XMPPFramework - Connect via SSL on Openfire
Problem description
I'm trying to connect my users via SSL from my iOS XMPP chat client to Openfire server.
In my iOS client:
- (void)setupStream
{
    ...
    // BOOL values for security settings
    customCertEvaluation = NO;
    allowSelfSignedCertificates = YES;
    allowSSLHostNameMismatch = NO;
}
In my Openfire server's Security Settings > Client Connection Security, I've set:
Required - Clients may only connect to the server using secured connections.
Thus, the following delegate method will be called:
- (void)xmppStream:(XMPPStream *)sender willSecureWithSettings:(NSMutableDictionary *)settings
{
    NSString *expectedCertName = [xmppStream.myJID domain];
    if (customCertEvaluation)
        [settings setObject:@(YES) forKey:GCDAsyncSocketManuallyEvaluateTrust];
    if (allowSelfSignedCertificates)
        [settings setObject:[NSNumber numberWithBool:YES] forKey:(NSString *)kCFStreamSSLAllowsAnyRoot];
    if (allowSSLHostNameMismatch)
        [settings setObject:[NSNull null] forKey:(NSString *)kCFStreamSSLPeerName];
    else
        if (expectedCertName)
            [settings setObject:expectedCertName forKey:(NSString *)kCFStreamSSLPeerName];
}
I attempted this solution from this thread: XMPPFramework TLS/SSL connection with Openfire
However, when I run my application and attempt to connect to the server, I'd receive this error:
Security option unavailable - kCFStreamSSLAllowsAnyRoot - You must use manual trust evaluation
I looked through the GCDAsyncSocket class and realized kCFStreamSSLAllowsAnyRoot is stated as deprecated. An NSAssert was implemented to deliberately throw the error.
Next, I decided to change my BOOL values as such:
- (void)setupStream
{
    ...
    // BOOL values for security settings
    // Manually evaluate trust
    customCertEvaluation = YES;
    allowSelfSignedCertificates = NO;
    allowSSLHostNameMismatch = NO;
}
This time, again, no connection could be made to the server but, no error was prompted.
I could connect to Openfire fine if I changed the Client Connection Security back to the original setting > Optional. But, I wouldn't be connected via SSL as indicated by a lock icon beside every user's status in Client Sessions.
My Android client (using Smack API for XMPP) connects to Openfire via SSL without issues. So I'm wondering if there's a workaround I have to implement for my iOS client using XMPPFramework.
I'd greatly appreciate any suggestions.
Recommended answer
Explanation
In the latest version of XMPP (after April 22), you can no longer use allowSelfSignedCertificates = YES with the following:
if (allowSelfSignedCertificates)
    [settings setObject:[NSNumber numberWithBool:YES] forKey:(NSString *)kCFStreamSSLAllowsAnyRoot];
This is because kCFStreamSSLAllowsAnyRoot & SSLSetAllowsAnyRoot have been deprecated.
/*
* ==== The following UNAVAILABLE KEYS are: (with throw an exception)
* - kCFStreamSSLAllowsAnyRoot (UNAVAILABLE)
* You MUST use manual trust evaluation instead (see GCDAsyncSocketManuallyEvaluateTrust).
* Corresponding deprecated method: SSLSetAllowsAnyRoot
*/
See XMPPFramework/GCDAsyncSocket.h & Deprecated Secure Transport Functions.
-
Go to Openfire server > Security Settings > Client Connection Security
Check: Required - Clients may only connect to the server using secured connections.
Define variable in AppDelegate
BOOL customCertEvaluation;
Set variable in setupStream
- (void)setupStream
{
    ...
    customCertEvaluation = YES;
}
Set security settings in willSecureWithSettings
- (void)xmppStream:(XMPPStream *)sender willSecureWithSettings:(NSMutableDictionary *)settings
{
    /*
     * Properly secure your connection by setting kCFStreamSSLPeerName
     * to your server domain name
     */
    [settings setObject:xmppStream.myJID.domain forKey:(NSString *)kCFStreamSSLPeerName];
    /*
     * Use manual trust evaluation
     * as stated in the XMPPFramework/GCDAsyncSocket code documentation
     */
    if (customCertEvaluation)
        [settings setObject:@(YES) forKey:GCDAsyncSocketManuallyEvaluateTrust];
}
Validate peer manually
/*
 * This is only called if the stream is secured with settings that include:
 * - GCDAsyncSocketManuallyEvaluateTrust == YES
 * That is, if a delegate implements xmppStream:willSecureWithSettings:, and plugs in that key/value pair.
 */
- (void)xmppStream:(XMPPStream *)sender didReceiveTrust:(SecTrustRef)trust completionHandler:(void (^)(BOOL shouldTrustPeer))completionHandler
{
    /* Custom validation for your certificate on server should be performed */
    completionHandler(YES); // After this line, SSL connection will be established
}
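One way to perform the custom validation that the comment in didReceiveTrust calls for, as an added example that is not part of the original answer or of XMPPFramework: pin the Openfire server's self-signed certificate and let Security.framework evaluate the chain and host name against it. It assumes the certificate ships in the app bundle as openfire-server.der (a hypothetical file name) and that the app targets iOS 12 or later for SecTrustEvaluateWithError.

```objective-c
#import <Security/Security.h>

// Goes in the class that implements XMPPStreamDelegate (the AppDelegate on this page).
- (void)xmppStream:(XMPPStream *)sender didReceiveTrust:(SecTrustRef)trust
 completionHandler:(void (^)(BOOL shouldTrustPeer))completionHandler
{
    // Assumption: the server certificate is bundled, DER encoded, as
    // "openfire-server.der" (hypothetical name chosen for this example).
    NSString *path = [[NSBundle mainBundle] pathForResource:@"openfire-server" ofType:@"der"];
    NSData *pinnedData = path ? [NSData dataWithContentsOfFile:path] : nil;
    NSString *host = sender.myJID.domain;   // same name used for kCFStreamSSLPeerName
    SecCertificateRef pinned = pinnedData
        ? SecCertificateCreateWithData(NULL, (__bridge CFDataRef)pinnedData) : NULL;
    if (pinned == NULL || host == nil) {
        if (pinned != NULL) CFRelease(pinned);
        completionHandler(NO);               // fail closed: nothing to compare against
        return;
    }

    CFRetain(trust);                          // keep the trust object alive for the block
    dispatch_async(dispatch_get_global_queue(QOS_CLASS_USER_INITIATED, 0), ^{
        BOOL ok = NO;
        // SSL server policy: checks validity and that the certificate matches the host name.
        SecPolicyRef policy = SecPolicyCreateSSL(true, (__bridge CFStringRef)host);
        NSArray *anchors = @[ (__bridge id)pinned ];
        if (policy != NULL &&
            SecTrustSetPolicies(trust, policy) == errSecSuccess &&
            SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors) == errSecSuccess &&
            // Trust only the pinned certificate, not the system root store.
            SecTrustSetAnchorCertificatesOnly(trust, true) == errSecSuccess) {
            CFErrorRef error = NULL;
            ok = SecTrustEvaluateWithError(trust, &error);
            if (error != NULL) {
                NSLog(@"TLS trust evaluation failed: %@", (__bridge NSError *)error);
                CFRelease(error);
            }
        }
        if (policy != NULL) CFRelease(policy);
        CFRelease(pinned);
        CFRelease(trust);
        completionHandler(ok);                // NO aborts the TLS handshake
    });
}
```

When the server certificate is rotated, the bundled copy has to be updated with it, otherwise every connection attempt is rejected.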