Worklight开发需要签名的SSL证书吗? [英] Is a signed SSL certificate required for Worklight development?
问题描述
我正在使用Worklight 6.0版中的演示,我需要使用从iOS和Android到Worklight Server的SSL。
有什么方法可以使用Worklight服务器中的自签名或测试证书?或者我是否需要从其中一个标准CA购买证书,即使是测试/演示?
我已经看到了如何在Android系统中导入我的证书的参考信任商店,看起来很有前途,但我没有看到任何与iOS相同的东西。有许多本机代码解决方法(完全禁用SSL证书验证)以及关于哪个解决方案工作/不起作用的大量讨论(并且没有讨论我能找到的iOS 7上仍然有效的方法)。 / p>
将证书导入Android系统信任库是开发的最佳方法吗?
是否有一个简单的解决方案iOS允许自签名或测试证书不完全禁用证书检查?
好的。我没有找到通用答案,也没有找到接受特定证书的方法,但在iOS和Android上,可以禁用客户端证书验证以进行开发和测试。
在Android中,默认的Manifest 已经配置为忽略证书验证。默认情况下,AndroidManifest.xml中的Application元素具有以下属性:
android:debuggable =true
使用此设置,客户端不会验证服务器提供的SSL证书。所以在Android上,自签名证书默认工作。要记住的重要一点是,当您从开发转移到生产时,将此属性设置为false非常重要。当该属性设置为false时,客户端将验证服务器提供的证书,因此您将需要生产服务器的真实签名证书。 (有道理)
在iOS中,有几个建议的解决方案,我正在使用的是将以下内容添加到我的<结尾处。应用名称> .m文件:
@implementation NSURLRequest(DataController)
+(BOOL)allowAnyHTTPSCertificateForHost:(NSString * )主持人
{
返回YES;
}
@end
从我收集的信息来看,这是一个未发布的API ,并且覆盖它是不好的形式,但是它有效,而且仅用于开发,所以我将继续使用它。
I假设我可能很聪明,并且在盲目返回YES之前检查我的Worklight Server的主机名,但无论如何,添加上面的代码确实允许我的应用程序在工作光服务器上使用SSL和自签名证书。
在应用投入生产之前,需要删除这两个解决方案,因为它们使应用容易受到中间人攻击。但是对于开发/早期测试/演示,他们允许SSL而无需获得真正的签名证书。
I'm working on a demo in Worklight version 6.0 where I need to use SSL from iOS and Android to the Worklight Server.
Is there any way to use a self-signed or test certificate in the Worklight server? Or do I need to buy a certificate from one of the standard CAs even for test/demo?
I've seen references to how to import my certificate in the Android system trust store, and that looks promising, but I'm not seeing anything equivalent for iOS. There are a number of native code workarounds (which net out to disabling SSL certificate verification altogether) along with much discussion about which solution works/doesn't work (and no discussion of what still works on iOS 7 that I can find).
Is importing the certificate into the Android system truststore the best approach for development?
Is there a simple solution for iOS that allows for self-signed or test certificate that doesn't disable certificate checking entirely?
OK. I didn't find a general purpose answer, or a way to accept a particular certificate, but on iOS and Android, it is possible to disable client side certificate validation for development and test.
In Android, the default Manifest is already configured to ignore certificate validation. By default, the Application element in AndroidManifest.xml has an attribute:
android:debuggable="true"
With this setting, the client does not validate the SSL certificate presented by the server. So on Android, self-signed certs just work by default. The important thing to keep in mind is that when you move from development to production, it is important to set this attribute to false. When the attribute is set to false, the client validates the cert presented by the server, and so you will need a real signed cert for the production server. (makes sense)
In iOS, there are several proposed solutions, The one I'm using is to add the following to the end of my < App Name >.m file:
@implementation NSURLRequest(DataController)
+ (BOOL)allowsAnyHTTPSCertificateForHost:(NSString *)host
{
return YES;
}
@end
From what I gather, this is a unpublished API, and overriding it is bad form, but it works, and this is only for development, so I'm going with it.
I suppose I could be clever, and check for the hostname of my Worklight Server before blindly returning YES, but in any case, the addition of the code above does allow my app to use SSL with a self signed cert at the worklight server.
Both of these "solutions" need to be removed before the app is put into production, as they leave the app vulnerable to a man-in-the-middle attack. But for development/early test/demo they allow SSL without having to get real signed certificates.
这篇关于Worklight开发需要签名的SSL证书吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
