Continuously getting kSecTrustResultRecoverableTrustFailure while trust evaluation - iphone


Problem description

I want to securely communicate with my server and here is what I am doing...

NSURLProtectionSpace *protectionSpace = [challenge protectionSpace];
SecTrustRef trust = [protectionSpace serverTrust];
NSURLCredential *credential = [NSURLCredential credentialForTrust:trust];

SecPolicyRef myPolicy = SecPolicyCreateBasicX509();

NSArray * certs = [[NSArray alloc] initWithObjects:(id)certificate,nil]; //certificate is my server's cert.
credential = [NSURLCredential credentialForTrust:trust];

SecTrustSetAnchorCertificates(trust,
                              (CFArrayRef) [NSArray arrayWithObject:(id) certificate ]);

OSStatus status = SecTrustCreateWithCertificates(certs, myPolicy, &trust);

SecTrustResultType trustResult = 0;

if (status == noErr) {
    status = SecTrustEvaluate(trust, &trustResult);
}

NSLog(@"Trust I get: %d", trustResult);
[certs release];

if (trustResult == kSecTrustResultRecoverableTrustFailure) {
    NSLog(@"Recoverable Failure");
    CFAbsoluteTime trustTime,currentTime,timeIncrement,newTime;
    CFDateRef newDate;

    trustTime = SecTrustGetVerifyTime(trust);
    timeIncrement = 31536000;
    currentTime = CFAbsoluteTimeGetCurrent();
    newTime = currentTime - timeIncrement;
    if (trustTime - newTime){
        newDate = CFDateCreate(NULL, newTime);
        SecTrustSetVerifyDate(trust, newDate);
        status = SecTrustEvaluate(trust, &trustResult);
    }
    NSLog(@"Trust again:%d", trustResult);// AGAIN kSecTrustResultRecoverableTrustFailure(5) over here

}

Does anybody have an idea why it is happening... It seems it is not about the expiration of the certificate (which is not the case in reality as well) but that could be the reason.

Thanks

al

Recommended answer

SecTrustResultRecoverableTrustFailure happens if

  • the certificate is md5 hashed (IOS5)
  • the server does not present the root and intermediate certificates
  • the SecTrustSetAnchorCertificatesOnly(trust,YES) is set and the anchor certificate is only in the built in anchor certificates
  • the certificate is expired
  • ?

I solved my problem by configuring the webserver to send the whole certificate chain instead of only the server certificate.

By configuring my apache mod_ssl: https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcertificatechainfile
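
To tell the causes listed above apart on the client, the sketch below evaluates the trust object from the challenge against one pinned anchor and logs the chain that was built. It is an added example, not code from the question or the answer; the helper name `EvaluateAgainstPinnedAnchor` is hypothetical, and it assumes the same SecTrustEvaluate-era Security framework APIs the question uses.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical helper (added example). serverTrust is the object returned by
// [[challenge protectionSpace] serverTrust]; anchor is the certificate the
// app ships and is willing to trust as the root of the chain.
static BOOL EvaluateAgainstPinnedAnchor(SecTrustRef serverTrust,
                                        SecCertificateRef anchor)
{
    // Keep the challenge's trust object: it carries the certificates the
    // server actually sent and the SSL policy for this connection.
    const void *values[] = { anchor };
    CFArrayRef anchors = CFArrayCreate(NULL, values, 1, &kCFTypeArrayCallBacks);
    if (anchors == NULL) {
        return NO;
    }

    OSStatus status = SecTrustSetAnchorCertificates(serverTrust, anchors);
    if (status == errSecSuccess) {
        // Consult only the pinned anchor, not the built-in roots.
        status = SecTrustSetAnchorCertificatesOnly(serverTrust, true);
    }
    CFRelease(anchors);

    SecTrustResultType result = kSecTrustResultInvalid;
    if (status == errSecSuccess) {
        status = SecTrustEvaluate(serverTrust, &result);
    }
    if (status != errSecSuccess) {
        return NO;
    }

    // Log the chain that was built. A chain that stops before the pinned
    // anchor suggests the server did not send its intermediate certificates.
    CFIndex count = SecTrustGetCertificateCount(serverTrust);
    NSLog(@"trust result=%d, certificates in chain=%ld", (int)result, (long)count);
    for (CFIndex i = 0; i < count; i++) {
        SecCertificateRef cert = SecTrustGetCertificateAtIndex(serverTrust, i);
        CFStringRef summary = SecCertificateCopySubjectSummary(cert);
        if (summary != NULL) {
            CFShow(summary);   // prints the subject summary to stderr
            CFRelease(summary);
        }
    }

    // Only these two results mean the chain verified; a recoverable failure
    // is still a failure and the connection should not proceed.
    return (result == kSecTrustResultUnspecified ||
            result == kSecTrustResultProceed);
}
```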
