上篇文章讲了iOS和服务器如何从官方机构请求CA证书进行https配置,这里我们来讲讲如何自建证书来配置https,针对AFNetworking网络框架和苹果自带框架NSURLConnection。
AFNetworking
1.把服务器给你的自签证的证书放入bundle一般是.cer文件
2.创建afnnetworking 安全策略对象,并设置发起请求manager的安全策略属性.设置了安全策略属性,afnnetworking会自动扫描bundl里的证书.
3.最坑的是 iOS9新出的App Transport Security 也就是要我们把所有请求从 HTTP改成HTTPS的家伙, 它竟然不认自签证的证书. 苹果大爷难道真是土豪惯了,以为我们开发者都会买ca的证书吗. 解决办法就是那里还是要设置在Info.plist中添加NSAppTransportSecurity类型Dictionary在NSAppTransportSecurity下添加NSAllowsArbitraryLoads类型 Boolean,值设为YES
NSString *cerPath = [[NSBundle mainBundle] pathForResource:@"https" ofType:@"cer"];
NSData *certData = [NSData dataWithContentsOfFile:cerPath];
//AFSSLPinningModeCertificate 使用证书验证模式
AFSecurityPolicy *securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate];
//allowInvalidCertificates 是否允许无效证书(也就是自建的证书),默认为NO
//如果是需要验证自建证书,需要设置为YES
securityPolicy.allowInvalidCertificates = YES;
securityPolicy.validatesDomainName = NO;
NSSet *set = [[NSSet alloc] initWithObjects:certData, nil];
securityPolicy.pinnedCertificates = set;
AFHTTPSessionManager *manager = [AFHTTPSessionManager manager];
manager.requestSerializer = [AFJSONRequestSerializer serializer];
manager.responseSerializer=[AFJSONResponseSerializer serializer];
manager.responseSerializer.acceptableContentTypes = [manager.responseSerializer.acceptableContentTypes setByAddingObject:@"text/html"];
[manager setSecurityPolicy:securityPolicy];
NSURLConnection
NSURLConnection 使用自签证证书支持HTTPS,只需要在实现NSURLConnection的代理方法即可. 参考GitHub JacksonTian
- (BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace{
return [protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust];
}
- (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
static CFArrayRef certs;
if (!certs) {
//创建证书data
NSData*certData =[NSData dataWithContentsOfFile:[[NSBundle mainBundle] pathForResource:@"HTTPS" ofType:@"cer"]];
SecCertificateRef rootcert = SecCertificateCreateWithData(kCFAllocatorDefault,CFBridgingRetain(certData));
const void *array[1] = { rootcert };
certs = CFArrayCreate(NULL, array, 1, &kCFTypeArrayCallBacks);
// CFRelease(rootcert); // for completeness, really does not matter
}
SecTrustRef trust = [[challenge protectionSpace] serverTrust];
int err;
SecTrustResultType trustResult = 0;
err = SecTrustSetAnchorCertificates(trust, certs);
if (err == noErr) {
err = SecTrustEvaluate(trust,&trustResult);
}
// BOOL trusted = (err == noErr) && ((trustResult == kSecTrustResultProceed)||(trustResult == kSecTrustResultConfirm) || (trustResult == kSecTrustResultUnspecified));
BOOL trusted = (err == noErr) && ((trustResult == kSecTrustResultProceed) || (trustResult == kSecTrustResultUnspecified));
if (trusted) {
[challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust] forAuthenticationChallenge:challenge];
}
else{
[challenge.sender cancelAuthenticationChallenge:challenge];
}
//CFRelease(trust);
}
