我在这里看到了一些问题,但没有一个对我有帮助。人们解决的问题主要是重新生成服务器证书:kSecTrustResult RecoverableTrustFailure 的原因是什么? https://stackoverflow.com/questions/7715426/what-is-the-reason-of-ksectrustresultrecoverabletrustfailure/8937798#8937798
假设我需要使用自签名证书与服务器建立 https 连接。我没有来自服务器的任何内部数据例如它的私钥。例如服务器是https://www.pcwebshop.co.uk/ https://www.pcwebshop.co.uk/
据我了解,我可以将客户端证书捆绑到应用程序中并使用它进行验证。我对吗?我可以在没有来自服务器的任何内部数据的情况下获得有效的客户端证书吗?
我在这里用谷歌搜索了一个教程http://www.indelible.org/ink/trusted-ssl-certificates http://www.indelible.org/ink/trusted-ssl-certificates
这是我获取客户端证书的方法
openssl s_client \
-showcerts -connect "${HOST}:443" </dev/null 2>/dev/null | \
openssl x509 -outform DER >"../resources/${HOST}.der"
这是代码(几乎没有改变):
- (BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace
{
return [protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust];
}
- (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
if ([self shouldTrustProtectionSpace:challenge.protectionSpace]) {
[challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]
forAuthenticationChallenge:challenge];
} else {
[challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
}
}
- (BOOL)shouldTrustProtectionSpace:(NSURLProtectionSpace *)protectionSpace
{
// load up the bundled certificate
NSString *certPath = [[NSBundle mainBundle] pathForResource:protectionSpace.host ofType:@"der"];
if (certPath == nil)
return NO;
OSStatus status;
NSData *certData = [[NSData alloc] initWithContentsOfFile:certPath];
CFDataRef certDataRef = (__bridge_retained CFDataRef)certData;
SecCertificateRef cert = SecCertificateCreateWithData(NULL, certDataRef);
// establish a chain of trust anchored on our bundled certificate
CFArrayRef certArrayRef = CFArrayCreate(NULL, (void *)&cert, 1, NULL);
SecTrustRef serverTrust = protectionSpace.serverTrust;
status = SecTrustSetAnchorCertificates(serverTrust, certArrayRef);
// status == 0
// verify that trust
SecTrustResultType trustResult;
status = SecTrustEvaluate(serverTrust, &trustResult);
// status == 0
CFRelease(certArrayRef);
CFRelease(cert);
CFRelease(certDataRef);
return trustResult == kSecTrustResultUnspecified;
}
trustResult 始终是 kSecTrustResult RecoverableTrustFailure。
我究竟做错了什么?谢谢。
UPDATE:好的,我发现原因是“服务器的证书与URL不匹配”。
是否可以通过忽略服务器证书的 URL(主机名)来从客户端解决问题?