Are self-signed SSL certs really inapplicable with Phonegap client apps?


Question

The question addresses two fields: SSL certificates in general and Phonegap/Cordova related capabilities.

At first let me briefly describe our case: we're creating a simple system consisting of a mobile app written in Phonegap (a client) and an HTTP(S) server with a RESTful API. Some confidential data should be transferred back and forth. The client should be authenticated with two-legged OAuth as well.

The system is closed, i.e. we're not planning to expand it to more than that single desktop app, it's about to be configured once and work continuously.

For some reasons, however, we can't put these things in a closed network to use just pure HTTP.

So, I guess, HTTPS is the only way.

Now, the problems are:

  1. The Phonegap Security Guide states that there is no point in using HTTPS if it uses a self-signed certificate as opposed to one issued by a CA.

  2. On the other hand, Clint Harris explains in his answer that self-signed certs are perfectly valid, if we distribute them on our own.

  3. One additional problem is that Phonegap won't allow you to perform such AJAX calls to the RESTful API via HTTPS - the only way is to enable the debug mode or simply hack it.

That's why we're totally confused.

After all, which approach - 1 or 2 - is valid/applicable in our closed-system case and how can we solve the last (3) problem? Also, any additional explanation would be appreciated.

Recommended answer


  • Self-signed certificates are valid from a security point of view only if you implement certificate pinning.

  • In Cordova you don't have the ability to implement certificate pinning because Android doesn't give you access to it.

In conclusion, the easier and safer way is to use a certificate already trusted by the system.
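
What the certificate pinning named in the answer actually checks, as an added example that is not part of the original answer or of Phonegap/Cordova: the client ships the SHA-256 fingerprint of the server's certificate and accepts a connection only when the presented certificate hashes to a shipped pin. It is written for Node.js with the standard library only; the function names are hypothetical and the "certificates" are constructed byte strings standing in for DER data.

```javascript
const crypto = require('crypto');

// Decode a PEM certificate block into its DER bytes; reject anything malformed.
function pemToDer(pem) {
  const m = /-----BEGIN CERTIFICATE-----([A-Za-z0-9+/=\s]+)-----END CERTIFICATE-----/.exec(pem);
  if (!m) throw new Error('not a PEM certificate');
  return Buffer.from(m[1].replace(/\s+/g, ''), 'base64');
}

// Pin value: SHA-256 over the whole DER-encoded certificate, as raw bytes.
function fingerprint(der) {
  return crypto.createHash('sha256').update(der).digest();
}

// True only if the presented certificate matches one of the pins shipped with
// the app. Several pins allow rotation: ship the next certificate's pin first,
// then switch the server over.
function isPinned(presentedPem, pinnedHexList) {
  let der;
  try {
    der = pemToDer(presentedPem);
  } catch (e) {
    return false; // fail closed on unparsable input
  }
  const got = fingerprint(der);
  let ok = false;
  for (const hex of pinnedHexList) {
    const pin = Buffer.from(hex, 'hex');
    // timingSafeEqual throws on a length mismatch, so compare lengths first.
    if (pin.length === got.length && crypto.timingSafeEqual(pin, got)) ok = true;
  }
  return ok;
}

// Constructed sample data (assumption): plain bytes stand in for DER certificates.
function toPem(der) {
  const b64 = der.toString('base64').match(/.{1,64}/g).join('\n');
  return `-----BEGIN CERTIFICATE-----\n${b64}\n-----END CERTIFICATE-----\n`;
}
const ourCert = toPem(Buffer.from('constructed stand-in for our self-signed certificate'));
const otherCert = toPem(Buffer.from('constructed stand-in for a certificate we never shipped'));
const pins = [fingerprint(pemToDer(ourCert)).toString('hex')];

console.log('our certificate accepted:', isPinned(ourCert, pins));
console.log('unknown certificate accepted:', isPinned(otherCert, pins));
```

In a real client the DER bytes come from the peer certificate of the TLS handshake, and the connection is dropped when the check returns false.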
