如何使用 AFNetworking 比较 SSL 证书 [英] How to compare SSL certificates using AFNetworking
问题描述
在我的 iPhone 应用中,我使用带有自签名 SSL 证书的 https 连接从服务器下载合理的数据(用户名和密码).
此应用仅供私人使用,不适用于生产.
我正在使用 AFNetworking 来管理 https 连接,但是,由于我的证书不是从 CA 签署的,为了使其工作,我必须添加AFURLConnectionOperation 类的标题如下:
#define _AFNETWORKING_ALLOW_INVALID_SSL_CERTIFICATES_ 1但是有了这个,我的应用程序将允许任何证书.
有没有办法只允许来自我的服务器的证书可能将其捆绑在应用程序中并将其与服务器在 https 连接中提供的证书进行比较?如果可能的话,在安全性方面是否有任何显着优势?
我对安全很陌生,有点困惑.
您正在寻找的术语是 SSL Pinning,其中应用验证已知证书或公钥是否与由远程服务器.
AFNetworking 支持使用证书或公钥进行固定.您需要将证书或公钥添加到您的应用程序包中,并通过设置 defaultSSLPinningMode 属性在 AFHttpClient 或 SSLPinningMode AFURLConnection 上的属性
您可以使用 AFSSLPinningModePublicKey 或 AFSSLPinningModeCertificate 固定.AFSSLPinningModeCertificate 意味着服务器的证书必须与包中的证书完全匹配.
AFSSLPinningModePublicKey 更加自由,意味着服务器的证书必须与捆绑包中的任何公钥或附加到捆绑包中证书的任何公钥匹配.
有一个 norelofollow"AppDotNet 示例中的固定模式.
In my iPhone app I'm using an https connection with a self-signed SSL certificate to download sensible data (username and password) from a server.
This app is for private use only, it is not meant for production.
I'm using AFNetworking to manage the https connection but, since my certificate isn't signed from a CA, in order to make it work I had to add the following to the header of the AFURLConnectionOperation class:
#define _AFNETWORKING_ALLOW_INVALID_SSL_CERTIFICATES_ 1
But with this my app will allow any certificate.
Is there a way to allow only the certificate from my server maybe bundling it in the app and comparing it with the certificate provided by the server in the https connection? And if it were possible, would there be any significant advantage in terms of security?
I'm very new to security and I'm kind of confused.
The term you're looking for is SSL Pinning, where the app verifies that a known certificate or public key matches one presented by a remote server.
AFNetworking supports both pinning with certificates or public keys. You'll need to add the certificate(s) or public key(s) to your app's Bundle, and enable the feature by setting either the defaultSSLPinningMode property on AFHttpClient or the SSLPinningMode property on AFURLConnectionOperation.
You can pin using AFSSLPinningModePublicKey or AFSSLPinningModeCertificate. AFSSLPinningModeCertificate means that the server's certificate must exactly match one of those in the bundle.
AFSSLPinningModePublicKey is more liberal and means that the server's certificate must match for any public key in the bundle, or any public key attached to certificates in the bundle.
There's an example of setting the pinning mode in the AppDotNet example.
这篇关于如何使用 AFNetworking 比较 SSL 证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
