什么是kSecTrustResultRecoverableTrustFailure的原因? [英] What is the reason of kSecTrustResultRecoverableTrustFailure?
问题描述
我想通过一些额外的检查验证我的SSL服务器证书。有时我会得到一个
kSecTrustResultRecoverableTrustFailure
而不是
kSecTrustResultProceed
或 kSecTrustResultUnspecified
似乎如果
- md5散列(IOS5)
- 服务器不提供根证书和中间证书
-
SecTrustSetAnchorCertificatesOnly
已设置,并且锚点证书只在内置锚点证书中 - 证书已过期
这取决于用于评估信任的AppleX509TP策略。
我的问题是我不想信任链路是否失败,但我想信任如果使用MD5。
有没有办法找出为什么
另一种方法是从中提取
? CSSM_ALGID_MD5
SecCertificateRef
这可能是服务器证书问题....
检查此处
a>,我解决了我的 kSecTrustResultRecoverableTrustFailure 问题,将 subjectAltName = DNS:example.com
添加到openssl配置文件, 如果你不使用openssl来生成它,对不起,但我可以帮助你..无论如何,如果你想使用openssl,这里是一个很好的教程,生成这些键,然后与您自己的根证书颁发机构签署
在本教程中,我只是将openssl服务器配置文件更改为:
[server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment,dataEncipherment
extendedKeyUsage = serverAuth
nsCertType = server
subjectAltName = IP:10.0.1.5,DNS:office.totendev.com
希望它有帮助!
EDITED:
我的服务器评估代码:
#pragma mark - SERVER Auth Helper
//用challenge验证服务器证书
+(BOOL)validateServerWithChallenge:(NSURLAuthenticationChallenge *)challenge {
//获取服务器信任管理对象一个锚点对象来验证
SecTrustSetAnchorCertificates([challenge.protectionSpace serverTrust],(__bridge CFArrayRef)[self allowedCAcertificates]);
//设置为服务器信任管理对象以允许分配给它的锚定对象(ABOVE),并禁用苹果CA信任
SecTrustSetAnchorCertificatesOnly([challenge.protectionSpace serverTrust],YES);
//尝试评估它
SecTrustResultType evaluateResult = kSecTrustResultInvalid; // evaluate result
OSStatus sanityCheck = SecTrustEvaluate([challenge.protectionSpace serverTrust],& evaluateResult);
//检查没有求值错误
if(sanityCheck == noErr){
//检查结果
if([[self class] validateTrustResult:evaluateResult]){return是; }
}
// deny!
return NO;
}
//验证SecTrustResulType
+(BOOL)validateTrustResult:(SecTrustResultType)result {
switch(result){
case kSecTrustResultProceed:{TDLog(kLogLevelHandshake,nil ,@kSecTrustResultProceed); return YES; }
break;
case kSecTrustResultConfirm:{TDLog(kLogLevelHandshake,nil,@kSecTrustResultConfirm); return YES; }
break;
case kSecTrustResultUnspecified:{TDLog(kLogLevelHandshake,nil,@kSecTrustResultUnspecified); return YES; }
break;
case kSecTrustResultDeny:{TDLog(kLogLevelHandshake,nil,@kSecTrustResultDeny); return YES; }
break;
case kSecTrustResultFatalTrustFailure:{TDLog(kLogLevelHandshake,nil,@kSecTrustResultFatalTrustFailure); return NO; }
break;
case kSecTrustResultInvalid:{TDLog(kLogLevelHandshake,nil,@kSecTrustResultInvalid); return NO; }
break;
case kSecTrustResultOtherError:{TDLog(kLogLevelHandshake,nil,@kSecTrustResultOtherError); return NO; }
break;
case kSecTrustResultRecoverableTrustFailure:{TDLog(kLogLevelHandshake,nil,@kSecTrustResultRecoverableTrustFailure); return NO; }
break;
default:{TDLog(kLogLevelHandshake,nil,@unkown certificate evaluate result type!denying ...); return NO; }
break;
}
}
希望现在有帮助:)!
