iOS 允许自签名证书

·  阅读 3259

有几次在实现 iOS 应用时,需要访问用自签名证书搭建的网站,默认情况下,这类请求苹果(Apple ATS)是不允许的,下面介绍几种解决的方案(代码见本文最后demo)。

Apple ATS(App Transport Security)是苹果公司在 iOS 9 和 Mac OS X 10.11(El Capitan)中推出的一个新的安全标准,苹果公司在WWDC 2016宣布,所有iOS应用将需要使用“ATS”特性,强制使用HTTPS传输。ATS要求满足三点:前向安全(Forward Secrecy)的加密密码本、使用最新的 TLS1.2 安全协议、SHA256 以上的证书签名算法。

什么是前向安全?

引用维基百科里的解释:

在密码学中,前向保密(英语:Forward Secrecy,FS),有时也被称为完全前向保密(英语:Perfect Forward Secrecy,PFS)[1],是密码学中通讯协议的安全属性,指的是长期使用的主密钥泄漏不会导致过去的会话密钥泄漏。[2]前向保密能够保护过去进行的通讯不受密码或密钥在未来暴露的威胁。[3]如果系统具有前向保密性,就可以保证在私钥泄露时历史通讯的安全,即使系统遭到主动攻击也是如此。

在传输层安全协议(TLS)中,提供了基于临时迪菲-赫尔曼密钥交换(DHE)的前向安全通讯,分别为DHE-RSA、DHE-DSA和DHE-ECDSA;还有基于椭圆曲线迪菲-赫尔曼密钥交换(ECDHE)的前向安全通讯,包括ECDHE-RSA与ECDHE-ECDSA。理论上,从SSLv3开始,就已经可以使用支持前向安全的密码算法进行通讯。

检查网站是否支持安全特性

这里通过curl命令访问百度网站:

$ curl https://www.baidu.com/ -v
复制代码

返回结果为:

*   Trying 61.135.169.125...
* TCP_NODELAY set
* Connected to www.baidu.com (61.135.169.125) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256  <-- 协商算法
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=CN; ST=beijing; L=beijing; OU=service operation department; O=Beijing Baidu Netcom Science Technology Co., Ltd; CN=baidu.com
*  start date: Apr  2 07:04:58 2020 GMT
*  expire date: Jul 26 05:31:02 2021 GMT
*  subjectAltName: host "www.baidu.com" matched cert's "*.baidu.com"
*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign Organization Validation CA - SHA256 - G2
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: www.baidu.com
> User-Agent: curl/7.64.1
> Accept: */*
> 
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
< Connection: keep-alive
< Content-Length: 2443
< Content-Type: text/html
< Date: Thu, 13 Aug 2020 06:49:14 GMT
< Etag: "588603e6-98b"
< Last-Modified: Mon, 23 Jan 2017 13:23:50 GMT
< Pragma: no-cache
< Server: bfe/1.0.8.18
< Set-Cookie: BDORZ=27315; max-age=86400; domain=.baidu.com; path=/
< html 正文内容...
复制代码

从返回结果可以看到本次连接是满足 ATS 要求的:

  • 前向安全要求:ECDHE-RSA
  • 安全协议:TLSv1.2
  • 证书签名算法:SHA256

所以百度是可以随便在iOS应用中访问的,不管是WebView还是网络组件。

自签名网站

下面我尝试访问默认被限制的使用自签名证书的网站:

$ curl https://self-signed.badssl.com/ -v
复制代码

返回结果为:

*   Trying 104.154.89.105...
* TCP_NODELAY set
* Connected to self-signed.badssl.com (104.154.89.105) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self signed certificate
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
复制代码

连接由于证书链不可信原因最后关闭了,并没有请求到html内容,关闭原因可以看到:curl: (60) SSL certificate problem: self signed certificate。不过对于curl,可以通过添加参数的方式允许访问:

$ curl https://self-signed.badssl.com/ -v -k

*   Trying 104.154.89.105...
* TCP_NODELAY set
* Connected to self-signed.badssl.com (104.154.89.105) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=BadSSL; CN=*.badssl.com
*  start date: Oct  9 23:41:52 2019 GMT
*  expire date: Oct  8 23:41:52 2021 GMT
*  issuer: C=US; ST=California; L=San Francisco; O=BadSSL; CN=*.badssl.com
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET / HTTP/1.1
> Host: self-signed.badssl.com
> User-Agent: curl/7.64.1
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: nginx/1.10.3 (Ubuntu)
< Date: Thu, 13 Aug 2020 06:37:51 GMT
< Content-Type: text/html
< Content-Length: 502
< Last-Modified: Tue, 24 Mar 2020 00:15:54 GMT
< Connection: keep-alive
< ETag: "5e79513a-1f6"
< Cache-Control: no-store
< Accept-Ranges: bytes
< html 正文内容...
复制代码

参数 -k--insecure 表示允许不安全的服务器连接(Allow insecure server connections when using SSL)。

这就是本文的目的,为ATS的默认限制添加例外,从而允许应用访问使用自签名证书的网站

iOS 访问自签名证书错误

下面我来测试一下ATS默认的限制,通过 NSURLConnection 访问:

// 1.请求路径
NSURL *url = [NSURL URLWithString:@"https://self-signed.badssl.com/"];

// 2.创建请求对象
request = [NSURLRequest requestWithURL:url];

// 3.发送请求
[[NSURLConnection alloc] initWithRequest:request delegate:self];
复制代码

在 xcode 控制台看到请求没有成功,返回的错误为:

[0808/140237.183746:ERROR:ssl_client_socket_impl.cc(959)] handshake failed; returned -1, SSL error code 1, net_error -202
2020-08-08 14:02:37.186292+0800 CronetTest[13100:13863742] NSURLConnection finished with error - code -999
复制代码

解决方法汇总

NSURLConnection

通过代理类 NSURLConnectionDelegate 的方法 - (void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge 允许自签名证书:

@interface URLConnectionViewController ()<NSURLConnectionDelegate>{
    NSURLRequest *request;
    NSMutableData *receivedData;
    NSURLConnection *connection;
    NSURL *url;
}
@end

@implementation URLConnectionViewController
- (void)reloadRequest {
    // 1.请求路径
    NSURL *url = [NSURL URLWithString:@"https://self-signed.badssl.com/"];
    // 2.创建请求对象
    request = [NSURLRequest requestWithURL:url];
    // 3.发送请求
    connection = [[NSURLConnection alloc] initWithRequest:request delegate:self];
}


- (void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge{
    NSLog(@"接收挑战响应 %@ %zd", [[challenge protectionSpace] authenticationMethod], (ssize_t) [challenge previousFailureCount]);
    if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]){
        [[challenge sender]  useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust] forAuthenticationChallenge:challenge];
        [[challenge sender]  continueWithoutCredentialForAuthenticationChallenge: challenge];
    }
}
复制代码

在方法willSendRequestForAuthenticationChallenge中,会检查 authenticationMethod 方法,如果是服务器信任验证NSURLAuthenticationMethodServerTrust,并且匹配允许的例外域名则,调用continueWithoutCredentialForAuthenticationChallenge,达到允许请求的目的。

详细 authenticationMethod 说明请参考这里

这个方法必须调用下列“挑战响应”的方法之一:

