OpenSSL“;服务器';本地主机';需要客户端证书。”带有本地主机apache服务器的iOS 8
我面临OpenSSL证书创建和安装相关的问题,或者可能是由于NSURLConnection,我已经创建了OpenSSL证书 以下是错误的本地化说明OpenSSL“;服务器';本地主机';需要客户端证书。”带有本地主机apache服务器的iOS 8,ios,openssl,xampp,nsurlconnection,server-configuration,Ios,Openssl,Xampp,Nsurlconnection,Server Configuration,我面临OpenSSL证书创建和安装相关的问题,或者可能是由于NSURLConnection,我已经创建了OpenSSL证书 以下是错误的本地化说明 2015-07-24 14:47:32.279 SSLTest[7657:60489] CFNetwork SSLHandshake failed (-9824 -> -9829) 2015-07-24 14:47:32.347 SSLTest[7657:60489] NSURLConnection/CFURLConnection
2015-07-24 14:47:32.279 SSLTest[7657:60489] CFNetwork SSLHandshake failed (-9824 -> -9829)
2015-07-24 14:47:32.347 SSLTest[7657:60489] NSURLConnection/CFURLConnection
HTTP load failed (kCFStreamErrorDomainSSL, -9829)
2015-07-24 14:47:32.576 SSLTest[7657:60350] The server “localhost” requires a client certificate.
每次我收到“服务器'localhost'需要客户端证书”错误时
这是我的.m
- (void)viewDidLoad
{
[super viewDidLoad];
NSString *url = @"https://localhost/Test.php";
NSMutableURLRequest *theRequest = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:url]];
[theRequest setHTTPMethod:@"POST"];
NSURLConnection *theConnection = [[NSURLConnection alloc] initWithRequest:theRequest delegate:self startImmediately:YES];
[theConnection start];
}
#pragma mark - NSURLConnectionDelegate
- (void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
if ([[challenge protectionSpace] authenticationMethod] == NSURLAuthenticationMethodServerTrust) {
[challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust] forAuthenticationChallenge:challenge];
} else if ([[challenge protectionSpace] authenticationMethod] == NSURLAuthenticationMethodClientCertificate) {
SecIdentityRef identity = [self getClientCertificate];
SecCertificateRef certificateRef;
SecIdentityCopyCertificate(identity, &certificateRef);
CFArrayRef certificateArray = CFArrayCreate(NULL, (const void **)certificateRef, 1, NULL);
NSURLCredential *identityCredential = [NSURLCredential credentialWithIdentity:identity certificates:(__bridge NSArray *)certificateArray persistence:NSURLCredentialPersistenceForSession];
[challenge.sender useCredential:identityCredential forAuthenticationChallenge:challenge];
}
}
- (void)connection:(NSURLConnection *)connection didFailWithError:(NSError *)error
{
NSLog(@"%@",[error localizedDescription]);
}
#pragma mark - Certificates
- (SecIdentityRef)getClientCertificate {
SecIdentityRef identityApp = nil;
NSString *thePath = [[NSBundle mainBundle] pathForResource:@"client" ofType:@"p12"];
NSData *PKCS12Data = [[NSData alloc] initWithContentsOfFile:thePath];
CFDataRef inPKCS12Data = (__bridge CFDataRef)PKCS12Data;
CFStringRef password = CFSTR("abcXYZ123");
const void *keys[] = { kSecImportExportPassphrase };
const void *values[] = { password };
CFDictionaryRef options = CFDictionaryCreate(NULL, keys, values, 1, NULL, NULL);
CFArrayRef items = CFArrayCreate(NULL, 0, 0, NULL);
OSStatus securityError = SecPKCS12Import(inPKCS12Data, options, &items);
CFRelease(options);
CFRelease(password);
if (securityError == errSecSuccess) {
NSLog(@"Success opening p12 certificate. Items: %ld", CFArrayGetCount(items));
CFDictionaryRef identityDict = CFArrayGetValueAtIndex(items, 0);
identityApp = (SecIdentityRef)CFDictionaryGetValue(identityDict, kSecImportItemIdentity);
} else {
NSLog(@"Error opening Certificate.");
}
return identityApp;
}
我的httpd.config看起来像这样(我在本地mac mini系统上安装了BITNAMI XAMPP 5.6.8)
Alias/bitnami/“/Applications/XAMPP/xamppfiles/apache2/htdocs/”
别名/bitnami”/Applications/XAMPP/xamppfiles/apache2/htdocs“
斯伦金安
SSLCertificateFile/Applications/XAMPP/xamppfiles/apache2/htdocs/ca.crt
SSLCertificateKeyFile/Applications/XAMPP/xamppfiles/apache2/htdocs/ca_withoutPassword.key
SSLCACertificateFile/Applications/XAMPP/xamppfiles/apache2/htdocs/ca.crt
SSLVerifyClient要求
选项索引跟随符号链接
允许超越所有
命令允许,拒绝
通融
我尝试了SSLCertificateChainFile和SSLCertificateFile,但没有成功
如果我删除了“SSLVERYCLIENT require”并点击服务,那么我将收到authenticationMethod“NSURLAuthenticationMethodServerTrust”和正确的服务器响应
如果我在.config文件中添加了“SSLVERYCLIENT require”,那么NSURLConnection委托方法“willSendRequestForAuthenticationChallenge”将调用两次,一次使用'nsurauthenticationmethodservertrust',第二次使用'nsurauthenticationmethodclientcertificate',然后我会出现上述错误。我认为您的Apache设置是错误的;您将
SSLCACertificateFile
指向您的客户端证书,而客户端证书应仅位于客户端;您应该将其指向您的CA证书。这是用来验证客户端证书的
作为旁注,上面的配置确实不安全。切勿将任何SSL证书放在公共htdocs文件夹中。它们应该放在只有root用户可读的地方,而远程用户肯定无法访问。这样你就暴露在最恶劣的攻击之下
Alias /bitnami/ "/Applications/XAMPP/xamppfiles/apache2/htdocs/"
Alias /bitnami "/Applications/XAMPP/xamppfiles/apache2/htdocs"
SSLEngine on
SSLCertificateFile /Applications/XAMPP/xamppfiles/apache2/htdocs/ca.crt
SSLCertificateKeyFile /Applications/XAMPP/xamppfiles/apache2/htdocs/ca_withoutPassword.key
SSLCACertificateFile /Applications/XAMPP/xamppfiles/apache2/htdocs/ca.crt
SSLVerifyClient require
<Directory "/Applications/XAMPP/xamppfiles/apache2/htdocs">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>