如何使用NSURLConnection与SSL连接以获得不受信任的证书?

最新推荐文章于 2022-01-12 11:05:09 发布
最新推荐文章于 2022-01-12 11:05:09 发布
阅读量779 收藏
点赞数
文章标签: ios objective-c https ssl-certificate app-transport-security
原文链接:https://oldbug.net/q/3unj/How-to-use-NSURLConnection-to-connect-with-SSL-for-an-untrusted-cert
版权

本文翻译自:How to use NSURLConnection to connect with SSL for an untrusted cert?

I have the following simple code to connect to a SSL webpage 我有以下简单的代码可以连接到SSL网页 

NSMutableURLRequest *urlRequest=[NSMutableURLRequest requestWithURL:url];
[ NSURLConnection sendSynchronousRequest: urlRequest returningResponse: nil error: &error ];

Except it gives an error if the cert is a self signed one Error Domain=NSURLErrorDomain Code=-1202 UserInfo=0xd29930 "untrusted server certificate". 如果证书是自签名的,则会给出一个错误, Error Domain=NSURLErrorDomain Code=-1202 UserInfo=0xd29930 "untrusted server certificate". Is there a way to set it to accept connections anyway (just like in a browser you can press accept) or a way to bypass it? 是否有一种方法可以将其设置为始终接受连接(就像在浏览器中可以按accept一样),还是可以绕过它?

#1楼

参考:https://stackoom.com/question/3unj/如何使用NSURLConnection与SSL连接以获得不受信任的证书

#2楼

If you want to keep using sendSynchronousRequest i work in this solution: 如果您想继续使用sendSynchronousRequest我可以在以下解决方案中工作: 

FailCertificateDelegate *fcd=[[FailCertificateDelegate alloc] init];

NSURLConnection *c=[[NSURLConnection alloc] initWithRequest:request delegate:fcd startImmediately:NO];
[c setDelegateQueue:[[NSOperationQueue alloc] init]];
[c start];    
NSData *d=[fcd getData];

you can see it here: Objective-C SSL Synchronous Connection 您可以在这里看到它: Objective-C SSL同步连接

#3楼

There is a supported API for accomplishing this! 有支持的API可以完成此任务! Add something like this to your NSURLConnection delegate: 在您的NSURLConnection委托中添加以下内容: 

- (BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace {
  return [protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust];
}

- (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
  if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust])
    if ([trustedHosts containsObject:challenge.protectionSpace.host])
      [challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust] forAuthenticationChallenge:challenge];

  [challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge];
}

Note that connection:didReceiveAuthenticationChallenge: can send its message to challenge.sender (much) later, after presenting a dialog box to the user if necessary, etc. 请注意, connection:didReceiveAuthenticationChallenge:可以在向用户显示对话框后(稍后)将其消息稍后发送给Challenge.sender(等等)。

#4楼

To complement the accepted answer, for much better security, you could add your server certificate or your own root CA certificate to keychain( https://stackoverflow.com/a/9941559/1432048 ), however doing this alone won't make NSURLConnection authenticate your self-signed server automatically. 为了补充已接受的答案,为了提高安全性,您可以将服务器证书或您自己的根CA证书添加到钥匙串( https://stackoverflow.com/a/9941559/1432048 ),但是仅执行此操作不会使NSURLConnection有效自动验证您的自签名服务器。 You still need to add the below code to your NSURLConnection delegate, it's copied from Apple sample code AdvancedURLConnections , and you need to add two files(Credentials.h, Credentials.m) from apple sample code to your projects. 您仍然需要将以下代码添加到您的NSURLConnection委托中,它是从Apple示例代码AdvancedURLConnections复制而来,并且您需要从Apple示例代码向您的项目添加两个文件(Credentials.h,Credentials.m)。 

- (BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace {
return [protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust];
}

- (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
//        if ([trustedHosts containsObject:challenge.protectionSpace.host])

    OSStatus                err;
    NSURLProtectionSpace *  protectionSpace;
    SecTrustRef             trust;
    SecTrustResultType      trustResult;
    BOOL                    trusted;

    protectionSpace = [challenge protectionSpace];
    assert(protectionSpace != nil);

    trust = [protectionSpace serverTrust];
    assert(trust != NULL);
    err = SecTrustEvaluate(trust, &trustResult);
    trusted = (err == noErr) && ((trustResult == kSecTrustResultProceed) || (trustResult == kSecTrustResultUnspecified));