  • useCredential:forAuthenticationChallenge:
  • continueWithoutCredentialForAuthenticationChallenge:
  • cancelAuthenticationChallenge:
  • performDefaultHandlingForAuthenticationChallenge:
  • rejectProtectionSpaceAndContinueWithChallenge:

当使用willSendRequestForAuthenticationChallenge,就不用再使用旧的方法 connection:canAuthenticateAgainstProtectionSpace:connection:didReceiveAuthenticationChallenge:,况且这两个方法在新的系统中也不会被调用了。

NSURLSession

NSURLSession 类似,通过代理类 NSURLSessionDelegate 的方法 -(void)URLSession:(NSURLSession *)session didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler 放开。

- (void)reloadRequest {
    // 1.请求路径
    NSURL *url = [NSURL URLWithString:@"https://self-signed.badssl.com/"]; 
    // 2.创建请求对象
    request = [NSURLRequest requestWithURL:url];
    // 3.异步发送请求
    NSURLSessionConfiguration *sessionConfiguration = [NSURLSessionConfiguration defaultSessionConfiguration];
    NSURLSession *session = [NSURLSession sessionWithConfiguration:sessionConfiguration delegate:self delegateQueue:Nil];

    NSURLSessionDataTask *task = [session dataTaskWithRequest:request completionHandler:^(NSData *data,NSURLResponse *response,NSError *error){
        NSString *html = [[NSString alloc]initWithData:data encoding:NSUTF8StringEncoding];     
        dispatch_async(dispatch_get_main_queue(), ^{
            NSLog(@"Response:%@",html);
        });
    }];
    [task resume];
}

- (void)URLSession:(NSURLSession *)session didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler{
  if([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]){
      if([challenge.protectionSpace.host isEqualToString: [request URL].host ]) {   
          NSURLCredential *credential = [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust];
          completionHandler(NSURLSessionAuthChallengeUseCredential,credential);
      }
  }
}
复制代码

UIWebView

UIWebView 的代理类 UIWebViewDelegate 没有验证相关的代理方法,一种解决方法是调用私有的方法,但是对上架商店有影响,另外一种解决方案是通过 NSURLConnectionDelegate 代理方法来变向实现。这个流程是这样的:

  1. 通过 UIWebView 调用 loadRequest 尝试访问;
  2. UIWebView 代理方法 shouldStartLoadWithRequest 中取消请求,转而创建一个 NSURLConnection 来进行同一请求;
  3. NSURLConnection 代理方法 willSendRequestForAuthenticationChallenge 中允许指定域名的证书验证;
  4. NSURLConnection 代理方法 didReceiveResponse 中取消请求,然后调用 UIWebView 重新执行 loadRequest

这是因为 UIWebView 底层是和 NSURLConnection 用一套网络套件,所以当 NSURLConnection 验证通过后,也会影响 UIWebView 不再被限制。但是我尝试通过 NSURLSession 来达到同样的目的,结果不行,应该是它和 UIWebView 并不用一套机制。

-(BOOL)webView:(UIWebView *)webView shouldStartLoadWithRequest:(NSURLRequest *)request navigationType:(UIWebViewNavigationType)navigationType {
    BOOL result = _Authenticated;
    if (!_Authenticated) {
        _FailedRequest = request;
        [[NSURLConnection alloc] initWithRequest:request delegate:self];
    }
    return result;
}

-(void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    NSLog(@"didReceiveAuthenticationChallenge %@ %zd", [[challenge protectionSpace] authenticationMethod], (ssize_t) [challenge previousFailureCount]);
    if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]){
        [[challenge sender]  useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust] forAuthenticationChallenge:challenge];
        [[challenge sender]  continueWithoutCredentialForAuthenticationChallenge: challenge];
    }
}

-(void)connection:(NSURLConnection *)connection didReceiveResponse:(NSURLResponse *)pResponse {
    _Authenticated = YES;
    [connection cancel];
    [_myWebView loadRequest:_FailedRequest];
}
复制代码

WKWebView

WKWebView 代理类 WKNavigationDelegate 中提供了验证挑战的方法,可以直接使用。

- (void)webView:(WKWebView *)webView didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential * _Nullable credential))completionHandler
{
    NSLog(@"didReceiveAuthenticationChallenge %@ %zd", [[challenge protectionSpace] authenticationMethod], (ssize_t) [challenge previousFailureCount]);
    if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        NSURLCredential * credential = [[NSURLCredential alloc] initWithTrust:[challenge protectionSpace].serverTrust];
        completionHandler(NSURLSessionAuthChallengeUseCredential, credential);
    }
}
复制代码

修改ATS默认配置

除了添加上面的代码,还需要同时修改项目配置。打开 info.plist,添加 NSAppTransportSecurity 配置:

<key>NSAppTransportSecurity</key>
<dict>
  <key>NSExceptionDomains</key>
  <dict>
    <key>self-signed.badssl.com</key>
    <dict>
      <key>NSIncludesSubdomains</key>
      <true/>
      <key>NSExceptionRequiresForwardSecrecy</key>
      <false/>
      <key>NSExceptionAllowsInsecureHTTPLoads</key>
      <true/>
    </dict>
  </dict>
  <key>NSAllowsArbitraryLoadsInWebContent</key>
  <true/>
  <key>NSAllowsArbitraryLoads</key>
  <true/>
</dict>
复制代码

两个全局配置:

  • NSAllowsArbitraryLoads:允许加载不安全连接
  • NSAllowsArbitraryLoadsInWebContent:允许在 Web Content 中加载不安全连接

或者通过例外域名单独配置,例外域名中的配置值优先级更高,不受上面的全局配置影响

  • NSIncludesSubdomains:包含所有子域名
  • NSExceptionRequiresForwardSecrecy:要求前向安全检查
  • NSExceptionAllowsInsecureHTTPLoads:允许不安全的HTTP连接

附录

附录一:iOS NSURLErrorDomain

NS_ERROR_ENUM(NSURLErrorDomain)
{
    NSURLErrorUnknown =       -1,
    NSURLErrorCancelled =       -999,
    NSURLErrorBadURL =        -1000,
    NSURLErrorTimedOut =      -1001,
    NSURLErrorUnsupportedURL =      -1002,
    NSURLErrorCannotFindHost =      -1003,
    NSURLErrorCannotConnectToHost =     -1004,
    NSURLErrorNetworkConnectionLost =     -1005,
    NSURLErrorDNSLookupFailed =     -1006,
    NSURLErrorHTTPTooManyRedirects =    -1007,
    NSURLErrorResourceUnavailable =     -1008,
    NSURLErrorNotConnectedToInternet =    -1009,
    NSURLErrorRedirectToNonExistentLocation =   -1010,
    NSURLErrorBadServerResponse =     -1011,
    NSURLErrorUserCancelledAuthentication =   -1012,
    NSURLErrorUserAuthenticationRequired =  -1013,
    NSURLErrorZeroByteResource =    -1014,
    NSURLErrorCannotDecodeRawData =             -1015,
    NSURLErrorCannotDecodeContentData =         -1016,
    NSURLErrorCannotParseResponse =             -1017,
    NSURLErrorAppTransportSecurityRequiresSecureConnection API_AVAILABLE(macos(10.11), ios(9.0), watchos(2.0), tvos(9.0)) = -1022,
    NSURLErrorFileDoesNotExist =    -1100,
    NSURLErrorFileIsDirectory =     -1101,
    NSURLErrorNoPermissionsToReadFile =   -1102,
    NSURLErrorDataLengthExceedsMaximum API_AVAILABLE(macos(10.5), ios(2.0), watchos(2.0), tvos(9.0)) =  -1103,
    NSURLErrorFileOutsideSafeArea API_AVAILABLE(macos(10.12.4), ios(10.3), watchos(3.2), tvos(10.2)) = -1104,
    
