ios9自簽名證書和應用程序運輸安全

Question

我花了一段時間試圖讓這個工作。我有一個連接到的API，我試圖使用自簽名證書切換到SSL。我有控制服務器和應用程序。

我根據這個生成的自簽名的證書：

https://kyup.com/tutorials/create-ssl-certificate-nginx/

sudo openssl genrsa -des3 -out ssl.key 2048 
sudo openssl req -new -key ssl.key -out ssl.csr 
sudo cp ssl.key ssl.key.orig & sudo openssl rsa -in ssl.key.orig -out ssl.key 
sudo openssl x509 -req -days 365 -in ssl.csr -signkey ssl.key -out ssl.crt 

我試過（NGINX）

ssl on; 
ssl_certificate /etc/nginx/ssl/ssl.crt; 
ssl_certificate_key /etc/nginx/ssl/ssl.key; 
ssl_session_timeout 5m; 
ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2; 
ssl_ciphers HIGH:!aNULL:!MD5; 
#ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"; 
ssl_prefer_server_ciphers on; 

服務器上的一些配置選項，並在客戶端上我已經嘗試了一些與ATS不同的選項：

<key>NSAppTransportSecurity</key> 
<dict> 
    <key>NSAllowsArbitraryLoads</key> 
    <true/> 
</dict> 

和

<key>NSAppTransportSecurity</key> 
<dict> 
    <key>NSAllowsArbitraryLoads</key> 
    <true/> 
    <key>NSExceptionDomains</key> 
    <dict> 
     <key>test.example.com (NOT REALLY MY DOMAIN)</key> 
     <dict> 
      <key>NSExceptionAllowsInsecureHTTPLoads</key> 
      <true/> 
     </dict> 
    </dict> 
</dict> 

和

<key>NSAppTransportSecurity</key> 
<dict> 
    <key>NSAllowsArbitraryLoads</key> 
    <true/> 
    <key>NSExceptionDomains</key> 
    <dict> 
     <key>test.example.com (NOT REALLY MY DOMAIN)</key> 
     <dict> 
      <key>NSExceptionAllowsInsecureHTTPLoads</key> 
      <true/> 
      <key>NSExceptionRequiresForwardSecrecy</key> 
      <false/> 
      <key>NSExceptionMinimumTLSVersion</key> 
      <string>TLSv1.1</string> 
     </dict> 
    </dict> 
</dict> 

根據不同的ATS選項我得到的錯誤：

An SSL error has occurred and a secure connection to the server cannot be made. 

或

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813) 
The certificate for this server is invalid. You might be connecting to a server that is pretending to be 「MYDOMAIN」 which could put your confidential information at risk. 

任何想法？任何人都與自簽名的證書掙扎？

P.S.我在OS X 10.11.2 Beta，Xcode 7.1.1上

Answer 1

我想出了這個問題。它與App Transport Security無關。我必須確保iOS信任證書，因爲它不是來自可信機構。

古老的學校通過重寫NSURLRequest.allowsAnyHTTPSCertificateForHost方法不起作用。

由於我使用NSURLSession你有這個做：

- (id) init { 
    self = [super init]; 
    NSURLSessionConfiguration * config = [NSURLSessionConfiguration defaultSessionConfiguration]; 
    self.session = [NSURLSession sessionWithConfiguration:config delegate:self delegateQueue:[NSOperationQueue mainQueue]]; 
    return self; 
} 

- (void) URLSession:(NSURLSession *)session didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential * _Nullable))completionHandler { 
    completionHandler(NSURLSessionAuthChallengeUseCredential,[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]); 
} 

Answer 2

只需要.CER添加到SecTrust

func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Swift.Void) { 

    if (challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust) { 
     if let trust = challenge.protectionSpace.serverTrust, 
      let pem = Bundle.main.path(forResource: "https", ofType: "cer"), 
      let data = NSData(contentsOfFile: pem), 
      let cert = SecCertificateCreateWithData(nil, data) { 
      let certs = [cert] 
      SecTrustSetAnchorCertificates(trust, certs as CFArray) 

      completionHandler(URLSession.AuthChallengeDisposition.useCredential, URLCredential(trust: trust)) 
      return 
     } 
    } 

    // Pinning failed 
    completionHandler(URLSession.AuthChallengeDisposition.cancelAuthenticationChallenge, nil) 
}