Notes on using HTTPS in iOS

Time: 2023-03-08 17:07:07

Read this article first. It covers what to watch out for when using AFNetworking for HTTPS, and it is very good: http://blog.cnbang.net/tech/2416/

Using HTTPS in iOS mainly comes down to using NSURLCredential. First, some essential official documentation:

NSURLCredential is an immutable object representing an authentication credential consisting of authentication information specific to the type of credential and the type of persistent storage to use, if any.

The URL loading system supports three types of credentials: password-based user credentials, certificate-based user credentials, and certificate-based server credentials (used when verifying the server’s identity).

When you create a credential, you can specify that it should be used for a single request, persisted temporarily (until your app quits), or persisted permanently (in the keychain).

Although there are many kinds of credentials, for URL loading there are only three!

So there are three creation methods:

+ credentialForTrust:
+ credentialWithUser:password:persistence:
+ credentialWithIdentity:certificates:persistence:

Also see the authentication section of the URL Session Programming Guide:

To attempt to authenticate, the application should create an NSURLCredential object with authentication information of the form expected by the server. You can determine the server’s authentication method by calling authenticationMethod on the protection space of the provided authentication challenge. Some authentication methods supported by NSURLCredential are:

HTTP basic authentication (NSURLAuthenticationMethodHTTPBasic) requires a user name and password. Prompt the user for the necessary information and create an NSURLCredential object with credentialWithUser:password:persistence:.


HTTP digest authentication (NSURLAuthenticationMethodHTTPDigest), like basic authentication, requires a user name and password. (The digest is generated automatically.) Prompt the user for the necessary information and create an NSURLCredential object with credentialWithUser:password:persistence:.


Client certificate authentication (NSURLAuthenticationMethodClientCertificate) requires the system identity and all certificates needed to authenticate with the server. Create an NSURLCredential object with credentialWithIdentity:certificates:persistence:.


Server trust authentication (NSURLAuthenticationMethodServerTrust) requires a trust provided by the protection space of the authentication challenge. Create an NSURLCredential object with credentialForTrust:.

After you’ve created the NSURLCredential object:

For NSURLSession, pass the object to the authentication challenge’s sender using the provided completion handler block.

For NSURLConnection and NSURLDownload, pass the object to the authentication challenge’s sender with useCredential:forAuthenticationChallenge:.

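When using AFNetworking 3.0, if you access an HTTPS address that uses a self-signed certificate, you are required to add the site's self-signed certificate to your project so that it can be used to validate the site's certificate. Without this certificate, you get the error: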

In order to validate a domain name for self signed certificates, you MUST use pinning.

The "pinning" here means certificate pinning: validation passes only when the certificate bundled in the client matches the server's certificate.

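AFNetworking 3.0 seems, by default, to search the app for all .cer files and pick the ones that match. There is also a way to specify the certificate explicitly: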

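    AFHTTPSessionManager *manager = [AFHTTPSessionManager manager];
    AFSecurityPolicy *securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate];
    // A self-signed certificate does not chain to a system root, so allow it here;
    // the server certificate is still checked against the pinned one set below.
    securityPolicy.allowInvalidCertificates = YES;

    // Pin the site's certificate (tomcat.cer, bundled with the app).
    NSString *certificatePath = [[NSBundle mainBundle] pathForResource:@"tomcat" ofType:@"cer"];
    NSData *certificateData = [NSData dataWithContentsOfFile:certificatePath];
    NSSet *certificateSet = [[NSSet alloc] initWithObjects:certificateData, nil];
    [securityPolicy setPinnedCertificates:certificateSet];
    manager.securityPolicy = securityPolicy;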

The purpose of doing this is security.

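The certificate validation of the system's built-in NSURLSession is not this strict. It hands more of the validation work to the programmer: if you do not call other functions yourself to strengthen validation, the system will not force you to!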
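An added example (not from the original post or from AFNetworking): one way to do the stricter check yourself with NSURLSession, answering the server-trust challenge with credentialForTrust: only when the chain validates against the bundled tomcat.cer. The class name PinningSessionDelegate is hypothetical; the code assumes ARC, iOS 12 or later, and a DER-encoded certificate file.

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical delegate class: pins the bundled tomcat.cer for an NSURLSession.
@interface PinningSessionDelegate : NSObject <NSURLSessionDelegate>
@end

@implementation PinningSessionDelegate

- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    // Only server-trust challenges are handled here; others get default handling.
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }
    SecTrustRef trust = space.serverTrust;
    NSString *path = [[NSBundle mainBundle] pathForResource:@"tomcat" ofType:@"cer"];
    NSData *pinnedData = path ? [NSData dataWithContentsOfFile:path] : nil;
    SecCertificateRef pinned = pinnedData
        ? SecCertificateCreateWithData(NULL, (__bridge CFDataRef)pinnedData) : NULL;
    if (trust == NULL || pinned == NULL) {
        // Fail closed: a missing or unparsable pin must never mean "accept anything".
        if (pinned) CFRelease(pinned);
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
        return;
    }
    // Validate the host name, and trust only the pinned certificate as an anchor.
    SecPolicyRef policy = SecPolicyCreateSSL(true, (__bridge CFStringRef)space.host);
    SecTrustSetPolicies(trust, policy);
    SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)@[(__bridge id)pinned]);
    SecTrustSetAnchorCertificatesOnly(trust, true);
    BOOL trusted = SecTrustEvaluateWithError(trust, NULL);
    CFRelease(policy);
    CFRelease(pinned);
    if (trusted) {
        completionHandler(NSURLSessionAuthChallengeUseCredential,
                          [NSURLCredential credentialForTrust:trust]);
    } else {
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
    }
}

@end
```

Pass an instance as the delegate when creating the session with sessionWithConfiguration:delegate:delegateQueue:.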