    // SSL errors
    NSURLErrorSecureConnectionFailed =    -1200,
    NSURLErrorServerCertificateHasBadDate =   -1201,
    NSURLErrorServerCertificateUntrusted =  -1202,
    NSURLErrorServerCertificateHasUnknownRoot = -1203,
    NSURLErrorServerCertificateNotYetValid =  -1204,
    NSURLErrorClientCertificateRejected =   -1205,
    NSURLErrorClientCertificateRequired = -1206,
    NSURLErrorCannotLoadFromNetwork =     -2000,
    
    // Download and file I/O errors
    NSURLErrorCannotCreateFile =    -3000,
    NSURLErrorCannotOpenFile =      -3001,
    NSURLErrorCannotCloseFile =     -3002,
    NSURLErrorCannotWriteToFile =     -3003,
    NSURLErrorCannotRemoveFile =    -3004,
    NSURLErrorCannotMoveFile =      -3005,
    NSURLErrorDownloadDecodingFailedMidStream = -3006,
    NSURLErrorDownloadDecodingFailedToComplete =-3007,

    NSURLErrorInternationalRoamingOff API_AVAILABLE(macos(10.7), ios(3.0), watchos(2.0), tvos(9.0)) =         -1018,
    NSURLErrorCallIsActive API_AVAILABLE(macos(10.7), ios(3.0), watchos(2.0), tvos(9.0)) =                    -1019,
    NSURLErrorDataNotAllowed API_AVAILABLE(macos(10.7), ios(3.0), watchos(2.0), tvos(9.0)) =                  -1020,
    NSURLErrorRequestBodyStreamExhausted API_AVAILABLE(macos(10.7), ios(3.0), watchos(2.0), tvos(9.0)) =      -1021,
    
    NSURLErrorBackgroundSessionRequiresSharedContainer API_AVAILABLE(macos(10.10), ios(8.0), watchos(2.0), tvos(9.0)) = -995,
    NSURLErrorBackgroundSessionInUseByAnotherProcess API_AVAILABLE(macos(10.10), ios(8.0), watchos(2.0), tvos(9.0)) = -996,
    NSURLErrorBackgroundSessionWasDisconnected API_AVAILABLE(macos(10.10), ios(8.0), watchos(2.0), tvos(9.0))= -997,
};
复制代码

