IBM MobileFirst certificate pinning best practices


Problem description

We are developing an IBM MobileFirst 7.1 Hybrid mobile application, and planning to use the certificate pinning feature.

We can find information on the IBM website about SSL certificate pinning on the IBM MobileFirst website: here is a post in the IBM Knowledge Center, and here is a tutorial and its sample project/code.

All these resources are great, but I have some questions:


  • Are there any advantages to using the native certificate pinning implementation for Android and iOS when my application is a hybrid application?
  • If I use the hybrid environment code, will the SSL certificate be included in the wlapp, and can it then be updated using Direct Update?
  • Does the hybrid implementation of certificate pinning work on Windows Phone 8 (hybrid app for the Silverlight environment)?
  • In the tutorial video, I have seen that when SSL pinning is ON and we call a URL outside our server (Google, for example), it will fail. Does this mean Google Maps will fail to load if I enable certificate pinning?
  • What happens when the SSL certificate is revoked?
  • What happens when the SSL certificate is expired?
  • What is the best SSL renewal strategy to keep certificate pinning working and the application up while updating our server SSL certificate?

Please advise.

Recommended answer


Are there any advantages to using the native certificate pinning implementation for Android and iOS when my application is a hybrid application?

You can always write your own code that does the pinning, or use 3rd party Cordova plug-ins. But none of those assure you the level of support you get by using the provided functionality. Note that you are then limited to the functionality provided (for example, certificate pinning by MobileFirst is restricted to a single destination host and not multiple).


If I use the hybrid environment code, will the SSL certificate be included in the wlapp, and can it then be updated using Direct Update?

You need to have the certificate in both the client and the server. You do not need to use Direct Update to update the certificate on the client.

The way it works is that you need to only update the certificate on the server, but you must maintain the same public key in case you do update it.


Does the hybrid implementation of certificate pinning work on Windows Phone 8 (hybrid app for the Silverlight environment)?

As mentioned in the documentation, certificate pinning supports only: "native iOS, native Android, and hybrid iOS or hybrid Android"


In the tutorial video, I have seen that when SSL pinning is ON and we call a URL outside our server (Google, for example), it will fail. Does this mean Google Maps will fail to load if I enable certificate pinning?

The pinning relates only to requests that are bound to the MobileFirst Server and not to other services.


What happens when the SSL certificate is revoked?

Requests that are bound to the MobileFirst Server will fail.


What happens when the SSL certificate is expired?

Requests that are bound to the MobileFirst Server will fail.


What is the best SSL renewal strategy to keep certificate pinning working and the application up while updating our server SSL certificate?

Because you only need to update the certificate on the server, you only need to make sure to keep using the same public key as before.
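
The renewal condition in the answer above (the renewed certificate must keep the same public key), as an added example that is not part of the original answer or of IBM's code: a pre-deployment check that compares the public key of the current certificate with that of a renewal. The file names, the CN `mfp.example.test`, the self-signed certificates standing in for CA-issued ones, and the choice of comparing a SHA-256 over the SubjectPublicKeyInfo are assumptions of this example, not MobileFirst's documented mechanism.

```shell
#!/bin/sh
# Added example: check that a renewed server certificate keeps the public key
# of the certificate it replaces. File names and the CN are constructed.

# Print the SHA-256 (hex) of a certificate's public key (SubjectPublicKeyInfo).
spki_sha256() {
  pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  printf '%s\n' "$pub" | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Exit 0 only if both files parse and carry the same public key; an
# unreadable file is never treated as a match.
same_public_key() {
  a=$(spki_sha256 "$1") || return 2
  b=$(spki_sha256 "$2") || return 2
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# issue <key> <days> <out>: self-signed stand-in for a CA-issued certificate.
issue() {
  openssl req -x509 -new -key "$1" -days "$2" \
    -subj "/CN=mfp.example.test" -out "$3" 2>/dev/null
}

# Build constructed samples: the current certificate, a renewal that reuses
# its key, and a renewal issued on a freshly generated key.
make_samples() {
  dir=$(mktemp -d) || return 1
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1
  openssl genrsa -out "$dir/fresh.key" 2048 2>/dev/null || return 1
  issue "$dir/server.key" 30 "$dir/current.pem" || return 1
  issue "$dir/server.key" 365 "$dir/renewed_same_key.pem" || return 1
  issue "$dir/fresh.key" 365 "$dir/renewed_new_key.pem" || return 1
  echo "$dir"
}

d=$(make_samples) || { echo "openssl sample generation failed" >&2; exit 1; }
for c in renewed_same_key renewed_new_key; do
  if same_public_key "$d/current.pem" "$d/$c.pem"; then
    echo "$c: same public key as current.pem"
  else
    echo "$c: public key differs from current.pem, same-key condition not met"
  fi
done
rm -rf "$d"
```

For a real renewal, the key is only preserved when the certificate signing request is generated from the existing private key, and `same_public_key` would be run on the deployed certificate and the certificate returned by the CA.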
