How to: Troubleshoot MSAL for iOS and macOS TLS/SSL issues

This article provides information to help you troubleshoot issues that you may come across while using the Microsoft Authentication Library (MSAL) for iOS and macOS.

Network issues

Error -1200: "An SSL error has occurred and a secure connection to the server can't be made."

This error means that the connection isn't secure. It occurs when a certificate is invalid. For more information, including which server is failing the TLS check, refer to NSURLErrorFailingURLErrorKey in the userInfo dictionary of the error object.

This error is from Apple's networking library. A full list of NSURL error codes is in NSURLError.h in the macOS and iOS SDKs. For more details about this error, see URL Loading System Error Codes.
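The error object handed back by an MSAL call on Apple platforms is an NSError, and the -1200 failure usually sits somewhere in its NSUnderlyingErrorKey chain rather than at the top level. The following Swift helper, added here as an illustration and not code from MSAL or from the original article, walks that chain, matches NSURLErrorDomain with code NSURLErrorSecureConnectionFailed (-1200), and reads NSURLErrorFailingURLErrorKey so the failing host can be logged or shown to the user. The `TLSFailureInfo` type, the `tlsFailureInfo(from:)` function and the constructed sample error are assumptions made for this example; the Foundation keys and constants are the real ones.

```swift
import Foundation

/// What an app needs in order to act on a TLS failure: which server failed
/// and the message Foundation attached. (Hypothetical type for this example.)
struct TLSFailureInfo {
    let failingURL: URL?
    let code: Int
    let message: String
}

/// Walk the NSUnderlyingErrorKey chain of any Error (for example one returned by
/// an MSAL acquire-token call) and report the -1200 TLS failure if one is present.
/// Returns nil when the error is unrelated to TLS. (Hypothetical helper.)
func tlsFailureInfo(from error: Error) -> TLSFailureInfo? {
    var current: NSError? = error as NSError
    var depth = 0                       // guard against pathological self-referencing chains
    while let err = current, depth < 10 {
        if err.domain == NSURLErrorDomain,
           err.code == URLError.secureConnectionFailed.rawValue {   // -1200
            // Foundation may attach the failing server as a URL or as a plain string.
            let url = err.userInfo[NSURLErrorFailingURLErrorKey] as? URL
                ?? (err.userInfo[NSURLErrorFailingURLStringErrorKey] as? String)
                    .flatMap(URL.init(string:))
            return TLSFailureInfo(failingURL: url,
                                  code: err.code,
                                  message: err.localizedDescription)
        }
        current = err.userInfo[NSUnderlyingErrorKey] as? NSError
        depth += 1
    }
    return nil
}

// Constructed sample: an outer error wrapping the Foundation -1200 error, the
// shape a caller typically sees. The host name is a placeholder, not a real server.
let innerError = NSError(
    domain: NSURLErrorDomain,
    code: URLError.secureConnectionFailed.rawValue,
    userInfo: [
        NSURLErrorFailingURLErrorKey: URL(string: "https://login.example.invalid/oauth2/v2.0/token")!,
        NSLocalizedDescriptionKey: "An SSL error has occurred and a secure connection to the server cannot be made."
    ])
let outerError = NSError(domain: "ExampleAppErrorDomain",   // hypothetical wrapper domain
                         code: 1,
                         userInfo: [NSUnderlyingErrorKey: innerError])

if let info = tlsFailureInfo(from: outerError) {
    // Log the failing host rather than the whole URL so query strings never reach logs.
    let host = info.failingURL?.host ?? "<unknown host>"
    print("TLS check failed (\(info.code)) for \(host): \(info.message)")
    // Next step per the article: test this host with an SSL validation service and
    // confirm the certificate chain is valid and not SHA-1 signed.
} else {
    print("Not a TLS failure; check other NSURLError codes in NSURLError.h")
}
```

Only the host is logged on purpose: the failing URL can carry an authorization code or token request parameters, and a diagnostic log line should not. When the reported host is not the identity provider or a resource you expect, the captive portal case described later in this article is a likely explanation.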

Certificate issues

If the URL providing an invalid certificate connects to the server that you intend to use as part of the authentication flow, a good start to diagnosing the problem is to test the URL with an SSL validation service such as SSL Server Test. It tests the server against a wide array of scenarios and browsers and checks for many known vulnerabilities.

By default, Apple's new App Transport Security (ATS) feature applies more stringent security policies to apps that use TLS/SSL certificates. Some operating systems and web browsers have started enforcing some of these policies by default. For security reasons, we recommend you not disable ATS.

Certificates using SHA-1 hashes have known vulnerabilities. Most modern web browsers don't allow certificates with SHA-1 hashes.

Captive portals

A captive portal presents a web page to a user when they first access a Wi-Fi network and haven't yet been granted access to that network. It intercepts their internet traffic until the user satisfies the requirements of the portal. Network errors because the user can't connect to network resources are expected until the user connects through the portal.

Next steps

Learn about captive portals and Apple's new App Transport Security (ATS) feature.