附录二:Chromium 网络错误

Chomium 源代码

// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// This file intentionally does not have header guards, it's included
// inside a macro to generate enum values. The following line silences a
// presubmit and Tricium warning that would otherwise be triggered by this:
// no-include-guard-because-multiply-included
// NOLINT(build/header_guard)
// This file contains the list of network errors.
//
// Ranges:
//     0- 99 System related errors
//   100-199 Connection related errors
//   200-299 Certificate errors
//   300-399 HTTP errors
//   400-499 Cache errors
//   500-599 ?
//   600-699 FTP errors
//   700-799 Certificate manager errors
//   800-899 DNS resolver errors
// An asynchronous IO operation is not yet complete.  This usually does not
// indicate a fatal error.  Typically this error will be generated as a
// notification to wait for some external notification that the IO operation
// finally completed.
NET_ERROR(IO_PENDING, -1)
// A generic failure occurred.
NET_ERROR(FAILED, -2)
// An operation was aborted (due to user action).
NET_ERROR(ABORTED, -3)
// An argument to the function is incorrect.
NET_ERROR(INVALID_ARGUMENT, -4)
// The handle or file descriptor is invalid.
NET_ERROR(INVALID_HANDLE, -5)
// The file or directory cannot be found.
NET_ERROR(FILE_NOT_FOUND, -6)
// An operation timed out.
NET_ERROR(TIMED_OUT, -7)
// The file is too large.
NET_ERROR(FILE_TOO_BIG, -8)
// An unexpected error.  This may be caused by a programming mistake or an
// invalid assumption.
NET_ERROR(UNEXPECTED, -9)
// Permission to access a resource, other than the network, was denied.
NET_ERROR(ACCESS_DENIED, -10)
// The operation failed because of unimplemented functionality.
NET_ERROR(NOT_IMPLEMENTED, -11)
// There were not enough resources to complete the operation.
NET_ERROR(INSUFFICIENT_RESOURCES, -12)
// Memory allocation failed.
NET_ERROR(OUT_OF_MEMORY, -13)
// The file upload failed because the file's modification time was different
// from the expectation.
NET_ERROR(UPLOAD_FILE_CHANGED, -14)
// The socket is not connected.
NET_ERROR(SOCKET_NOT_CONNECTED, -15)
// The file already exists.
NET_ERROR(FILE_EXISTS, -16)
// The path or file name is too long.
NET_ERROR(FILE_PATH_TOO_LONG, -17)
// Not enough room left on the disk.
NET_ERROR(FILE_NO_SPACE, -18)
// The file has a virus.
NET_ERROR(FILE_VIRUS_INFECTED, -19)
// The client chose to block the request.
NET_ERROR(BLOCKED_BY_CLIENT, -20)
// The network changed.
NET_ERROR(NETWORK_CHANGED, -21)
// The request was blocked by the URL block list configured by the domain
// administrator.
NET_ERROR(BLOCKED_BY_ADMINISTRATOR, -22)
// The socket is already connected.
NET_ERROR(SOCKET_IS_CONNECTED, -23)
// The request was blocked because the forced reenrollment check is still
// pending. This error can only occur on ChromeOS.
// The error can be emitted by code in chrome/browser/policy/policy_helpers.cc.
NET_ERROR(BLOCKED_ENROLLMENT_CHECK_PENDING, -24)
// The upload failed because the upload stream needed to be re-read, due to a
// retry or a redirect, but the upload stream doesn't support that operation.
NET_ERROR(UPLOAD_STREAM_REWIND_NOT_SUPPORTED, -25)
// The request failed because the URLRequestContext is shutting down, or has
// been shut down.
NET_ERROR(CONTEXT_SHUT_DOWN, -26)
// The request failed because the response was delivered along with requirements
// which are not met ('X-Frame-Options' and 'Content-Security-Policy' ancestor
// checks and 'Cross-Origin-Resource-Policy', for instance).
NET_ERROR(BLOCKED_BY_RESPONSE, -27)
// Error -28 was removed (BLOCKED_BY_XSS_AUDITOR).
// The request was blocked by system policy disallowing some or all cleartext
// requests. Used for NetworkSecurityPolicy on Android.
NET_ERROR(CLEARTEXT_NOT_PERMITTED, -29)
// The request was blocked by a Content Security Policy
NET_ERROR(BLOCKED_BY_CSP, -30)
// The request was blocked because of no H/2 or QUIC session.
NET_ERROR(H2_OR_QUIC_REQUIRED, -31)
// The request was blocked because it is a private network request coming from
// an insecure context in a less private IP address space. This is used to
// enforce CORS-RFC1918: https://wicg.github.io/cors-rfc1918.
NET_ERROR(INSECURE_PRIVATE_NETWORK_REQUEST, -32)
// A connection was closed (corresponding to a TCP FIN).
NET_ERROR(CONNECTION_CLOSED, -100)
// A connection was reset (corresponding to a TCP RST).
NET_ERROR(CONNECTION_RESET, -101)
// A connection attempt was refused.
NET_ERROR(CONNECTION_REFUSED, -102)
// A connection timed out as a result of not receiving an ACK for data sent.
// This can include a FIN packet that did not get ACK'd.
NET_ERROR(CONNECTION_ABORTED, -103)
// A connection attempt failed.
NET_ERROR(CONNECTION_FAILED, -104)
// The host name could not be resolved.
NET_ERROR(NAME_NOT_RESOLVED, -105)
// The Internet connection has been lost.
NET_ERROR(INTERNET_DISCONNECTED, -106)
// An SSL protocol error occurred.
NET_ERROR(SSL_PROTOCOL_ERROR, -107)
// The IP address or port number is invalid (e.g., cannot connect to the IP
// address 0 or the port 0).
NET_ERROR(ADDRESS_INVALID, -108)
// The IP address is unreachable.  This usually means that there is no route to
// the specified host or network.
NET_ERROR(ADDRESS_UNREACHABLE, -109)
// The server requested a client certificate for SSL client authentication.
NET_ERROR(SSL_CLIENT_AUTH_CERT_NEEDED, -110)
// A tunnel connection through the proxy could not be established.
NET_ERROR(TUNNEL_CONNECTION_FAILED, -111)
// No SSL protocol versions are enabled.
NET_ERROR(NO_SSL_VERSIONS_ENABLED, -112)
// The client and server don't support a common SSL protocol version or
// cipher suite.
NET_ERROR(SSL_VERSION_OR_CIPHER_MISMATCH, -113)
// The server requested a renegotiation (rehandshake).
NET_ERROR(SSL_RENEGOTIATION_REQUESTED, -114)
// The proxy requested authentication (for tunnel establishment) with an
// unsupported method.
NET_ERROR(PROXY_AUTH_UNSUPPORTED, -115)
// During SSL renegotiation (rehandshake), the server sent a certificate with
// an error.
//
// Note: this error is not in the -2xx range so that it won't be handled as a
// certificate error.
NET_ERROR(CERT_ERROR_IN_SSL_RENEGOTIATION, -116)
// The SSL handshake failed because of a bad or missing client certificate.
NET_ERROR(BAD_SSL_CLIENT_AUTH_CERT, -117)
// A connection attempt timed out.
NET_ERROR(CONNECTION_TIMED_OUT, -118)
// There are too many pending DNS resolves, so a request in the queue was
// aborted.
NET_ERROR(HOST_RESOLVER_QUEUE_TOO_LARGE, -119)
// Failed establishing a connection to the SOCKS proxy server for a target host.
NET_ERROR(SOCKS_CONNECTION_FAILED, -120)
// The SOCKS proxy server failed establishing connection to the target host
// because that host is unreachable.
NET_ERROR(SOCKS_CONNECTION_HOST_UNREACHABLE, -121)
// The request to negotiate an alternate protocol failed.
NET_ERROR(ALPN_NEGOTIATION_FAILED, -122)
// The peer sent an SSL no_renegotiation alert message.
NET_ERROR(SSL_NO_RENEGOTIATION, -123)
// Winsock sometimes reports more data written than passed.  This is probably
// due to a broken LSP.
NET_ERROR(WINSOCK_UNEXPECTED_WRITTEN_BYTES, -124)
// An SSL peer sent us a fatal decompression_failure alert. This typically
// occurs when a peer selects DEFLATE compression in the mistaken belief that
