Problems with SSL Pinning and AFNetworking 2.5.0 (NSURLErrorDomain error -1012.)


Problem description

We’ve been having a hard time securing our app’s network connections with SSL using AFNetworking 2.5.0.

We use a self-signed certificate authority and implemented a custom security policy using pinned certificates.

We’ve tested quite a few configurations provided by AFNetworking but have not been lucky so far. The error message we receive is:


2015-01-05 19:03:07.191 AppName[9301:319051] Error updating user's journey. Error: Error Domain=NSURLErrorDomain Code=-1012
"The operation couldn't be completed. (NSURLErrorDomain error -1012.)"
UserInfo=0x7ae056b0
{NSErrorFailingURLKey=https://api.XXX.com/XXX/XXX/,
NSErrorFailingURLStringKey=https://api.XXX.com/XXX/XXX/}

Our certificate works fine on other clients such as cURL and Android. When using HTTP, our implementation works perfectly fine too.

Is anyone aware of any issues related to pinned certificates and AFNetworking? If yes, we’d appreciate any pointers you may have.

Here is part of the implementation:

+ (AFSecurityPolicy*)customSecurityPolicy {
   // Pinning mode None: AFNetworking never compares the server certificate
   // against pinnedCertificates in this mode, so the pin below has no effect.
   AFSecurityPolicy *securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeNone];
   // Load the DER-encoded certificate shipped in the app bundle.
   NSString *cerPath = [[NSBundle mainBundle] pathForResource:@"filename" ofType:@"der"];
   NSData *certData = [NSData dataWithContentsOfFile:cerPath];
   // Self-signed certificates fail the default trust evaluation when this is NO.
   [securityPolicy setAllowInvalidCertificates:NO];
   [securityPolicy setValidatesCertificateChain:NO];
   [securityPolicy setPinnedCertificates:@[certData]];
   return securityPolicy;
}

+ (AFHTTPRequestOperationManager*)customHttpRequestOperationManager {
   AFHTTPRequestOperationManager *manager = [AFHTTPRequestOperationManager manager];
   manager.securityPolicy = [self customSecurityPolicy]; // SSL
   return manager;
}

+(void)getRequestWithUrl:(NSString*)url success:(void(^)(AFHTTPRequestOperation *operation, id responseObject))success failure:(void(^) (AFHTTPRequestOperation *operation, NSError *error))failure {
   [[UIApplication sharedApplication] setNetworkActivityIndicatorVisible:YES];
   AFHTTPRequestOperationManager *manager = [HttpClient customHttpRequestOperationManager];
   manager.responseSerializer = [AFHTTPResponseSerializer serializer];
   [manager GET:url parameters:nil success:^(AFHTTPRequestOperation *operation, id responseObject) {
       [[UIApplication sharedApplication] setNetworkActivityIndicatorVisible:NO];
       success(operation, responseObject);
   } failure:^(AFHTTPRequestOperation *operation, NSError *error) {
       [[UIApplication sharedApplication] setNetworkActivityIndicatorVisible:NO];
       failure(operation, error);
   }];
}

Thanks!

Recommended answer

After reading through the AFNetworking code and checking the change logs, here's what I had to do to get this working.

Create your AFSecurityPolicy object with AFSSLPinningModeCertificate:

AFSecurityPolicy* policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate];

By default, AFNetworking will validate the domain name of the certificate. Our certificates are generated on a per-server basis, and not all of them will have a domain name, so we need to disable that:

[policy setValidatesDomainName:NO];

Since the certificates are self-signed, they are technically 'invalid', so we need to allow that as well:

[policy setAllowInvalidCertificates:YES];

Lastly, AFNetworking will attempt to validate the certificate all the way up the certificate chain, which to me seems like it would only go up the chain to OUR CA, but for whatever reason it doesn't, so we have to disable that too:

[policy setValidatesCertificateChain:NO];

And that's it! Set the security policy in your request manager like you're already doing and it should work fine.

So, recap, all you really need to change in the code you posted is this:

A) As David Caunt mentioned, change your pinning mode from AFSSLPinningModeNone to AFSSLPinningModeCertificate

B) Add the line to disable validating the domain name: [policy setValidatesDomainName:NO]

Another note, AFNetworking now automatically checks your bundle for .cer files, so if you were to rename your certificate to have a .cer extension, you can eliminate the code to get the certificate data out of the bundle and set the pinned certificates.
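Putting the answer's changes together, here is an added example (not code from the question or the answer) of a security policy for AFNetworking 2.5.0 that pins the bundled self-signed certificate, with comments on what each setting still enforces and what it gives up. It assumes the DER certificate is bundled as "filename.der" as in the question; the method names are hypothetical.

```objective-c
#import "AFNetworking.h"

// Added example, not the project's own code: the question's policy rewritten
// with the settings from the answer. Assumes "filename.der" is in the bundle.
+ (AFSecurityPolicy *)pinnedSecurityPolicy {
    NSString *cerPath = [[NSBundle mainBundle] pathForResource:@"filename" ofType:@"der"];
    NSData *certData = [NSData dataWithContentsOfFile:cerPath];
    // Fail closed: a missing or unreadable certificate must not silently
    // produce a policy with nothing pinned.
    NSAssert(certData != nil, @"pinned certificate not found in bundle");

    // A) AFSSLPinningModeCertificate: a certificate presented by the server
    //    must be byte-for-byte identical to one in pinnedCertificates.
    //    With AFSSLPinningModeNone the pinned list is never consulted.
    AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate];
    policy.pinnedCertificates = @[certData];

    // Self-signed certificate: the system trust store rejects it, so the
    // default trust evaluation has to be allowed to fail. The pin comparison
    // above still runs, so an unknown certificate is still refused.
    policy.allowInvalidCertificates = YES;

    // B) Per-server certificates without a hostname: skip hostname matching.
    //    Trade-off: any endpoint that presents the pinned certificate is
    //    accepted, so protecting that certificate's private key is what
    //    keeps the connection safe.
    policy.validatesDomainName = NO;

    // With chain validation off, one certificate in the presented chain
    // matching a pin is enough, instead of every certificate in the chain.
    policy.validatesCertificateChain = NO;
    return policy;
}

+ (AFHTTPRequestOperationManager *)pinnedRequestOperationManager {
    AFHTTPRequestOperationManager *manager = [AFHTTPRequestOperationManager manager];
    manager.securityPolicy = [self pinnedSecurityPolicy];
    // When the policy rejects the server trust, AFNetworking cancels the
    // authentication challenge and the request fails with
    // NSURLErrorUserCancelledAuthentication (-1012), the error in the question.
    return manager;
}
```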
