I've spent a while trying to get this working. I have an API that I'm connecting to that I'm trying to switch to SSL with self-signed certificates. I have control over both the server and the app.
I generated a self signed cert according to this:
https://kyup.com/tutorials/create-ssl-certificate-nginx/
# 2048-bit RSA key, passphrase-protected (-des3)
sudo openssl genrsa -des3 -out ssl.key 2048
# certificate signing request for that key
sudo openssl req -new -key ssl.key -out ssl.csr
# keep the encrypted original, then strip the passphrase so nginx can start unattended
sudo cp ssl.key ssl.key.orig && sudo openssl rsa -in ssl.key.orig -out ssl.key
# self-sign the CSR with the same key, valid for one year
sudo openssl x509 -req -days 365 -in ssl.csr -signkey ssl.key -out ssl.crt

I've tried some config options on the server (NGINX):
ssl on;
ssl_certificate /etc/nginx/ssl/ssl.crt;
ssl_certificate_key /etc/nginx/ssl/ssl.key;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
#ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
ssl_prefer_server_ciphers on;

And on the client side I've tried some different options with ATS:
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

and

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
        <key>test.example.com</key> <!-- NOT REALLY MY DOMAIN -->
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>

and

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
        <key>test.example.com</key> <!-- NOT REALLY MY DOMAIN -->
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.1</string>
        </dict>
    </dict>
</dict>

Depending on the ATS options I get different errors:
An SSL error has occurred and a secure connection to the server cannot be made.

or

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
The certificate for this server is invalid. You might be connecting to a server that is pretending to be "MYDOMAIN" which could put your confidential information at risk.

Any ideas? Has anyone else struggled with self-signed certs?
P.S. I'm on OS X 10.11.2 Beta, Xcode 7.1.1
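Added example (editor's code, not from the poster or the linked tutorial): a shell script that does the certificate generation from the question in one non-interactive step, then runs the checks worth doing before touching the client at all: that the key and certificate belong together, that the certificate carries a subjectAltName for the hostname, and that it verifies when it is itself the trust anchor. That last check is the crux for self-signed certificates: an ATS exception only relaxes ATS's own policy (minimum TLS version, forward secrecy requirement, plain HTTP); it never adds a trust anchor, so kCFStreamErrorDomainSSL -9813 (errSSLNoRootCert, chain does not end in a trusted root) persists until the device trusts the certificate or the app evaluates it in its URLSession delegate. The script also writes an nginx fragment with TLS 1.2 and ECDHE cipher suites only, which is what ATS expects by default and which drops the SSLv2/SSLv3 entries from the config in the question. The hostname `test.example.com`, the output directory `./ssl-out` and all function names are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates a self-signed
# server certificate non-interactively (with a subjectAltName), checks that
# the key and certificate belong together, verifies the certificate the way a
# client that trusts it would, and writes an nginx TLS fragment that enables
# TLS 1.2 only with ECDHE cipher suites.
set -eu

# Assumptions for the example (not from the post): hostname and output dir.
HOST="${HOST:-test.example.com}"
OUTDIR="${OUTDIR:-./ssl-out}"

# Minimal OpenSSL config so 'openssl req' needs no prompts and emits a SAN.
# Using -config keeps this working on OpenSSL 1.0.x as well as 1.1.x/3.x.
write_openssl_cnf() {
    mkdir -p "$OUTDIR"
    cat > "$OUTDIR/openssl.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_server
[dn]
CN = $HOST
[v3_server]
subjectAltName = DNS:$HOST
extendedKeyUsage = serverAuth
EOF
}

# One step replaces the genrsa/req/x509 sequence from the post: an unencrypted
# 2048-bit RSA key (-nodes, so nginx starts without a passphrase) and a
# SHA-256 self-signed certificate valid for one year.
gen_selfsigned() {
    write_openssl_cnf
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$OUTDIR/openssl.cnf" \
        -keyout "$OUTDIR/ssl.key" -out "$OUTDIR/ssl.crt" 2>/dev/null
    chmod 600 "$OUTDIR/ssl.key"
}

# The public key derived from the private key must equal the one in the cert.
key_matches_cert() {
    [ "$(openssl pkey -in "$OUTDIR/ssl.key" -pubout)" = \
      "$(openssl x509 -in "$OUTDIR/ssl.crt" -pubkey -noout)" ]
}

# A self-signed cert verifies only with itself as the trust anchor. A client
# has to be given that anchor explicitly; an ATS exception does not do it.
cert_verifies_against_itself() {
    openssl verify -CAfile "$OUTDIR/ssl.crt" "$OUTDIR/ssl.crt" >/dev/null 2>&1
}

# Hostname check: the SAN must carry the name the client connects to.
cert_has_san() {
    openssl x509 -in "$OUTDIR/ssl.crt" -noout -text | grep -q "DNS:$HOST"
}

# SHA-256 fingerprint, to compare with what the device shows or to pin on.
cert_fingerprint() {
    openssl x509 -in "$OUTDIR/ssl.crt" -noout -fingerprint -sha256
}

# nginx fragment: TLS 1.2 only, ECDHE (forward secrecy) AEAD suites, no SSL 2/3.
write_nginx_ssl_conf() {
    cat > "$OUTDIR/ssl.conf" <<EOF
ssl_certificate     $OUTDIR/ssl.crt;
ssl_certificate_key $OUTDIR/ssl.key;
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
ssl_session_timeout 5m;
EOF
}

gen_selfsigned
key_matches_cert
cert_verifies_against_itself
cert_has_san
cert_fingerprint
write_nginx_ssl_conf
echo "wrote $OUTDIR/ssl.crt, $OUTDIR/ssl.key and $OUTDIR/ssl.conf"
```

Run it, point `ssl_certificate`/`ssl_certificate_key` at the generated files (or include `ssl.conf` in the `server` block), then test from a machine that has been told to trust the certificate, e.g. `openssl s_client -connect host:443 -servername host -CAfile ssl-out/ssl.crt`. If that handshake verifies but the app still reports -9813, the remaining problem is on the client: the device or the app has not been given the certificate as a trust anchor.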