// it supports it.
NET_ERROR(SSL_DECOMPRESSION_FAILURE_ALERT, -125)
// An SSL peer sent us a fatal bad_record_mac alert. This has been observed
// from servers with buggy DEFLATE support.
NET_ERROR(SSL_BAD_RECORD_MAC_ALERT, -126)
// The proxy requested authentication (for tunnel establishment).
NET_ERROR(PROXY_AUTH_REQUESTED, -127)
// Error -129 was removed (SSL_WEAK_SERVER_EPHEMERAL_DH_KEY).
// Could not create a connection to the proxy server. An error occurred
// either in resolving its name, or in connecting a socket to it.
// Note that this does NOT include failures during the actual "CONNECT" method
// of an HTTP proxy.
NET_ERROR(PROXY_CONNECTION_FAILED, -130)
// A mandatory proxy configuration could not be used. Currently this means
// that a mandatory PAC script could not be fetched, parsed or executed.
NET_ERROR(MANDATORY_PROXY_CONFIGURATION_FAILED, -131)
// -132 was formerly ERR_ESET_ANTI_VIRUS_SSL_INTERCEPTION
// We've hit the max socket limit for the socket pool while preconnecting.  We
// don't bother trying to preconnect more sockets.
NET_ERROR(PRECONNECT_MAX_SOCKET_LIMIT, -133)
// The permission to use the SSL client certificate's private key was denied.
NET_ERROR(SSL_CLIENT_AUTH_PRIVATE_KEY_ACCESS_DENIED, -134)
// The SSL client certificate has no private key.
NET_ERROR(SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY, -135)
// The certificate presented by the HTTPS Proxy was invalid.
NET_ERROR(PROXY_CERTIFICATE_INVALID, -136)
// An error occurred when trying to do a name resolution (DNS).
NET_ERROR(NAME_RESOLUTION_FAILED, -137)
// Permission to access the network was denied. This is used to distinguish
// errors that were most likely caused by a firewall from other access denied
// errors. See also ERR_ACCESS_DENIED.
NET_ERROR(NETWORK_ACCESS_DENIED, -138)
// The request throttler module cancelled this request to avoid DDOS.
NET_ERROR(TEMPORARILY_THROTTLED, -139)
// A request to create an SSL tunnel connection through the HTTPS proxy
// received a 302 (temporary redirect) response.  The response body might
// include a description of why the request failed.
//
// TODO(https://crbug.com/928551): This is deprecated and should not be used by
// new code.
NET_ERROR(HTTPS_PROXY_TUNNEL_RESPONSE_REDIRECT, -140)
// We were unable to sign the CertificateVerify data of an SSL client auth
// handshake with the client certificate's private key.
//
// Possible causes for this include the user implicitly or explicitly
// denying access to the private key, the private key may not be valid for
// signing, the key may be relying on a cached handle which is no longer
// valid, or the CSP won't allow arbitrary data to be signed.
NET_ERROR(SSL_CLIENT_AUTH_SIGNATURE_FAILED, -141)
// The message was too large for the transport.  (for example a UDP message
// which exceeds size threshold).
NET_ERROR(MSG_TOO_BIG, -142)
// Error -143 was removed (SPDY_SESSION_ALREADY_EXISTS)
// Error -144 was removed (LIMIT_VIOLATION).
// Websocket protocol error. Indicates that we are terminating the connection
// due to a malformed frame or other protocol violation.
NET_ERROR(WS_PROTOCOL_ERROR, -145)
// Error -146 was removed (PROTOCOL_SWITCHED)
// Returned when attempting to bind an address that is already in use.
NET_ERROR(ADDRESS_IN_USE, -147)
// An operation failed because the SSL handshake has not completed.
NET_ERROR(SSL_HANDSHAKE_NOT_COMPLETED, -148)
// SSL peer's public key is invalid.
NET_ERROR(SSL_BAD_PEER_PUBLIC_KEY, -149)
// The certificate didn't match the built-in public key pins for the host name.
// The pins are set in net/http/transport_security_state.cc and require that
// one of a set of public keys exist on the path from the leaf to the root.
NET_ERROR(SSL_PINNED_KEY_NOT_IN_CERT_CHAIN, -150)
// Server request for client certificate did not contain any types we support.
NET_ERROR(CLIENT_AUTH_CERT_TYPE_UNSUPPORTED, -151)
// Error -152 was removed (ORIGIN_BOUND_CERT_GENERATION_TYPE_MISMATCH)
// An SSL peer sent us a fatal decrypt_error alert. This typically occurs when
// a peer could not correctly verify a signature (in CertificateVerify or
// ServerKeyExchange) or validate a Finished message.
NET_ERROR(SSL_DECRYPT_ERROR_ALERT, -153)
// There are too many pending WebSocketJob instances, so the new job was not
// pushed to the queue.
NET_ERROR(WS_THROTTLE_QUEUE_TOO_LARGE, -154)
// Error -155 was removed (TOO_MANY_SOCKET_STREAMS)
// The SSL server certificate changed in a renegotiation.
NET_ERROR(SSL_SERVER_CERT_CHANGED, -156)
// Error -157 was removed (SSL_INAPPROPRIATE_FALLBACK).
// Error -158 was removed (CT_NO_SCTS_VERIFIED_OK).
// The SSL server sent us a fatal unrecognized_name alert.
NET_ERROR(SSL_UNRECOGNIZED_NAME_ALERT, -159)
// Failed to set the socket's receive buffer size as requested.
NET_ERROR(SOCKET_SET_RECEIVE_BUFFER_SIZE_ERROR, -160)
// Failed to set the socket's send buffer size as requested.
NET_ERROR(SOCKET_SET_SEND_BUFFER_SIZE_ERROR, -161)
// Failed to set the socket's receive buffer size as requested, despite success
// return code from setsockopt.
NET_ERROR(SOCKET_RECEIVE_BUFFER_SIZE_UNCHANGEABLE, -162)
// Failed to set the socket's send buffer size as requested, despite success
// return code from setsockopt.
NET_ERROR(SOCKET_SEND_BUFFER_SIZE_UNCHANGEABLE, -163)
// Failed to import a client certificate from the platform store into the SSL
// library.
NET_ERROR(SSL_CLIENT_AUTH_CERT_BAD_FORMAT, -164)
// Error -165 was removed (SSL_FALLBACK_BEYOND_MINIMUM_VERSION).
// Resolving a hostname to an IP address list included the IPv4 address
// "127.0.53.53". This is a special IP address which ICANN has recommended to
// indicate there was a name collision, and alert admins to a potential
// problem.
NET_ERROR(ICANN_NAME_COLLISION, -166)
// The SSL server presented a certificate which could not be decoded. This is
// not a certificate error code as no X509Certificate object is available. This
// error is fatal.
NET_ERROR(SSL_SERVER_CERT_BAD_FORMAT, -167)
// Certificate Transparency: Received a signed tree head that failed to parse.
NET_ERROR(CT_STH_PARSING_FAILED, -168)
// Certificate Transparency: Received a signed tree head whose JSON parsing was
// OK but was missing some of the fields.
NET_ERROR(CT_STH_INCOMPLETE, -169)
// The attempt to reuse a connection to send proxy auth credentials failed
// before the AuthController was used to generate credentials. The caller should
// reuse the controller with a new connection. This error is only used
// internally by the network stack.
NET_ERROR(UNABLE_TO_REUSE_CONNECTION_FOR_PROXY_AUTH, -170)
// Certificate Transparency: Failed to parse the received consistency proof.
NET_ERROR(CT_CONSISTENCY_PROOF_PARSING_FAILED, -171)
// The SSL server required an unsupported cipher suite that has since been
// removed. This error will temporarily be signaled on a fallback for one or two
// releases immediately following a cipher suite's removal, after which the
// fallback will be removed.
NET_ERROR(SSL_OBSOLETE_CIPHER, -172)
// When a WebSocket handshake is done successfully and the connection has been
// upgraded, the URLRequest is cancelled with this error code.
NET_ERROR(WS_UPGRADE, -173)
// Socket ReadIfReady support is not implemented. This error should not be user
// visible, because the normal Read() method is used as a fallback.
