我们如何告诉CFStream使用一组锚证书? [英] How can we tell a CFStream to use a set of anchor certificates?

问题描述

我知道我们可以使用给定SecTrustRef的SecTrustSetAnchorCertificates().但是，使用CFStreams，只有握手后才能获得信任对象.一种解决方法似乎是使用kCFStreamSSLValidatesCertificateChain属性在CFStream上禁用证书链验证，然后使用kCFStreamPropertySSLPeerCertificates获取对等证书，从这些证书创建信任并自己评估信任.

I know we can use SecTrustSetAnchorCertificates() given a SecTrustRef. But with CFStreams, we can get the trust object only after the hand shake. One workaround seems to be to disable certificate chain verification on the CFStream using the kCFStreamSSLValidatesCertificateChain property and then get the peer certificates using kCFStreamPropertySSLPeerCertificates, create a trust from those certificates and evaluate the trust ourselves.

但是，如果我们只告诉CFStream使用一组证书作为锚，那将会更加干净.我希望太多吗?

But it would be a lot cleaner if we could just tell CFStream to use an array of certs as anchor. Am I hoping for too much?

推荐答案

eskimo1如此回答:

eskimo1 from Apple Devforums answered this so:

首先，使用kCFStreamSSLValidatesCertificateChain禁用自动信任评估.

First, disable automatic trust evaluation using kCFStreamSSLValidatesCertificateChain.

第二，一旦流启动并运行(我通常在可以接受字节"或有字节可用"消息处理中执行此操作)，请使用kCFStreamPropertySSLPeerTrust从流中获取SecTrust对象，并亲自评估该信任.如果信任评估失败，请删除该流.

Second, once the stream is up and running (I typically do this in my 'can accept bytes' or 'has bytes available' message handling), get the SecTrust object from the stream using kCFStreamPropertySSLPeerTrust and evaluate that trust for yourself. If the trust evaluation fails, tear down the stream.

这篇关于我们如何告诉CFStream使用一组锚证书?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！