XMPPFramework - Connect via SSL on Openfire


Question

I'm trying to connect my users via SSL from my iOS XMPP chat client to Openfire server.

In my iOS client:

- (void)setupStream 
{
    ...
    // BOOL values for security settings
    customCertEvaluation = NO;
    allowSelfSignedCertificates = YES;
    allowSSLHostNameMismatch = NO;
}

In my Openfire server's Security Settings > Client Connection Security, I've set:

Required - Clients may only connect to the server using secured connections.

Thus, the following delegate method will be called:

- (void)xmppStream:(XMPPStream *)sender willSecureWithSettings:(NSMutableDictionary *)settings 
{
    NSString *expectedCertName = [xmppStream.myJID domain];

    if (customCertEvaluation)
        [settings setObject:@(YES) forKey:GCDAsyncSocketManuallyEvaluateTrust];

    if (allowSelfSignedCertificates)
        [settings setObject:[NSNumber numberWithBool:YES] forKey:(NSString *)kCFStreamSSLAllowsAnyRoot];

    if (allowSSLHostNameMismatch)
        [settings setObject:[NSNull null] forKey:(NSString *)kCFStreamSSLPeerName];

    else
        if (expectedCertName)
            [settings setObject:expectedCertName forKey:(NSString *)kCFStreamSSLPeerName];
}

I attempted this solution from this thread: XMPPFramework TLS/SSL connection with Openfire

However, when I run my application and attempt to connect to the server, I'd receive this error:

Security option unavailable - kCFStreamSSLAllowsAnyRoot - You must use manual trust evaluation

I looked through the GCDAsyncSocket class and realized kCFStreamSSLAllowsAnyRoot is stated as deprecated. An NSAssert was implemented to deliberately throw the error.

Next, I decided to change my BOOL values as such:

- (void)setupStream 
{
    ...
    // BOOL values for security settings
    // Manually evaluate trust
    customCertEvaluation = YES;
    allowSelfSignedCertificates = NO;
    allowSSLHostNameMismatch = NO;
}

This time, again, no connection could be made to the server but, no error was prompted.

I could connect to Openfire fine if I changed the Client Connection Security back to the original setting > Optional. But, I wouldn't be connected via SSL as indicated by a lock icon beside every user's status in Client Sessions.

My Android client (using Smack API for XMPP) connects to Openfire via SSL without issues. So I'm wondering if there's a workaround I have to implement for my iOS client using XMPPFramework.

I'd greatly appreciate any suggestions.

Recommended answer

Explanation

In the latest version of XMPP (after April 22), you can no longer use allowSelfSignedCertificates = YES with the following:

if (allowSelfSignedCertificates)
    [settings setObject:[NSNumber numberWithBool:YES] forKey:(NSString *)kCFStreamSSLAllowsAnyRoot];

This is because kCFStreamSSLAllowsAnyRoot & SSLSetAllowsAnyRoot have been deprecated.

 /* 
  * ==== The following UNAVAILABLE KEYS are: (with throw an exception)
  * - kCFStreamSSLAllowsAnyRoot (UNAVAILABLE)
  *     You MUST use manual trust evaluation instead (see GCDAsyncSocketManuallyEvaluateTrust).
  *     Corresponding deprecated method: SSLSetAllowsAnyRoot
  */

See XMPPFramework/GCDAsyncSocket.h & Deprecated Secure Transport Functions


  1. Go to Openfire server > Security Settings > Client Connection Security

Check: Required - Clients may only connect to the server using secured connections.

Define variable in AppDelegate

BOOL customCertEvaluation;


  • Set variable in setupStream

    - (void)setupStream 
    {
        ...
        customCertEvaluation = YES;
    }
    


  • Set security settings in willSecureWithSettings

    - (void)xmppStream:(XMPPStream *)sender willSecureWithSettings:(NSMutableDictionary *)settings
    {
        /*
         * Properly secure your connection by setting kCFStreamSSLPeerName 
         * to your server domain name
         */
        [settings setObject:xmppStream.myJID.domain forKey:(NSString *)kCFStreamSSLPeerName];
    
        /*
         * Use manual trust evaluation
         * as stated in the XMPPFramework/GCDAsyncSocket code documentation
         */
        if (customCertEvaluation)
            [settings setObject:@(YES) forKey:GCDAsyncSocketManuallyEvaluateTrust];
    }
    


  • Validate peer manually

    /*
     * This is only called if the stream is secured with settings that include:
     * - GCDAsyncSocketManuallyEvaluateTrust == YES
     * That is, if a delegate implements xmppStream:willSecureWithSettings:, and plugs in that key/value pair.
     */
     - (void)xmppStream:(XMPPStream *)sender didReceiveTrust:(SecTrustRef)trust completionHandler:(void (^)(BOOL shouldTrustPeer))completionHandler
     {
         /* Custom validation for your certificate on server should be performed */
    
         completionHandler(YES); // After this line, SSL connection will be established
     }
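
For the manual validation step in the answer above, one way to check the server certificate rather than accept it unconditionally (an added example, not part of the original answer or of XMPPFramework): it pins a bundled copy of the Openfire certificate and checks the host name against the JID domain. The file name `openfire-ca.der`, ARC, and iOS 12+ (`SecTrustEvaluateWithError`) are assumptions; the method goes in the class that already implements the stream delegate.

```objective-c
#import <Security/Security.h>

// Added example: assumes ARC, iOS 12+ and a DER-encoded copy of the Openfire
// certificate (or its issuing CA) bundled as "openfire-ca.der" (hypothetical name).
- (void)xmppStream:(XMPPStream *)sender
   didReceiveTrust:(SecTrustRef)trust
 completionHandler:(void (^)(BOOL shouldTrustPeer))completionHandler
{
    NSString *host = sender.myJID.domain;
    NSString *path = [[NSBundle mainBundle] pathForResource:@"openfire-ca" ofType:@"der"];
    NSData *der = path ? [NSData dataWithContentsOfFile:path] : nil;
    SecCertificateRef anchor =
        der ? SecCertificateCreateWithData(NULL, (__bridge CFDataRef)der) : NULL;

    // Fail closed: without a host name or a pinned anchor there is nothing to verify against.
    if (host == nil || anchor == NULL) {
        if (anchor) CFRelease(anchor);
        completionHandler(NO);
        return;
    }

    CFRetain(trust); // keep the trust object alive until the background block finishes
    dispatch_async(dispatch_get_global_queue(QOS_CLASS_USER_INITIATED, 0), ^{
        BOOL trusted = NO;
        // SSL server policy bound to the expected host name (the JID domain).
        SecPolicyRef policy = SecPolicyCreateSSL(true, (__bridge CFStringRef)host);
        NSArray *anchors = @[ (__bridge id)anchor ];

        // Trust only the bundled certificate, not the system root store.
        if (SecTrustSetPolicies(trust, policy) == errSecSuccess &&
            SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors) == errSecSuccess &&
            SecTrustSetAnchorCertificatesOnly(trust, true) == errSecSuccess) {
            CFErrorRef error = NULL;
            trusted = SecTrustEvaluateWithError(trust, &error) ? YES : NO;
            if (error) {
                NSLog(@"TLS trust evaluation failed: %@", (__bridge NSError *)error);
                CFRelease(error);
            }
        }

        CFRelease(policy);
        CFRelease(anchor);
        CFRelease(trust);
        completionHandler(trusted); // NO rejects the peer and the connection is closed
    });
}
```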
    