NET_ERROR(READ_IF_READY_NOT_IMPLEMENTED, -174)
// Error -175 was removed (SSL_VERSION_INTERFERENCE).
// No socket buffer space is available.
NET_ERROR(NO_BUFFER_SPACE, -176)
// There were no common signature algorithms between our client certificate
// private key and the server's preferences.
NET_ERROR(SSL_CLIENT_AUTH_NO_COMMON_ALGORITHMS, -177)
// TLS 1.3 early data was rejected by the server. This will be received before
// any data is returned from the socket. The request should be retried with
// early data disabled.
NET_ERROR(EARLY_DATA_REJECTED, -178)
// TLS 1.3 early data was offered, but the server responded with TLS 1.2 or
// earlier. This is an internal error code to account for a
// backwards-compatibility issue with early data and TLS 1.2. It will be
// received before any data is returned from the socket. The request should be
// retried with early data disabled.
//
// See https://tools.ietf.org/html/rfc8446#appendix-D.3 for details.
NET_ERROR(WRONG_VERSION_ON_EARLY_DATA, -179)
// TLS 1.3 was enabled, but a lower version was negotiated and the server
// returned a value indicating it supported TLS 1.3. This is part of a security
// check in TLS 1.3, but it may also indicate the user is behind a buggy
// TLS-terminating proxy which implemented TLS 1.2 incorrectly. (See
// https://crbug.com/boringssl/226.)
NET_ERROR(TLS13_DOWNGRADE_DETECTED, -180)
// The server's certificate has a keyUsage extension incompatible with the
// negotiated TLS key exchange method.
NET_ERROR(SSL_KEY_USAGE_INCOMPATIBLE, -181)
// Certificate error codes
//
// The values of certificate error codes must be consecutive.
// The server responded with a certificate whose common name did not match
// the host name.  This could mean:
//
// 1. An attacker has redirected our traffic to their server and is
//    presenting a certificate for which they know the private key.
//
// 2. The server is misconfigured and responding with the wrong cert.
//
// 3. The user is on a wireless network and is being redirected to the
//    network's login page.
//
// 4. The OS has used a DNS search suffix and the server doesn't have
//    a certificate for the abbreviated name in the address bar.
//
NET_ERROR(CERT_COMMON_NAME_INVALID, -200)
// The server responded with a certificate that, by our clock, appears to
// either not yet be valid or to have expired.  This could mean:
//
// 1. An attacker is presenting an old certificate for which they have
//    managed to obtain the private key.
//
// 2. The server is misconfigured and is not presenting a valid cert.
//
// 3. Our clock is wrong.
//
NET_ERROR(CERT_DATE_INVALID, -201)
// The server responded with a certificate that is signed by an authority
// we don't trust.  The could mean:
//
// 1. An attacker has substituted the real certificate for a cert that
//    contains their public key and is signed by their cousin.
//
// 2. The server operator has a legitimate certificate from a CA we don't
//    know about, but should trust.
//
// 3. The server is presenting a self-signed certificate, providing no
//    defense against active attackers (but foiling passive attackers).
//
NET_ERROR(CERT_AUTHORITY_INVALID, -202)
// The server responded with a certificate that contains errors.
// This error is not recoverable.
//
// MSDN describes this error as follows:
//   "The SSL certificate contains errors."
// NOTE: It's unclear how this differs from ERR_CERT_INVALID. For consistency,
// use that code instead of this one from now on.
//
NET_ERROR(CERT_CONTAINS_ERRORS, -203)
// The certificate has no mechanism for determining if it is revoked.  In
// effect, this certificate cannot be revoked.
NET_ERROR(CERT_NO_REVOCATION_MECHANISM, -204)
// Revocation information for the security certificate for this site is not
// available.  This could mean:
//
// 1. An attacker has compromised the private key in the certificate and is
//    blocking our attempt to find out that the cert was revoked.
//
// 2. The certificate is unrevoked, but the revocation server is busy or
//    unavailable.
//
NET_ERROR(CERT_UNABLE_TO_CHECK_REVOCATION, -205)
// The server responded with a certificate has been revoked.
// We have the capability to ignore this error, but it is probably not the
// thing to do.
NET_ERROR(CERT_REVOKED, -206)
// The server responded with a certificate that is invalid.
// This error is not recoverable.
//
// MSDN describes this error as follows:
//   "The SSL certificate is invalid."
//
NET_ERROR(CERT_INVALID, -207)
// The server responded with a certificate that is signed using a weak
// signature algorithm.
NET_ERROR(CERT_WEAK_SIGNATURE_ALGORITHM, -208)
// -209 is availible: was CERT_NOT_IN_DNS.
// The host name specified in the certificate is not unique.
NET_ERROR(CERT_NON_UNIQUE_NAME, -210)
// The server responded with a certificate that contains a weak key (e.g.
// a too-small RSA key).
NET_ERROR(CERT_WEAK_KEY, -211)
// The certificate claimed DNS names that are in violation of name constraints.
NET_ERROR(CERT_NAME_CONSTRAINT_VIOLATION, -212)
// The certificate's validity period is too long.
NET_ERROR(CERT_VALIDITY_TOO_LONG, -213)
// Certificate Transparency was required for this connection, but the server
// did not provide CT information that complied with the policy.
NET_ERROR(CERTIFICATE_TRANSPARENCY_REQUIRED, -214)
// The certificate chained to a legacy Symantec root that is no longer trusted.
// https://g.co/chrome/symantecpkicerts
NET_ERROR(CERT_SYMANTEC_LEGACY, -215)
// -216 was QUIC_CERT_ROOT_NOT_KNOWN which has been renumbered to not be in the
// certificate error range.
// The certificate is known to be used for interception by an entity other
// the device owner.
NET_ERROR(CERT_KNOWN_INTERCEPTION_BLOCKED, -217)
// The connection uses an obsolete version of SSL/TLS.
NET_ERROR(SSL_OBSOLETE_VERSION, -218)
// Add new certificate error codes here.
//
// Update the value of CERT_END whenever you add a new certificate error
// code.
// The value immediately past the last certificate error code.
NET_ERROR(CERT_END, -219)
// The URL is invalid.
NET_ERROR(INVALID_URL, -300)
// The scheme of the URL is disallowed.
NET_ERROR(DISALLOWED_URL_SCHEME, -301)
// The scheme of the URL is unknown.
NET_ERROR(UNKNOWN_URL_SCHEME, -302)
// Attempting to load an URL resulted in a redirect to an invalid URL.
NET_ERROR(INVALID_REDIRECT, -303)
// Attempting to load an URL resulted in too many redirects.
NET_ERROR(TOO_MANY_REDIRECTS, -310)
// Attempting to load an URL resulted in an unsafe redirect (e.g., a redirect
// to file:// is considered unsafe).
NET_ERROR(UNSAFE_REDIRECT, -311)
// Attempting to load an URL with an unsafe port number.  These are port
// numbers that correspond to services, which are not robust to spurious input
// that may be constructed as a result of an allowed web construct (e.g., HTTP
// looks a lot like SMTP, so form submission to port 25 is denied).
NET_ERROR(UNSAFE_PORT, -312)
// The server's response was invalid.
NET_ERROR(INVALID_RESPONSE, -320)
// Error in chunked transfer encoding.
NET_ERROR(INVALID_CHUNKED_ENCODING, -321)
// The server did not support the request method.
NET_ERROR(METHOD_NOT_SUPPORTED, -322)
// The response was 407 (Proxy Authentication Required), yet we did not send
// the request to a proxy.
NET_ERROR(UNEXPECTED_PROXY_AUTH, -323)
