SSL套接字连接iOS [英] SSL Socket connection iOS
问题描述
我正在尝试建立与java运行SSLServerSocket的安全连接。
I am trying to setup a secure connection to a java run SSLServerSocket.
我已经创建了自己的根CA,并且已经签署了使用Java SSLServerSocket的证书这个证书。
I have created my own root CA, and have signed the certificate that the Java SSLServerSocket using this certificate.
我想将这个根证书添加到我的应用程序中,以便根证书签署的任何证书都能正常工作。
I want to add this root certificate to my app so that any certificate signed by the root certificate will work.
到目前为止,我通过将读取和写入流属性设置为此来使安全连接正常工作:
So far I have the secure connection working fine by setting the read and write stream properties to this:
NSDictionary *settings = [[NSDictionary alloc] initWithObjectsAndKeys:
(id)kCFStreamSocketSecurityLevelNegotiatedSSL, kCFStreamPropertySocketSecurityLevel,
[NSNumber numberWithBool:YES], kCFStreamSSLAllowsExpiredCertificates,
[NSNumber numberWithBool:YES], kCFStreamSSLAllowsExpiredRoots,
[NSNumber numberWithBool:NO], kCFStreamSSLValidatesCertificateChain,nil];
我将证书添加到钥匙串中,如下所示:
I add the certificate to the keychain like this:
-(void)addRootCert{
NSString* rootCertPath = [[NSBundle mainBundle] pathForResource:@"rootCA" ofType:@"der"];
NSData* rootCertData = [NSData dataWithContentsOfFile:rootCertPath];
OSStatus err = noErr;
SecCertificateRef rootCert = SecCertificateCreateWithData(kCFAllocatorDefault, (__bridge CFDataRef)rootCertData);
NSDictionary* dict = [NSDictionary dictionaryWithObjectsAndKeys:(__bridge_transfer id)kSecClassCertificate, kSecClass, rootCert, kSecValueRef, nil];
err = SecItemAdd((__bridge CFDictionaryRef) dict, NULL);
if (err == noErr) {
NSLog(@"Sucessfully added root certificate");
}else if (err == errSecDuplicateItem){
NSLog(@"Root certificate already exists");
}else{
NSLog(@"Root certificate add failed");
}
}
这很好,但我想验证证书链,以便我的应用程序只接受我的CA(或默认的受信任的)签名的证书
This is fine but I want to validate the certificate chain, so that my app only accepts certificates signed by my CA (or the default trusted ones)
我该怎么做?
如果我将 kCFStreamSSLValidatesCertificateChain 设置为是,我收到错误: CFNetwork SSLHandshake失败(-9807)但如果不是,那么谁签署服务器证书无关紧要,无论如何都会连接(我认为是对的?)
If I set kCFStreamSSLValidatesCertificateChain to yes, I get the error: CFNetwork SSLHandshake failed (-9807) but if it's no, it doesn't matter who signed the server certificate, it will connect regardless (I assume that's right?)
谢谢!
推荐答案
Technote 2232 ,HTTPS服务器信任评估,应该具备您需要的所有答案。有文档和几个如何评估服务器信任的示例。
Technote 2232, "HTTPS Server Trust Evaluation", should have all the answers you need. There is documentation and several examples of how to evaluate server trust.
这篇关于SSL套接字连接iOS的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