    // If that fails, apply our certificates as anchors and see if that helps.
    //
    // It's perfectly acceptable to apply all of our certificates to the SecTrust
    // object, and let the SecTrust object sort out the mess.  Of course, this assumes
    // that the user trusts all certificates equally in all situations, which is implicit
    // in our user interface; you could provide a more sophisticated user interface
    // to allow the user to trust certain certificates for certain sites and so on).

    if ( ! trusted ) {
        err = SecTrustSetAnchorCertificates(trust, (CFArrayRef) [Credentials sharedCredentials].certificates);
        if (err == noErr) {
            err = SecTrustEvaluate(trust, &trustResult);
        }
        trusted = (err == noErr) && ((trustResult == kSecTrustResultProceed) || (trustResult == kSecTrustResultUnspecified));
    }
    if(trusted)
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust] forAuthenticationChallenge:challenge];
}

[challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge];
}

#5楼

I can't take any credit for this, but this one I found worked really well for my needs. 我对此一无所获, 但是我发现这对于我的需求来说确实非常有效。 shouldAllowSelfSignedCert is my BOOL variable. shouldAllowSelfSignedCert是我的BOOL变量。 Just add to your NSURLConnection delegate and you should be rockin for a quick bypass on a per connection basis. 只需添加到您的NSURLConnection委托中,您就可以在每个连接的基础上快速绕开。 

- (BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)space {
     if([[space authenticationMethod] isEqualToString:NSURLAuthenticationMethodServerTrust]) {
          if(shouldAllowSelfSignedCert) {
               return YES; // Self-signed cert will be accepted
          } else {
               return NO;  // Self-signed cert will be rejected
          }
          // Note: it doesn't seem to matter what you return for a proper SSL cert
          //       only self-signed certs
     }
     // If no other authentication is required, return NO for everything else
     // Otherwise maybe YES for NSURLAuthenticationMethodDefault and etc.
     return NO;
}

#6楼

You have to use NSURLConnectionDelegate to allow HTTPS connections and there are new callbacks with iOS8. 您必须使用NSURLConnectionDelegate来允许HTTPS连接,并且iOS8中有新的回调。

Deprecated: 不推荐使用: 

connection:canAuthenticateAgainstProtectionSpace:
connection:didCancelAuthenticationChallenge:
connection:didReceiveAuthenticationChallenge:

Instead those, you need to declare: 相反,您需要声明:

connectionShouldUseCredentialStorage: - Sent to determine whether the URL loader should use the credential storage for authenticating the connection. connectionShouldUseCredentialStorage: -发送以确定URL加载程序是否应使用凭据存储来验证连接。

connection:willSendRequestForAuthenticationChallenge: - Tells the delegate that the connection will send a request for an authentication challenge. connection:willSendRequestForAuthenticationChallenge: -告知委托人连接将发送身份验证质询的请求。

With willSendRequestForAuthenticationChallenge you can use challenge like you did with the deprecated methods, for example: 通过willSendRequestForAuthenticationChallenge您可以像使用不赞成使用的方法一样使用challenge ,例如: 