// The server closed the connection without sending any data.
NET_ERROR(EMPTY_RESPONSE, -324)
// The headers section of the response is too large.
NET_ERROR(RESPONSE_HEADERS_TOO_BIG, -325)
// Error -326 was removed (PAC_STATUS_NOT_OK)
// The evaluation of the PAC script failed.
NET_ERROR(PAC_SCRIPT_FAILED, -327)
// The response was 416 (Requested range not satisfiable) and the server cannot
// satisfy the range requested.
NET_ERROR(REQUEST_RANGE_NOT_SATISFIABLE, -328)
// The identity used for authentication is invalid.
NET_ERROR(MALFORMED_IDENTITY, -329)
// Content decoding of the response body failed.
NET_ERROR(CONTENT_DECODING_FAILED, -330)
// An operation could not be completed because all network IO
// is suspended.
NET_ERROR(NETWORK_IO_SUSPENDED, -331)
// FLIP data received without receiving a SYN_REPLY on the stream.
NET_ERROR(SYN_REPLY_NOT_RECEIVED, -332)
// Converting the response to target encoding failed.
NET_ERROR(ENCODING_CONVERSION_FAILED, -333)
// The server sent an FTP directory listing in a format we do not understand.
NET_ERROR(UNRECOGNIZED_FTP_DIRECTORY_LISTING_FORMAT, -334)
// Obsolete.  Was only logged in NetLog when an HTTP/2 pushed stream expired.
// NET_ERROR(INVALID_SPDY_STREAM, -335)
// There are no supported proxies in the provided list.
NET_ERROR(NO_SUPPORTED_PROXIES, -336)
// There is an HTTP/2 protocol error.
NET_ERROR(HTTP2_PROTOCOL_ERROR, -337)
// Credentials could not be established during HTTP Authentication.
NET_ERROR(INVALID_AUTH_CREDENTIALS, -338)
// An HTTP Authentication scheme was tried which is not supported on this
// machine.
NET_ERROR(UNSUPPORTED_AUTH_SCHEME, -339)
// Detecting the encoding of the response failed.
NET_ERROR(ENCODING_DETECTION_FAILED, -340)
// (GSSAPI) No Kerberos credentials were available during HTTP Authentication.
NET_ERROR(MISSING_AUTH_CREDENTIALS, -341)
// An unexpected, but documented, SSPI or GSSAPI status code was returned.
NET_ERROR(UNEXPECTED_SECURITY_LIBRARY_STATUS, -342)
// The environment was not set up correctly for authentication (for
// example, no KDC could be found or the principal is unknown.
NET_ERROR(MISCONFIGURED_AUTH_ENVIRONMENT, -343)
// An undocumented SSPI or GSSAPI status code was returned.
NET_ERROR(UNDOCUMENTED_SECURITY_LIBRARY_STATUS, -344)
// The HTTP response was too big to drain.
NET_ERROR(RESPONSE_BODY_TOO_BIG_TO_DRAIN, -345)
// The HTTP response contained multiple distinct Content-Length headers.
NET_ERROR(RESPONSE_HEADERS_MULTIPLE_CONTENT_LENGTH, -346)
// HTTP/2 headers have been received, but not all of them - status or version
// headers are missing, so we're expecting additional frames to complete them.
NET_ERROR(INCOMPLETE_HTTP2_HEADERS, -347)
// No PAC URL configuration could be retrieved from DHCP. This can indicate
// either a failure to retrieve the DHCP configuration, or that there was no
// PAC URL configured in DHCP.
NET_ERROR(PAC_NOT_IN_DHCP, -348)
// The HTTP response contained multiple Content-Disposition headers.
NET_ERROR(RESPONSE_HEADERS_MULTIPLE_CONTENT_DISPOSITION, -349)
// The HTTP response contained multiple Location headers.
NET_ERROR(RESPONSE_HEADERS_MULTIPLE_LOCATION, -350)
// HTTP/2 server refused the request without processing, and sent either a
// GOAWAY frame with error code NO_ERROR and Last-Stream-ID lower than the
// stream id corresponding to the request indicating that this request has not
// been processed yet, or a RST_STREAM frame with error code REFUSED_STREAM.
// Client MAY retry (on a different connection).  See RFC7540 Section 8.1.4.
NET_ERROR(HTTP2_SERVER_REFUSED_STREAM, -351)
// HTTP/2 server didn't respond to the PING message.
NET_ERROR(HTTP2_PING_FAILED, -352)
// Obsolete.  Kept here to avoid reuse, as the old error can still appear on
// histograms.
// NET_ERROR(PIPELINE_EVICTION, -353)
// The HTTP response body transferred fewer bytes than were advertised by the
// Content-Length header when the connection is closed.
NET_ERROR(CONTENT_LENGTH_MISMATCH, -354)
// The HTTP response body is transferred with Chunked-Encoding, but the
// terminating zero-length chunk was never sent when the connection is closed.
NET_ERROR(INCOMPLETE_CHUNKED_ENCODING, -355)
// There is a QUIC protocol error.
NET_ERROR(QUIC_PROTOCOL_ERROR, -356)
// The HTTP headers were truncated by an EOF.
NET_ERROR(RESPONSE_HEADERS_TRUNCATED, -357)
// The QUIC crytpo handshake failed.  This means that the server was unable
// to read any requests sent, so they may be resent.
NET_ERROR(QUIC_HANDSHAKE_FAILED, -358)
// Obsolete.  Kept here to avoid reuse, as the old error can still appear on
// histograms.
// NET_ERROR(REQUEST_FOR_SECURE_RESOURCE_OVER_INSECURE_QUIC, -359)
// Transport security is inadequate for the HTTP/2 version.
NET_ERROR(HTTP2_INADEQUATE_TRANSPORT_SECURITY, -360)
// The peer violated HTTP/2 flow control.
NET_ERROR(HTTP2_FLOW_CONTROL_ERROR, -361)
// The peer sent an improperly sized HTTP/2 frame.
NET_ERROR(HTTP2_FRAME_SIZE_ERROR, -362)
// Decoding or encoding of compressed HTTP/2 headers failed.
NET_ERROR(HTTP2_COMPRESSION_ERROR, -363)
// Proxy Auth Requested without a valid Client Socket Handle.
NET_ERROR(PROXY_AUTH_REQUESTED_WITH_NO_CONNECTION, -364)
// HTTP_1_1_REQUIRED error code received on HTTP/2 session.
NET_ERROR(HTTP_1_1_REQUIRED, -365)
// HTTP_1_1_REQUIRED error code received on HTTP/2 session to proxy.
NET_ERROR(PROXY_HTTP_1_1_REQUIRED, -366)
// The PAC script terminated fatally and must be reloaded.
NET_ERROR(PAC_SCRIPT_TERMINATED, -367)
// Obsolete. Kept here to avoid reuse.
// Request is throttled because of a Backoff header.
// See: crbug.com/486891.
// NET_ERROR(TEMPORARY_BACKOFF, -369)
// The server was expected to return an HTTP/1.x response, but did not. Rather
// than treat it as HTTP/0.9, this error is returned.
NET_ERROR(INVALID_HTTP_RESPONSE, -370)
// Initializing content decoding failed.
NET_ERROR(CONTENT_DECODING_INIT_FAILED, -371)
// Received HTTP/2 RST_STREAM frame with NO_ERROR error code.  This error should
// be handled internally by HTTP/2 code, and should not make it above the
// SpdyStream layer.
NET_ERROR(HTTP2_RST_STREAM_NO_ERROR_RECEIVED, -372)
// The pushed stream claimed by the request is no longer available.
NET_ERROR(HTTP2_PUSHED_STREAM_NOT_AVAILABLE, -373)
// A pushed stream was claimed and later reset by the server. When this happens,
// the request should be retried.
NET_ERROR(HTTP2_CLAIMED_PUSHED_STREAM_RESET_BY_SERVER, -374)
// An HTTP transaction was retried too many times due for authentication or
// invalid certificates. This may be due to a bug in the net stack that would
// otherwise infinite loop, or if the server or proxy continually requests fresh
// credentials or presents a fresh invalid certificate.
NET_ERROR(TOO_MANY_RETRIES, -375)
// Received an HTTP/2 frame on a closed stream.
NET_ERROR(HTTP2_STREAM_CLOSED, -376)
// Client is refusing an HTTP/2 stream.
NET_ERROR(HTTP2_CLIENT_REFUSED_STREAM, -377)
// A pushed HTTP/2 stream was claimed by a request based on matching URL and
// request headers, but the pushed response headers do not match the request.
NET_ERROR(HTTP2_PUSHED_RESPONSE_DOES_NOT_MATCH, -378)
// The server returned a non-2xx HTTP response code.
//
// Not that this error is only used by certain APIs that interpret the HTTP
// response itself. URLRequest for instance just passes most non-2xx
