I'm trying to figure out what iOS' policy is when verifying certificates using Security.Framework regarding revocation of certificates.
I cannot find information about this in the docs for iOS.
In the context of an iPad project I'm working on at the moment, there is reason to demand checking revocation status for some certs. Anyone ideas on how to force CRL / OCSP checking during cert verification using Security.Framework? Or do I need to "fall back" to OpenSSL to accomplish this?
It seems that also on Mac OS X 10.6 CRL / OCSP checks are done optionally and have to be turned on manually through Keychain Access.
Martijn
解决方案
I have an answer to this question by Apple guys, I posted the full answer here:
To sum it up, there are several things to keep in mind for OCSP implementation on iOS:
OCSP policy cannot be configured at this moment
it works for the EV certificates only
high-level stuff, such as NSURLConnection or UIWebView use TLS security policy, which uses OCSP
SecTrustEvaluate is a blocking network operation
it works the "best attempt" - if OCSP server cannot be contacted, the trust evaluation will not fail
826
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
