How to cancel a persistent connection using NSURLConnection?

转载 2013年12月05日 14:37:52


Is it possible to destroy a persistent connection that has been created with NSURLConnection? I need to be able to destroy the persistent connection and do another SSL handshake.

As it is now, calling [conn cancel] leaves a persistent connection behind that gets used with the next connection request to that host, which I don't want to happen.


As it turns out, I believe the Secure Transport TLS session cache is to blame.

I also asked the question on the apple developer forums, and got a response from an Apple person. He pointed me to this Apple sample code readme where it says:

At the bottom of the TLS stack on both iOS and Mac OS X is a component known as Secure Transport. Secure Transport maintains a per-process TLS session cache. When you connect via TLS, the cache stores information about the TLS negotiation so that subsequent connections can connect more quickly. The on-the-wire mechanism is described at the link below.

This presents some interesting gotchas, especially while you're debugging. For example, consider the following sequence:

  1. You use the Debug tab to set the TLS Server Validation to Disabled.

  2. You connect to a site with a self-signed identity. The connection succeeds because you've disabled TLS server trust validation. This adds an entry to the Secure Transport TLS session cache.

  3. You use the Debug tab to set the TLS Server Validation to Default.

  4. You immediately connect to the same site as you did in step 2. This should fail, because of the change in server trust validation policy, but it succeeds because you never receive an NSURLAuthenticationMethodServerTrust challenge. Under the covers, Secure Transport has resumed the TLS session, which means that the challenge never bubbles up to your level.

  5. On the other hand, if you delay for 11 minutes between steps 3 and 4, things work as expected (well, fail as expected :-). This is because Secure Transport's TLS session cache has a timeout of 10 minutes.

In the real world this isn't a huge problem, but it can be very confusing during debugging. There's no programmatic way to clear the Secure Transport TLS session cache but, as the cache is per-process, you can avoid this problem during debugging by simply quitting and relaunching your application. Remember that, starting with iOS 4, pressing the Home button does not necessarily quit your application. Instead, you should use quit the application from the recent applications list.

So, based on that, a user would have to either kill their app and restart it or wait more than 10 minutes before sending another request.

I did another google search with this new information and found this Apple technical Q&A article that matches this problem exactly. Near the bottom, it mentions adding a trailing '.' to domain names (and hopefully IP addresses) for requests in order to force a TLS session cache miss (if you can't modify the server in some way, which I can't), so I am going to try this and hopefully it will work. I will post my findings after I test it.

### EDIT ###

I tested adding a '.' to the end of the ip address, and the request was still completed successfully.

But I was thinking about the problem in general, and there's really no reason to force another SSL handshake. In my case, the solution to this problem is to keep a copy of the last known SecCertificateRef that was returned from the server. When making another request to the server, if a cached TLS session is used (connection:didReceiveAuthenticationChallenge: was not called), we know that the saved SecCertificateRef is still valid. If connection:didReceiveAuthenticationChallenge: is called, we can get the new SecCertificateRef at that time.



How to Make an HTTP Connection Using TCP/IP with RSocket

Reviewer Approved     The following code shows how to make an HTTP connection using a TCP/IP wit...

Core Data Versioning How to migrate your Core Data persistent store

Core Data Versioning How to migrate your Core Data persistent store by Marcus S. Zarra Introductio...



Connection to Auxilary using connect string failed with ORA-12528 [ID 419440.1]

Connection to Auxilary using connect string failed with ORA-12528 [ID 419440.1] Modified 15-FEB-2011...

using the Connector/J connection property 'autoReconnect=true' to avoid this problem.

日志:using the Connector/J connection property 'autoReconnect=true' to avoid this problem.   \ 订阅 ...

How to known Android data connection reset? (socket side)


How to keep CoreBluetooth connection alive between views

How to keep CoreBluetooth connection alive between views asked by Simon Bøgh on Jan 11 2016 23:05...

How to configure SSL +External connection for IBM TDS6.2 LDAP server

Before you start to do those configuration, you should prepare some tools. 1.Tools ikeyman from ...

如何关闭Golang中的HTTP连接 How to Close Golang's HTTP connection


CentOS7: How to resolve curl#56 - "Recv failure: Connection reset by peer"

Issue: When you execute Yum installation or update, you may encounter following error: Loaded plugin...

How to configure the C3P0 connection pool in Hibernate

Connection PoolConnection pool is good for performance, as it prevents Java application create a con...