[英]Overriding TLS server validation hostname doesn't seem to be working
I'm trying to connect my app to a development server that has a server certificate with the wrong hostname, but it is signed by a trusted anchor certificate. 我正在尝试将我的应用程序连接到具有服务器证书且主机名错误的开发服务器,但该服务器由受信任的锚证书签名。 When I evaluate the server trust object, it fails as expected.
当我评估服务器信任对象时,它会按预期失败。 I am trying to change the trust evaluation policy for the server's hostname, but it doesn't seem to help.
我正在尝试更改服务器主机名的信任评估策略,但似乎无济于事。
// In -connection:willSendRequestForAuthenticationChallenge:
// NSURLAuthenticationMethodServerTrust
SecTrustRef trust = [challenge.protectionSpace serverTrust];
SecTrustResultType trustResult;
SecTrustEvaluate(trust, &trustResult);
// trustResult == kSecTrustResultRecoverableTrustFailure
SecPolicyRef policyOverride = SecPolicyCreateSSL(true, (CFStringRef)@"devhost");
CFArrayRef policies = (CFArrayRef)@[policyOverride];
SecTrustSetPolicies(trust, policies);
CFRelease(policyOverride);
SecTrustEvaluate(trust, &trustResult);
// trustResult == kSecTrustResultRecoverableTrustFailure
As far as I understand, the second time I call SecTrustEvaluate(), it should be returning kSecTrustResultUnspecified
. 据我了解,我第二次调用SecTrustEvaluate(),它应该返回
kSecTrustResultUnspecified
。 I have connected to the dev server using "devhost" when I initialized the NSURLConnection, and challenge.protectionSpace.host == @"devhost"
as well. 初始化NSURLConnection时,我已经使用“ devhost”连接到开发服务器,并且也
challenge.protectionSpace.host == @"devhost"
。 What am I doing wrong here? 我在这里做错了什么?
I was using the wrong host name in the call to SecPolicyCreateSSL
. 我在对
SecPolicyCreateSSL
的调用中使用了错误的主机名。
When using SecPolicyCreateSSL
to override hostname validation, the hostname argument should be one that matches the certificate you're validating. 使用
SecPolicyCreateSSL
覆盖主机名验证时,hostname参数应为与要验证的证书匹配的参数。 Then the validation pretends that the host you're communicating with has the newly specified hostname. 然后,验证将假设您正在与之通信的主机具有新指定的主机名。
In my case, the server has a certificate for "*.mydomain.tld", so I call 在我的情况下,服务器具有“ * .mydomain.tld”的证书,因此我打电话给
SecPolicyCreateSSL(true, (CFStringRef)@"devhost.mydomain.tld");
and then the certificate chain can be successfully validated. 然后可以成功验证证书链。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.