Open erikvip opened 13 years ago
Is there a reason you cannot use kCFStreamSocketSecurityLevelNegotiatedSSL? Its description seems to imply that it should handle falling back to SSL should TLS not be supported.
I tried using kCFStreamSocketSecurityLevelNegotiatedSSL before making the property, but the problem remains.
It does not appear to auto negotiate anything, it only tries TLS and then gives up.
I haven't seen this issue on any other SSL sites (I've only tested a few), just the one I need to connect to exhibits this problem.
But, this site works fine in every other browser (including Mobile Safari) - may be a mis-configured SSL server?
Would be nice to have the option of specifying the SSL version though, just in case it's necessary for somebody (as in my case).
Using the script from here, the supported ciphers on the server are listed below.
I'm not an SSL guru & don't have access to modify this SSL config, but on this particular config, ASIHTTP does not connect without the kCFStreamSocketSecurityLevelSSLv3 option.
Testing ADH-SEED-SHA...NO (sslv3 alert handshake failure)
Testing DHE-RSA-SEED-SHA...NO (sslv3 alert handshake failure)
Testing DHE-DSS-SEED-SHA...NO (sslv3 alert handshake failure)
Testing SEED-SHA...NO (sslv3 alert handshake failure)
Testing ADH-AES256-SHA...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES256-SHA...NO (sslv3 alert handshake failure)
Testing DHE-DSS-AES256-SHA...NO (sslv3 alert handshake failure)
Testing AES256-SHA...NO (sslv3 alert handshake failure)
Testing ADH-AES128-SHA...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES128-SHA...NO (sslv3 alert handshake failure)
Testing DHE-DSS-AES128-SHA...NO (sslv3 alert handshake failure)
Testing AES128-SHA...NO (sslv3 alert handshake failure)
Testing ADH-DES-CBC3-SHA...YES
Testing ADH-DES-CBC-SHA...YES
Testing EXP-ADH-DES-CBC-SHA...NO (sslv3 alert handshake failure)
Testing ADH-RC4-MD5...YES
Testing EXP-ADH-RC4-MD5...NO (sslv3 alert handshake failure)
Testing EDH-RSA-DES-CBC3-SHA...NO (sslv3 alert handshake failure)
Testing EDH-RSA-DES-CBC-SHA...NO (sslv3 alert handshake failure)
Testing EXP-EDH-RSA-DES-CBC-SHA...NO (sslv3 alert handshake failure)
Testing EDH-DSS-DES-CBC3-SHA...NO (sslv3 alert handshake failure)
Testing EDH-DSS-DES-CBC-SHA...NO (sslv3 alert handshake failure)
Testing EXP-EDH-DSS-DES-CBC-SHA...NO (sslv3 alert handshake failure)
Testing DES-CBC3-SHA...YES
Testing DES-CBC-SHA...YES
Testing EXP-DES-CBC-SHA...YES
Testing EXP-RC2-CBC-MD5...NO (sslv3 alert handshake failure)
Testing RC4-SHA...YES
Testing RC4-MD5...YES
Testing EXP-RC4-MD5...YES
Testing DES-CBC3-MD5...NO (sslv3 alert handshake failure)
Testing DES-CBC-MD5...NO (sslv3 alert handshake failure)
Testing EXP-RC2-CBC-MD5...NO (sslv3 alert handshake failure)
Testing RC2-CBC-MD5...NO (sslv3 alert handshake failure)
Testing EXP-RC4-MD5...YES
Testing RC4-MD5...YES
Testing NULL-SHA...NO (sslv3 alert handshake failure)
Testing NULL-MD5...NO (sslv3 alert handshake failure)
Perhaps it is a misconfigured SSL server, but this would be beyond me. Just wanted to check that you were aware of the auto-negotiation option.
In any case, I agree: having the ability to specify a version would be handy sometimes.
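The scan output posted above can be read mechanically to test the "misconfigured server" theory. The sketch below is an added example, not code from this thread or from ASIHTTPRequest: it parses the `Testing <suite>...YES/NO` format and flags weaknesses visible in each accepted OpenSSL suite name. The function names and weakness labels are assumptions made for illustration, and the sample lines mirror the posted output.

```python
import re

# Sample lines mirroring the scan output posted above (embedded so this runs offline).
SAMPLE = """\
Testing DHE-RSA-AES256-SHA...NO (sslv3 alert handshake failure)
Testing AES128-SHA...NO (sslv3 alert handshake failure)
Testing ADH-DES-CBC3-SHA...YES
Testing ADH-RC4-MD5...YES
Testing DES-CBC3-SHA...YES
Testing DES-CBC-SHA...YES
Testing EXP-DES-CBC-SHA...YES
Testing RC4-SHA...YES
Testing EXP-RC4-MD5...YES
Testing NULL-SHA...NO (sslv3 alert handshake failure)
"""

LINE = re.compile(r"^Testing (?P<suite>[A-Za-z0-9-]+)\.\.\.(?P<res>YES|NO)(?: \(.*\))?$")

def parse(text):
    """Return {suite: accepted}; a suite listed twice counts as accepted if any run said YES."""
    out = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            out[m["suite"]] = out.get(m["suite"], False) or m["res"] == "YES"
    return out

def weaknesses(suite):
    """Flag weaknesses that can be read directly from an OpenSSL cipher suite name."""
    parts = suite.split("-")
    flags = []
    if parts[0] == "EXP":
        flags.append("export-grade key length")
    if "ADH" in parts:
        flags.append("anonymous key exchange (no server authentication)")
    if "NULL" in parts:
        flags.append("no encryption")
    flags += [c for c in ("RC4", "RC2") if c in parts]
    if "DES" in parts:
        flags.append("3DES (64-bit block)" if "CBC3" in parts else "single DES")
    if parts[-1] == "MD5":
        flags.append("MD5 MAC")
    return flags

def audit(text):
    """Return (accepted suites with their flags, accepted suites with no flag)."""
    accepted = {s: weaknesses(s) for s, ok in parse(text).items() if ok}
    return accepted, [s for s, f in accepted.items() if not f]

if __name__ == "__main__":
    for suite, flags in audit(SAMPLE)[0].items():
        print(f"{suite}: {', '.join(flags)}")
```

On this sample every accepted suite carries at least one flag, while all AES suites are refused.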
Receiving this error when trying to connect to an HTTPS site:
Error Domain=ASIHTTPRequestErrorDomain Code=1 "A connection failure occurred" UserInfo=0x80090e0 {NSUnderlyingError=0x8002d50 "The operation couldn’t be completed. (OSStatus error -9819.)", NSLocalizedDescription=A connection failure occurred}
The server does not support TLS, only SSLv3. Tracing the SSL handshake in Wireshark, I can see the client is requesting TLS 1.0 but the server does not support it. The client never 'falls back' to SSLv3 and the connection dies with the above error.
I'm not certain if this is a problem w/ ASIHTTP, as it does not appear to handle the SSL Negotiation (CFStream).
Setting kCFStreamSSLLevel to kCFStreamSocketSecurityLevelSSLv3 resolves the issue for me.
Fix
I've added a property to ASIHTTPRequest so we can specify the SSL security level to use.
Note: I'm new to Objective-C, I could have messed something up...but it works for me.
ASIHTTPRequest.h(365):
ASIHTTPRequest.h(952):
ASIHTTPRequest.m(1146):
ASIHTTPRequest.m(4546):
Example