake failure)
Testing EXP-RC4-MD5...YES
Testing RC4-MD5...YES
Testing NULL-SHA...NO (sslv3 alert handshake failure)
Testing NULL-MD5...NO (sslv3 alert handshake failure)

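As an added example (not from this issue or the ASIHTTPRequest project), a small Python parser for the cipher-test output quoted above: it deduplicates the suites the server accepted and flags the weaknesses their OpenSSL names indicate (anonymous DH, export grade, RC4, single DES, MD5). The sample lines are constructed in the same format as the quoted scan.

```python
import re

# Constructed sample in the format of the cipher-test output quoted in the issue
# (a handful of lines, not the full list).
SAMPLE_OUTPUT = """\
Testing DHE-RSA-AES256-SHA...NO (sslv3 alert handshake failure)
Testing AES128-SHA...NO (sslv3 alert handshake failure)
Testing ADH-DES-CBC3-SHA...YES
Testing ADH-RC4-MD5...YES
Testing DES-CBC3-SHA...YES
Testing DES-CBC-SHA...YES
Testing EXP-DES-CBC-SHA...YES
Testing RC4-SHA...YES
Testing RC4-MD5...YES
Testing RC4-MD5...YES
Testing NULL-MD5...NO (sslv3 alert handshake failure)
"""

# One "Testing <suite>...<YES|NO>" line per probed suite.
LINE_RE = re.compile(r"^Testing (?P<suite>[A-Z0-9-]+)\.\.\.(?P<result>YES|NO)")

# Substring markers in OpenSSL suite names and the weakness each indicates.
WEAKNESS_MARKERS = [
    ("NULL", "no encryption"),
    ("EXP", "export-grade key length"),
    ("ADH", "anonymous DH, no server authentication"),
    ("RC4", "RC4 stream cipher"),
    ("MD5", "MD5 MAC"),
    ("DES-CBC3", "3DES (64-bit block)"),
    ("DES-CBC-", "single DES"),
]

def parse_cipher_scan(text):
    """Return the set of suites the server accepted (duplicates collapsed)."""
    accepted = set()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("result") == "YES":
            accepted.add(m.group("suite"))
    return accepted

def weaknesses(suite):
    """Weakness labels that apply to one OpenSSL suite name (empty if none flagged)."""
    return [label for marker, label in WEAKNESS_MARKERS if marker in suite]

def assess(text):
    """Map every accepted suite to its weaknesses, sorted by suite name."""
    return {s: weaknesses(s) for s in sorted(parse_cipher_scan(text))}

def all_accepted_weak(text):
    """True when no accepted suite is free of flagged weaknesses."""
    return all(weaknesses(s) for s in parse_cipher_scan(text))
```

Run against the full list in the comment above, the same functions show that every suite the server accepts is flagged, which is the security-relevant reading of the scan independent of the TLS-versus-SSLv3 negotiation question.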
aidansteele commented 13 years ago

Perhaps it is a misconfigured SSL server, but this would be beyond me. Just wanted to check that you were aware of the auto-negotiation option.

In any case, I agree: having the ability to specify a version would be handy sometimes.