使用NSURLConnection的应用程序的iPhone自定义CA证书?
[英]iPhone Custom CA certificate for an application which uses NSURLConnection?
问题描述
I have an application which is communicating with many different sites and each site has its own SSL certificate signed by our own internal CA. 
我有一个与许多不同站点通信的应用程序,每个站点都有自己的SSL证书,由我们自己的内部CA签名。 Doing this prevents us the need from purchasing SSL certificates for each site (hundreds or thousands) and is more secure then using a wildcard certificate with a shared key on each of those sites. 这样做可以防止我们为每个站点购买SSL证书(数百或数千),并且在每个站点上使用带有共享密钥的通配符证书时更安全。 So, basically using a CA certificate is the only way. 因此,基本上使用CA证书是唯一的方法。
Right now, I have a mobileprovision file which will install the CA certificate as a profile on the phone. 现在,我有一个mobileprovision文件,它将CA证书作为配置文件安装在手机上。 When our iPhone application launches if it gets an SSL Certificate error it redirects to a this mobile provision file via Safari and the user will be prompted to install the CA. 如果我们的iPhone应用程序在获得SSL证书错误时启动,它将通过Safari重定向到此移动配置文件,系统将提示用户安装CA.
The problem is that I am concerned that the Apple AppStore might deny my app for doing this (Just some feedback from other developers at this point), and I wanted to research other ways to accomplish this. 问题是我担心Apple AppStore可能会拒绝我的应用程序(此时只是来自其他开发人员的一些反馈),我想研究其他方法来实现这一目标。
Basically what I need to accomplish is allow an SSL connection which will verify against a custom CA certificate which will be embedded in my application. 基本上我需要完成的是允许SSL连接,该连接将验证将嵌入我的应用程序中的自定义CA证书。 This will make the CA certificate active for only the calls I make. 这将使CA证书仅对我拨打的电话有效。 I am using the standard NSURLConnection methods in order to communicate with the service. 我使用标准的NSURLConnection方法来与服务进行通信。
Is this possible? 这可能吗? Can someone show me how to load the CA (what form PEM?) and add it to the list of trusted CA certificates for my application? 有人可以告诉我如何加载CA(PEM的形式是什么?)并将其添加到我的应用程序的可信CA证书列表中? If that is not possible what other options do I have? 如果那是不可能的,我还有其他选择吗? Just trusting all certificates isn't really any option, we want to prevent man in the middle attacks and only trust our CA issued certificates. 只是信任所有证书并不是真正的选择,我们希望防止中间人攻击并且只信任我们的CA颁发的证书。
Thanks! 谢谢!
1 个解决方案
解决方案1
1 2010-09-29 13:00:46
Use the below two delegate method of NSURLConnection to access any site with invalid certificate 使用NSURLConnection的以下两个委托方法访问具有无效证书的任何站点
- (BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace
{
NSLog(@"canAuthenticateAgainstProtectionSpace");
if([[protectionSpace authenticationMethod] isEqualToString:NSURLAuthenticationMethodServerTrust]) {
// Note: this is presently only called once per server (or URL?) until
// you restart the app
NSLog(@"Authentication checking is doing");
return YES; // Self-signed cert will be accepted
// Note: it doesn't seem to matter what you return for a proper SSL cert
// only self-signed certs
}
return NO;
}
- (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
NSLog(@"didReceiveAuthenticationChallenge");
if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust])
{
[challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust] forAuthenticationChallenge:challenge];
NSLog(@"chalenging protection space authentication checking");
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.