// Trusting and not trusting connection to host: Self-signed certificate
[challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust] forAuthenticationChallenge:challenge];
[challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge];
CHCH998
关注
how to properly setup security connection 1、iOS安全【 SSL证书验证, 让Charles再也无法抓你的请求数据】2、iOS逆向:【绕过证书校验】
iOS逆向与安全
08-12 1万+
效果: 经过appSSL证书验证之后,就是这样子,别人无法获取报文,除非服务器的证书信任Charles的证书前言1、目前采用的是AFSSLPinningModePublicKey 方式验证。 2、 若想采用AFSSLPinningModeCertificate方式验证,请提供正确的cer 证书使用AFSSLPinningModeCertificate 方式验证的时候,获取 DER 表示
NSURLConnection实现HTTPS(SSL)链接请求
u013030990的专栏
04-24 2205
最近检测APP应用的网络请求,发现HTTP方式的接口,请求的数据比较容易让不道德的人截取并加以利用。所以建议接口请求数据的方式还是使用HTTPS(SSL),相对的安全些。 在iOS中,使用NSURLConnection来请求HTTPS,就需要处理SSL认证,NSURLConnectionDelegate中定义了处理认证的方法:
网络:NSURLConnection 使用 HTTPS
CG-L 的技术博客
04-21 744
#import "ViewController.h"@interface ViewController ()<NSURLConnectionDelegate,NSURLConnectionDataDelegate>@end@implementation ViewController- (void)viewDidLoad { [super viewDidLoad]; // Do any
HttpsURLConnection实现SSL的GET/POST请求
qq_44894516的博客
04-11 654
HttpsURLConnection实现SSL的GET/POST请求
URLConnection同步,异步与SSL同步请求
Gabriel的专栏
06-20 4040
NSURLConnection同步,异步与SSL      同步请求         NSURL *url=[[NSURL alloc]initWithString:urlString]; NSMutableURLRequest  *request=[[NSMutableURLRequest alloc]init]; NSError *err=nil; NSData *data=[NS
PublicKeyPinningExample:使用NSURLConnection实现公钥SSL固定的示例
05-12
如果服务器公钥与预期不符,我们将不信任它,也将不会连接使用公钥比检查整个证书具有优势。 证书包含公共密钥,有关证书的信息以及其他密钥。 证书可以经常更改,而证书中的公钥更改的频率要少得多。 如果您...
IOS开发 支持https请求以及ssl证书配置详解
08-31
iOS开发中,为了保障应用的数据安全性和用户隐私,苹果公司自2017年起开始强制要求所有通过网络传输的数据必须使用HTTPS协议。...在实际开发过程中,还要注意及时更新SSL证书,避免因为证书过期导致的连接问题。
IOS,Android SSL双向认证HTTPS方式请求及配置证书
10-14
HTTPS是HTTP协议与SSL/TLS的结合,使得Web服务可以使用加密的连接进行数据传输。而双向认证(Mutual Authentication)则不仅要求服务器验证客户端的身份,同时客户端也需要验证服务器的身份,确保通信双方都是预期的...
Cocoa网络编程基础:NSURLConnectionNSURLSession
通过使用Cocoa框架提供的类和方法,开发者可以轻松地创建网络连接、发送和接收网络数据。 ## 1.2 网络编程在iOS/macOS开发中的重要性 随着移动应用和互联网服务的不断发展,网络编程在iOS和macOS开发中变得越来越...
HttpsURLConnection 跳过ssl访问https
gcno93的博客
01-12 1439
package com.gcno93.tls.nettyssl; import javax.net.ssl.*; import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; import java.io.OutputStreamWriter; import java.net.MalformedURLException; import java.net.Socket; import java.net
Java Web 学习笔记之七:HttpsURLConnection实现Https请求发送(基本用法)
johnson_moon的博客
12-11 1591
简单介绍HttpsURLConnection用法
使用HttpsURLConnection或httpclient访问https自签名(无效)证书
牟云飞的博客
03-06 2295
import java.io.BufferedInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.io.InputStream; import java.net.URL; import java.security.KeyManagementException; im...
java用HttpURLConnection发起HTTPS请求并跳过SSL证书
lianzhitiger的博客
02-23 9919
package com.ruoyi.common.utils.https; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import javax.net.ssl.HttpsURLConnection; import javax.net.ssl.SSLContext; import javax.net.ssl.TrustManager; import javax.net.ssl.X509TrustManager; import java
IOS HTTPS证书问题
Mamong's blog
04-25 2万+
本文节选自 https://gist.github.com/JacksonTian/5855751
https信任证书的三种方式
热门推荐
瑞军的博客
05-24 3万+
苦逼的我调试AFNetworking发送https请求的bug ---------调试了一个上午,终于解决了   证书信任的过程:   证书信任是通过代理的方式进行信任(NSURLConnectionNSURLSession两种方式进行信任) 客户端信任证书的过程: 1.当客户端要访问服务器的时候,服务器向客户端发送受保护的信任证书 2.客户端判断是否对客户端发送的证书进行信任,...
NSURLConnection
superyuan567的博客
02-15 2131
iOS中发送HTTP请求的方案 1.苹果原生 NSURLConnection:用法简单,最古老最经典的一种方案(坑比较多) NSURLSession:功能比NSURLConnection更加强大,苹果目前笔记推荐使用的技术(2013年推出) CFNetwork:纯C语言 2.第三方框架 ASIHttpRequest:早已停止更新 AFNetworking:简单易用,提供了基本够用的常用功能,维护和...
NSURLConnection sendSynchronousRequest 内存泄露
weixin_34318956的博客
01-29 182
2019独角兽企业重金招聘Python工程师标准>>> ...
iOS学习笔记(八)——iOS网络通信http之NSURLConnection
923723914
06-24 204
移动互联网时代,网络通信已是手机终端必不可少的功能。我们的应用中也必不可少的使用了网络通信,增强客户端与服务器交互。这一篇提供了使用NSURLConnection实现http通信的方式。 NSURLConnection提供了异步请求、同步请求两种通信方式。 1、异步请求 iOS5.0 SDK NSURLConnection类新增的sendAsynchronousRequest:...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值