我有以下简单的代码来连接到一个 SSL 网页。
NSMutableURLRequest *urlRequest=[NSMutableURLRequest requestWithURL:url];
[ NSURLConnection sendSynchronousRequest: urlRequest returningResponse: nil error: &error ];
除非证书是自签名的,否则会产生错误:Error Domain=NSURLErrorDomain Code=-1202 UserInfo=0xd29930 "untrusted server certificate". 有没有办法设置它来接受连接(就像在浏览器中可以按接受一样),或者有什么方法可以绕过这个问题?
有支持这样做的API!将以下内容添加到您的NSURLConnection委托中:
- (BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace {
return [protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust];
}
- (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust])
if ([trustedHosts containsObject:challenge.protectionSpace.host])
[challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust] forAuthenticationChallenge:challenge];
[challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge];
}
connection:didReceiveAuthenticationChallenge: 可以在必要时向用户呈现对话框之后再将其消息发送到 challenge.sender(晚得多)。CFNetwork APIs的包装。他们最近引入了使用-setValidatesSecureCertificate: API允许使用自签名或不受信任的证书进行HTTPS连接的功能。如果您不想拉入整个库,可以使用源代码作为实现相同功能的参考。场景A:您连接到使用自签名证书的测试环境。
场景B:您正在使用MITM代理(如Burp Suite、Fiddler、OWASP ZAP等)代理HTTPS流量。代理将返回由自签名CA签名的证书,以便代理能够捕获HTTPS流量。
出于显而易见的原因,生产主机永远不应使用未经信任的证书。
如果您需要iOS模拟器接受未经信任的证书进行测试,则强烈建议您不要更改应用程序逻辑以禁用NSURLConnection API提供的内置证书验证。如果在删除此逻辑之前向公众发布应用程序,则该应用程序将容易受到中间人攻击。
接受未经信任的证书进行测试的推荐方法是将签署证书的证书颁发机构(CA)证书导入到iOS模拟器或iOS设备中。我写了一篇快速博客文章,演示了如何在iOS模拟器上做到这一点:
为了增强安全性,除了接受的答案外,您可以将服务器证书或自己的根CA证书添加到钥匙串中 (https://dev59.com/C2435IYBdhLWcg3wlRQf#9941559),但仅这样做不会使NSURLConnection自动验证您的自签名服务器。 您仍然需要将以下代码添加到您的NSURLConnection委托中,它是从苹果示例代码AdvancedURLConnections中复制的,并且需要将两个文件(Credentials.h、Credentials.m)从苹果示例代码添加到您的项目中。
- (BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace {
return [protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust];
}
- (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
// if ([trustedHosts containsObject:challenge.protectionSpace.host])
OSStatus err;
NSURLProtectionSpace * protectionSpace;
SecTrustRef trust;
SecTrustResultType trustResult;
BOOL trusted;
protectionSpace = [challenge protectionSpace];
assert(protectionSpace != nil);
trust = [protectionSpace serverTrust];
assert(trust != NULL);
err = SecTrustEvaluate(trust, &trustResult);
trusted = (err == noErr) && ((trustResult == kSecTrustResultProceed) || (trustResult == kSecTrustResultUnspecified));
// If that fails, apply our certificates as anchors and see if that helps.
//
// It's perfectly acceptable to apply all of our certificates to the SecTrust
// object, and let the SecTrust object sort out the mess. Of course, this assumes
// that the user trusts all certificates equally in all situations, which is implicit
// in our user interface; you could provide a more sophisticated user interface
// to allow the user to trust certain certificates for certain sites and so on).
if ( ! trusted ) {
err = SecTrustSetAnchorCertificates(trust, (CFArrayRef) [Credentials sharedCredentials].certificates);
if (err == noErr) {
err = SecTrustEvaluate(trust, &trustResult);
}
trusted = (err == noErr) && ((trustResult == kSecTrustResultProceed) || (trustResult == kSecTrustResultUnspecified));
}
if(trusted)
[challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust] forAuthenticationChallenge:challenge];
}
[challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge];
}
NSURLRequest有一个名为setAllowsAnyHTTPSCertificate:forHost:的私有方法,该方法将正好执行您想要的操作。您可以通过分类在NSURLRequest上定义allowsAnyHTTPSCertificateForHost:方法,并将其设置为针对您要覆盖的主机返回YES。
我对此无法负责,但是我找到的这个方法非常适合我的需求。 shouldAllowSelfSignedCert 是我的BOOL变量。只需添加到您的NSURLConnection委托中,您就可以在每个连接上快速绕过SSL检查。
- (BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)space {
if([[space authenticationMethod] isEqualToString:NSURLAuthenticationMethodServerTrust]) {
if(shouldAllowSelfSignedCert) {
return YES; // Self-signed cert will be accepted
} else {
return NO; // Self-signed cert will be rejected
}
// Note: it doesn't seem to matter what you return for a proper SSL cert
// only self-signed certs
}
// If no other authentication is required, return NO for everything else
// Otherwise maybe YES for NSURLAuthenticationMethodDefault and etc.
return NO;
}
Info.plist中通过在NSAppTransportSecurity字典中设置NSAllowsArbitraryLoads为YES来覆盖此行为。然而,我建议仅出于测试目的覆盖此设置。
有关信息,请参阅应用传输技术说明此处。
NSUrlConnection对象的情况下非常有用。其中一个例子是NSXMLParser,它将打开您提供的URL,但不会公开NSURLRequest或NSURLConnection。allowsAnyHTTPSCertificateForHost:方法。您必须使用NSURLConnectionDelegate以允许HTTPS连接,并且在iOS8中有新的回调函数。
不推荐使用:
connection:canAuthenticateAgainstProtectionSpace:
connection:didCancelAuthenticationChallenge:
connection:didReceiveAuthenticationChallenge:
需要声明以下内容:
connectionShouldUseCredentialStorage:- 用于确定URL加载器是否应使用凭据存储来验证连接。
connection:willSendRequestForAuthenticationChallenge:- 告诉代理将发送请求来进行身份验证。
使用 willSendRequestForAuthenticationChallenge,您可以像使用弃用的方法一样使用 challenge,例如:
// Trusting and not trusting connection to host: Self-signed certificate
[challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust] forAuthenticationChallenge:challenge];
[challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge];
-(void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge方法来替代。 - Andrew R.