// response back as success.
NET_ERROR(HTTP_RESPONSE_CODE_FAILURE, -379)
// The certificate presented on a QUIC connection does not chain to a known root
// and the origin connected to is not on a list of domains where unknown roots
// are allowed.
NET_ERROR(QUIC_CERT_ROOT_NOT_KNOWN, -380)
// The cache does not have the requested entry.
NET_ERROR(CACHE_MISS, -400)
// Unable to read from the disk cache.
NET_ERROR(CACHE_READ_FAILURE, -401)
// Unable to write to the disk cache.
NET_ERROR(CACHE_WRITE_FAILURE, -402)
// The operation is not supported for this entry.
NET_ERROR(CACHE_OPERATION_NOT_SUPPORTED, -403)
// The disk cache is unable to open this entry.
NET_ERROR(CACHE_OPEN_FAILURE, -404)
// The disk cache is unable to create this entry.
NET_ERROR(CACHE_CREATE_FAILURE, -405)
// Multiple transactions are racing to create disk cache entries. This is an
// internal error returned from the HttpCache to the HttpCacheTransaction that
// tells the transaction to restart the entry-creation logic because the state
// of the cache has changed.
NET_ERROR(CACHE_RACE, -406)
// The cache was unable to read a checksum record on an entry. This can be
// returned from attempts to read from the cache. It is an internal error,
// returned by the SimpleCache backend, but not by any URLRequest methods
// or members.
NET_ERROR(CACHE_CHECKSUM_READ_FAILURE, -407)
// The cache found an entry with an invalid checksum. This can be returned from
// attempts to read from the cache. It is an internal error, returned by the
// SimpleCache backend, but not by any URLRequest methods or members.
NET_ERROR(CACHE_CHECKSUM_MISMATCH, -408)
// Internal error code for the HTTP cache. The cache lock timeout has fired.
NET_ERROR(CACHE_LOCK_TIMEOUT, -409)
// Received a challenge after the transaction has read some data, and the
// credentials aren't available.  There isn't a way to get them at that point.
NET_ERROR(CACHE_AUTH_FAILURE_AFTER_READ, -410)
// Internal not-quite error code for the HTTP cache. In-memory hints suggest
// that the cache entry would not have been useable with the transaction's
// current configuration (e.g. load flags, mode, etc.)
NET_ERROR(CACHE_ENTRY_NOT_SUITABLE, -411)
// The disk cache is unable to doom this entry.
NET_ERROR(CACHE_DOOM_FAILURE, -412)
// The disk cache is unable to open or create this entry.
NET_ERROR(CACHE_OPEN_OR_CREATE_FAILURE, -413)
// The server's response was insecure (e.g. there was a cert error).
NET_ERROR(INSECURE_RESPONSE, -501)
// An attempt to import a client certificate failed, as the user's key
// database lacked a corresponding private key.
NET_ERROR(NO_PRIVATE_KEY_FOR_CERT, -502)
// An error adding a certificate to the OS certificate database.
NET_ERROR(ADD_USER_CERT_FAILED, -503)
// An error occurred while handling a signed exchange.
NET_ERROR(INVALID_SIGNED_EXCHANGE, -504)
// An error occurred while handling a Web Bundle source.
NET_ERROR(INVALID_WEB_BUNDLE, -505)
// A Trust Tokens protocol operation-executing request failed for one of a
// number of reasons (precondition failure, internal error, bad response).
NET_ERROR(TRUST_TOKEN_OPERATION_FAILED, -506)
// When handling a Trust Tokens protocol operation-executing request, the system
// found that the request's desired Trust Tokens results were already present in
// a local cache; as a result, the main request was cancelled.
NET_ERROR(TRUST_TOKEN_OPERATION_CACHE_HIT, -507)
// *** Code -600 is reserved (was FTP_PASV_COMMAND_FAILED). ***
// A generic error for failed FTP control connection command.
// If possible, please use or add a more specific error code.
NET_ERROR(FTP_FAILED, -601)
// The server cannot fulfill the request at this point. This is a temporary
// error.
// FTP response code 421.
NET_ERROR(FTP_SERVICE_UNAVAILABLE, -602)
// The server has aborted the transfer.
// FTP response code 426.
NET_ERROR(FTP_TRANSFER_ABORTED, -603)
// The file is busy, or some other temporary error condition on opening
// the file.
// FTP response code 450.
NET_ERROR(FTP_FILE_BUSY, -604)
// Server rejected our command because of syntax errors.
// FTP response codes 500, 501.
NET_ERROR(FTP_SYNTAX_ERROR, -605)
// Server does not support the command we issued.
// FTP response codes 502, 504.
NET_ERROR(FTP_COMMAND_NOT_SUPPORTED, -606)
// Server rejected our command because we didn't issue the commands in right
// order.
// FTP response code 503.
NET_ERROR(FTP_BAD_COMMAND_SEQUENCE, -607)
// PKCS #12 import failed due to incorrect password.
NET_ERROR(PKCS12_IMPORT_BAD_PASSWORD, -701)
// PKCS #12 import failed due to other error.
NET_ERROR(PKCS12_IMPORT_FAILED, -702)
// CA import failed - not a CA cert.
NET_ERROR(IMPORT_CA_CERT_NOT_CA, -703)
// Import failed - certificate already exists in database.
// Note it's a little weird this is an error but reimporting a PKCS12 is ok
// (no-op).  That's how Mozilla does it, though.
NET_ERROR(IMPORT_CERT_ALREADY_EXISTS, -704)
// CA import failed due to some other error.
NET_ERROR(IMPORT_CA_CERT_FAILED, -705)
// Server certificate import failed due to some internal error.
NET_ERROR(IMPORT_SERVER_CERT_FAILED, -706)
// PKCS #12 import failed due to invalid MAC.
NET_ERROR(PKCS12_IMPORT_INVALID_MAC, -707)
// PKCS #12 import failed due to invalid/corrupt file.
NET_ERROR(PKCS12_IMPORT_INVALID_FILE, -708)
// PKCS #12 import failed due to unsupported features.
NET_ERROR(PKCS12_IMPORT_UNSUPPORTED, -709)
// Key generation failed.
NET_ERROR(KEY_GENERATION_FAILED, -710)
// Error -711 was removed (ORIGIN_BOUND_CERT_GENERATION_FAILED)
// Failure to export private key.
NET_ERROR(PRIVATE_KEY_EXPORT_FAILED, -712)
// Self-signed certificate generation failed.
NET_ERROR(SELF_SIGNED_CERT_GENERATION_FAILED, -713)
// The certificate database changed in some way.
NET_ERROR(CERT_DATABASE_CHANGED, -714)
// Error -715 was removed (CHANNEL_ID_IMPORT_FAILED)
// DNS error codes.
// DNS resolver received a malformed response.
NET_ERROR(DNS_MALFORMED_RESPONSE, -800)
// DNS server requires TCP
NET_ERROR(DNS_SERVER_REQUIRES_TCP, -801)
// DNS server failed.  This error is returned for all of the following
// error conditions:
// 1 - Format error - The name server was unable to interpret the query.
// 2 - Server failure - The name server was unable to process this query
//     due to a problem with the name server.
// 4 - Not Implemented - The name server does not support the requested
//     kind of query.
// 5 - Refused - The name server refuses to perform the specified
//     operation for policy reasons.
NET_ERROR(DNS_SERVER_FAILED, -802)
// DNS transaction timed out.
NET_ERROR(DNS_TIMED_OUT, -803)
// The entry was not found in cache or other local sources, for lookups where
// only local sources were queried.
// TODO(ericorth): Consider renaming to DNS_LOCAL_MISS or something like that as
// the cache is not necessarily queried either.
NET_ERROR(DNS_CACHE_MISS, -804)
// Suffix search list rules prevent resolution of the given host name.
NET_ERROR(DNS_SEARCH_EMPTY, -805)
// Failed to sort addresses according to RFC3484.
NET_ERROR(DNS_SORT_ERROR, -806)
// Error -807 was removed (DNS_HTTP_FAILED)
// Failed to resolve the hostname of a DNS-over-HTTPS server.
NET_ERROR(DNS_SECURE_RESOLVER_HOSTNAME_RESOLUTION_FAILED, -808)
复制代码

DEMO

github:ios-ats-demo

分类:
iOS
标签:
收藏成功!
已添加到「」, 点击更改