Xamarin WKWebView接受自签名证书

Question

我在网上看到各种示例，说出如何接受它们，但我总是收到SSL错误，并且无法建立与服务器的安全连接。

我会注意到，该方法肯定是被调用的（在iOS 8.4模拟器和iOS 11实际设备上运行），因此未调用该方法不是这里的问题。

到目前为止，我已经尝试过（显然，我仅在开发中而不是在生产中使用此代码，等等等等）：

1：

public override void DidReceiveAuthenticationChallenge(WKWebView webView, NSUrlAuthenticationChallenge challenge, Action<NSUrlSessionAuthChallengeDisposition, NSUrlCredential> completionHandler) {
 completionHandler(NSUrlSessionAuthChallengeDisposition.UseCredential, new NSUrlCredential(serverTrust));
}

2：

public override void DidReceiveAuthenticationChallenge(WKWebView webView, NSUrlAuthenticationChallenge challenge, Action<NSUrlSessionAuthChallengeDisposition, NSUrlCredential> completionHandler) {
 completionHandler(NSUrlSessionAuthChallengeDisposition.UseCredential, NSUrlCredential.FromTrust(serverTrust));
}

3：

    public override void DidReceiveAuthenticationChallenge(WKWebView webView, NSUrlAuthenticationChallenge challenge, Action<NSUrlSessionAuthChallengeDisposition, NSUrlCredential> completionHandler) {
        SecTrust serverTrust = challenge.ProtectionSpace.ServerSecTrust;
        NSData exceptions = serverTrust.GetExceptions();
        serverTrust.SetExceptions(exceptions);
        exceptions.Dispose();
        completionHandler(NSUrlSessionAuthChallengeDisposition.UseCredential, NSUrlCredential.FromTrust(serverTrust));
    }

4：

    public override void DidReceiveAuthenticationChallenge(WKWebView webView, NSUrlAuthenticationChallenge challenge, Action<NSUrlSessionAuthChallengeDisposition, NSUrlCredential> completionHandler) {
        SecTrust serverTrust = challenge.ProtectionSpace.ServerSecTrust;    //TODO: Get the following working (currently we still receive SSL errors)
        NSData exceptions = serverTrust.GetExceptions();
        serverTrust.SetExceptions(exceptions);
        exceptions.Dispose();

        challenge.Sender.UseCredential(NSUrlCredential.FromTrust(serverTrust), challenge);
        completionHandler(NSUrlSessionAuthChallengeDisposition.UseCredential, NSUrlCredential.FromTrust(serverTrust));
    }

我究竟做错了什么？谢谢。

Answer 1

要支持自签名证书，您需要 做两件事：

1. 允许NSExceptionAllowsInsecureHTTPLoads在您的自签名域上
   • 即使您正在使用https，您的应用程序也被标记为存在信任问题
2. 绕过证书安全性检查

关于2的安全说明：为所有生产应用程序获取由CA颁发的证书，因为这将完全禁用您的域上的证书验证，从而允许进行MITM攻击，对应用程序进行DNS重定向欺骗等等。 cer并根据接收到的证书进行检查，但这仅意味着在MITM或DNS欺骗攻击中需要生成伪造的证书（各种漏洞利用工具包中已经存在的工具）

使用该https://badssl.com站点的示例：

WKNavigationDelegate：

public class NavigationDelegate : WKNavigationDelegate
{
    const string host = "self-signed.badssl.com";
    public override void DidReceiveAuthenticationChallenge(WKWebView webView, NSUrlAuthenticationChallenge challenge, Action<NSUrlSessionAuthChallengeDisposition, NSUrlCredential> completionHandler)
    {
        switch (challenge.ProtectionSpace.Host)
        {
            case host:
                using (var cred = NSUrlCredential.FromTrust(challenge.ProtectionSpace.ServerSecTrust))
                {
                    completionHandler.Invoke(NSUrlSessionAuthChallengeDisposition.UseCredential, cred);
                }
                break;
            default:
                completionHandler.Invoke(NSUrlSessionAuthChallengeDisposition.PerformDefaultHandling, null);
                break;
        }
    }
}

注意：将此类的实例分配给WKWebView实例的NavigationDelegate或WeakNavigationDelegate。

Info.plist NSAppTransportSecurity：

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>self-signed.badssl.com</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>