I'd like to validate my ssl server certificates with some extra checks. And sometimes I get a
kSecTrustResultRecoverableTrustFailure
instead of
kSecTrustResultProceed
orkSecTrustResultUnspecified
It seems to happen if
- the certificate is md5 hashed (IOS5)
- the server does not present the root and intermediate certificates
- the
SecTrustSetAnchorCertificatesOnly(trust,YES)
is set and the anchor certificate is only in the built in anchor certificates - the certificate is expired
- ?
It depends on the AppleX509TP policy used to evaluate the trust.
My problem is I do not want to trust if the chain fails, but I want to trust if MD5 is used.
Is there a way to find out why the evaluation failed?
As an alternative is there a way to extract the CSSM_ALGID_MD5
from a SecCertificateRef
?
It may be a server certificate problem....
Check here, I solved my kSecTrustResultRecoverableTrustFailure problem, adding subjectAltName = DNS:example.com
into openssl config file, specifically in server key generation...
If you are not using openssl to generate it, I'm sorry but I can help you.. Anyway if you want to use openssl, here is a good tutorial to generate those keys and sign then with your own root certificate authority.
From this tutorial, I just changed my openssl server config file to:
[ server ] basicConstraints = critical,CA:FALSE keyUsage = digitalSignature, keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth nsCertType = server subjectAltName = IP:10.0.1.5,DNS:office.totendev.com
Hope it helps !
EDITED:
My Server evaluation code:
#pragma mark - SERVER Auth Helper
//Validate server certificate with challenge
+ (BOOL)validateServerWithChallenge:(NSURLAuthenticationChallenge *)challenge {
//Get server trust management object a set anchor objects to validate it
SecTrustSetAnchorCertificates([challenge.protectionSpace serverTrust], (__bridge CFArrayRef)[self allowedCAcertificates]);
//Set to server trust management object to JUST ALLOW those anchor objects assigned to it (ABOVE), and disable apple CA trusts
SecTrustSetAnchorCertificatesOnly([challenge.protectionSpace serverTrust], YES);
//Try to evalute it
SecTrustResultType evaluateResult = kSecTrustResultInvalid; //evaluate result
OSStatus sanityCheck = SecTrustEvaluate([challenge.protectionSpace serverTrust], &evaluateResult);
//Check for no evaluate error
if (sanityCheck == noErr) {
//Check for result
if ([[self class] validateTrustResult:evaluateResult]) { return YES ; }
}
//deny!
return NO ;
}
//Validate SecTrustResulType
+ (BOOL)validateTrustResult:(SecTrustResultType)result {
switch (result) {
case kSecTrustResultProceed: { TDLog(kLogLevelHandshake,nil,@"kSecTrustResultProceed"); return YES ; }
break;
case kSecTrustResultConfirm: { TDLog(kLogLevelHandshake,nil,@"kSecTrustResultConfirm"); return YES ; }
break;
case kSecTrustResultUnspecified: { TDLog(kLogLevelHandshake,nil,@"kSecTrustResultUnspecified"); return YES ; }
break;
case kSecTrustResultDeny: { TDLog(kLogLevelHandshake,nil,@"kSecTrustResultDeny"); return YES ; }
break;
case kSecTrustResultFatalTrustFailure: { TDLog(kLogLevelHandshake,nil,@"kSecTrustResultFatalTrustFailure"); return NO ; }
break;
case kSecTrustResultInvalid: { TDLog(kLogLevelHandshake,nil,@"kSecTrustResultInvalid"); return NO ; }
break;
case kSecTrustResultOtherError: { TDLog(kLogLevelHandshake,nil,@"kSecTrustResultOtherError"); return NO ; }
break;
case kSecTrustResultRecoverableTrustFailure: { TDLog(kLogLevelHandshake,nil,@"kSecTrustResultRecoverableTrustFailure"); return NO ; }
break;
default: { TDLog(kLogLevelHandshake,nil,@"unkown certificate evaluate result type! denying..."); return NO ; }
break;
}
}
Hope now it helps :) !
这篇关于什么是kSecTrustResultRecoverableTrustFailure的原因?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!