SSL Pinning with AFNetworking


Problem description


In my app I'm using https and a self-signed SSL certificate to secure the connection between my client and the server.

I was trying to have the AFNetworking library do SSL Pinning on a copy of my certificate bundled in the app.

In the AFURLConnectionOperation header I defined both:

#define _AFNETWORKING_ALLOW_INVALID_SSL_CERTIFICATES_ =1
#define _AFNETWORKING_PIN_SSL_CERTIFICATES_ =1

And before calling the start on my AFJSONRequestOperation I set the SSLPinningMode property to AFSSLPinningModeCertificate.

But when trying to perform a JSON request I keep getting the following error:

Error Domain=NSURLErrorDomain Code=-1012 "The operation couldn’t be completed. 
(NSURLErrorDomain error -1012.)" UserInfo=0x758f120 
{NSErrorFailingURLKey=https://mydomain.com,
NSErrorFailingURLStringKey=https://mydomain.com}

In the AFURLConnectionOperation header I read that the SSL Pinning works with .cer certificates but in my self-hosted OS X webserver I have a .crt certificate.

Is this the problem? Is there a way to make AFNetworking work with .crt?

On a Windows box I converted my .crt to .cer and tried to bundle that into my app but I still get the same error. Should I try to switch the .crt file with the newly created .cer even on the server side?

Solution

I got it working.

I was in the situation where I had created a self-signed cert to hit my own server API from my iOS App. I created my cert with OpenSSL. When I was done creating it, I had several files, one of which was "server.crt". Initially, I tried just renaming it to "server.cer", and using "AFSSLPinningModeCertificate" for my AFURLConnectionOperation objects. That did not work, and I noticed the example uses "AFSSLPinningModePublicKey", so I tried that, still no luck.

So I compared my file (that was the renamed ".crt" file) to his.
I noticed that "server.crt" was base64-encoded, and like this:

-----BEGIN CERTIFICATE-----
394230AFDFD... 
-----END CERTIFICATE-----

I noticed from Mattt's example in AFNetworking that the "adn.cer" file he uses is not base64-encoded. It is just raw bytes. So, I did this:

$ base64 -D -i ./server.crt -o ./server.cer

I set my AFURLConnectionOperation to AFSSLPinningModePublicKey.
I put that back in the project and did a clean and build of my iOS project, and everything worked fine.

Hope this helps!!

Btw, you may notice that Xcode will display info for your ".crt" or ".cer" key whether it is the base64 or the raw one, so don't let that confuse you. You should be able to see the certificate data in either case, it's just that AF will only accept the raw (non-base64) one.

UPDATE:
Anyone having trouble with base64, this is what works for me on OS X using OpenSSL:

$ openssl base64 -d -in ./server.crt -out ./server.cer
