Ios 具有自签名证书的AF2.2 SSL固定
我想防止我的应用程序/服务器通信受到MITM攻击,因此我尝试设置SSL固定,但在使用自签名证书使其与AFNetworking 2.2一起工作时遇到问题。我认为主要是我如何生成证书的问题 我首先尝试根据以下内容生成自签名证书: 生成私钥:Ios 具有自签名证书的AF2.2 SSL固定,ios,ssl,nginx,openssl,afnetworking-2,Ios,Ssl,Nginx,Openssl,Afnetworking 2,我想防止我的应用程序/服务器通信受到MITM攻击,因此我尝试设置SSL固定,但在使用自签名证书使其与AFNetworking 2.2一起工作时遇到问题。我认为主要是我如何生成证书的问题 我首先尝试根据以下内容生成自签名证书: 生成私钥: sudo openssl genrsa -des3 -out server.key 2048 sudo openssl genrsa -out server.key 2048 生成签名请求,并在请求公用名称时使用域名: sudo openssl req -n
sudo openssl genrsa -des3 -out server.key 2048
sudo openssl genrsa -out server.key 2048
sudo openssl req -new -key server.key -out server.csr
sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
sudo openssl x509 -req -in server.req -CA ca.cer -CAkey ca.key -set_serial 100 -extfile openssl.cnf -extensions server -days 365 -outform PEM -out server.cer
derserver {
listen 80;
listen 443;
server_name myapp.com;
passenger_enabled on;
root /var/www/myapp/current/public;
rails_env production;
ssl on;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
}
derAFHTTPSessionManagerclient.securityPolicy = [AFSecurityPolicy
policyWithPinningMode:AFSSLPinningModeCertificate];
AFServerTrustIsValidstatic BOOL AFServerTrustIsValid(SecTrustRef serverTrust) {
SecTrustResultType result = 0;
OSStatus status = SecTrustEvaluate(serverTrust, &result);
NSCAssert(status == errSecSuccess, @"SecTrustEvaluate error: %ld", (long int)status);
return (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);
}
kSecTrustResultRecoverableTrustFailureallowInvalidCertificatesYESAFServerTrustIsValid[ req ]
default_md = sha1
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = United Kingdon
countryName_default = UK
countryName_min = 2
countryName_max = 2
localityName = Locality
localityName_default = London
organizationName = Organization
organizationName_default = Eric Organization
commonName = Common Name
commonName_max = 64
[ certauth ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
crlDistributionPoints = @crl
[ server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
nsCertType = server
subjectAltName = DNS:myapp.com
crlDistributionPoints = @crl
[ crl ]
URI=http://testca.local/ca.crl
sudo openssl req -config ./openssl.cnf -newkey rsa:2048 -nodes -keyform PEM -keyout ca.key -x509 -days 3650 -extensions certauth -outform PEM -out ca.cer
sudo openssl genrsa -des3 -out server.key 2048
sudo openssl genrsa -out server.key 2048
sudo openssl req -config ./openssl.cnf -new -key server.key -out server.req
sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
sudo openssl x509 -req -in server.req -CA ca.cer -CAkey ca.key -set_serial 100 -extfile openssl.cnf -extensions server -days 365 -outform PEM -out server.cer
dersudo openssl x509 -outform der -in server.cer -out stopcastapp.com.der
server.derserver.cerkSecTrustResultRecoverableTrustFailure我做错了什么?我是不是觉得这一切都太离谱了,还是我只需要调整一件小事就可以让一切正常运转?如果你能提供任何帮助,我会非常非常感激(我已经讨论这个问题两天了)。谢谢!您需要在代码中的某个地方指定此项或类似项。您需要告诉代码接受无效证书(也称为自签名)
现在,我在Mac OS X上使用Keychain Assistant并通过覆盖AFNetworking 2.2如何对自签名证书进行固定来实现这一点。请注意,AFNetworking中对自签名证书的证书固定将很快得到修复。当它发生时,我将更新此帖子。这是AFNetworking问题吗?运气好吗?这方面有什么消息吗?