在 iOS 13 上为 WebSocket over TLS 信任自签名证书
[英]Trust self-signed certificates on iOS 13 for WebSocket over TLS
问题描述
I have an iOS application running on iOS 13.3 device (iPhone XR) that launches a local websocket server listening on 127.0.0.1:9002 inside my app using Swift NIO Transport Services.
我有一个在 iOS 13.3 设备(iPhone XR)上运行的 iOS 应用程序,它使用 Swift NIO 传输服务启动一个本地 websocket 服务器,在我的应用程序内侦听 127.0.0.1:9002。
I have a self-signed certificate I use to set up the TLS options within Swift NIO.我有一个自签名证书,用于在 Swift NIO 中设置 TLS 选项。 This certificate matches the requirements specified by Apple here : Requirements for trusted certificates in iOS 13 and macOS 10.15 .此证书符合 Apple 在此处指定的要求: iOS 13 和 macOS 10.15 中受信任证书的要求。 The Root CA is explicitly trusted on my device and respects also the requirements.根 CA 在我的设备上被明确信任并且也遵守这些要求。
Inside my app, I load a WKWebView that displays the website : https://www.websocket.org/echo.html .在我的应用程序中,我加载了一个显示网站的 WKWebView: https ://www.websocket.org/echo.html。
When I try to connect to : wss://127.0.0.1:9002, I always get the same error :当我尝试连接到:wss://127.0.0.1:9002 时,我总是遇到相同的错误:
WebSocket network error: The operation couldn't be completed.
Which in the Security framework stands for :在安全框架中代表:
errSSLXCertChainInvalid
I'd like to point out that everything works fine when I try the same steps without TLS.我想指出,当我在没有 TLS 的情况下尝试相同的步骤时,一切正常。
Any idea what am I doing wrong with my certificates ?知道我的证书有什么问题吗? I am struggling with it since a couple of days.几天以来我一直在努力解决它。 Thanks.谢谢。
EDIT: I found the cause of my problem, I forgot to add the full correct chain of certificate on the server side, thus the client could not verify correctly the identity of the server because I had only the server certificate and not the entire certificate chain including the intermediate certificate and the root CA.编辑:我找到了问题的原因,我忘记在服务器端添加完整正确的证书链,因此客户端无法正确验证服务器的身份,因为我只有服务器证书而不是整个证书链包括中间证书和根 CA。
1 个解决方案
解决方案1
0 2020-05-02 16:32:32
I created a package to handle sockets written in Obj-C for iOS, and it takes into account the latest TLS restrictions that Apple has imposed (which is the problem you are running into).我创建了一个包来处理用 Obj-C 编写的用于 iOS 的套接字,它考虑了 Apple 施加的最新 TLS 限制(这是您遇到的问题)。 Check out the github page for my helper class, there is a lot of good info about how to create the certificates correctly given the new restrictions.查看我的助手类的 github 页面,有很多关于如何在新限制的情况下正确创建证书的好信息。 If you don't, you won't be able to make a handshake.如果你不这样做,你将无法握手。
https://github.com/eamonwhiter73/IOSObjCWebSockets/tree/master https://github.com/eamonwhiter73/IOSObjCWebSockets/tree/master
Also, specifically - with your error, it is recognizing that the certificate "chain" (CA->intermediate CA->server certificate) is invalid.此外,特别是 - 由于您的错误,它认识到证书“链”(CA-> 中间 CA-> 服务器证书)无效。 Any part of that chain could be causing the problem, and if you aren't using an intermediate CA to sign the server certificate, it also might not work - I never really tested to that point.该链的任何部分都可能导致问题,如果您不使用中间 CA 来签署服务器证书,它也可能无法正常工作 - 我从未真正测试过。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.