我想通过一些额外的检查来验证我的ssl服务器证书.有时我会得到一个
kSecTrustResultRecoverableTrustFailure
代替
kSecTrustResultProceed 要么 kSecTrustResultUnspecified
似乎发生了
SecTrustSetAnchorCertificatesOnly(trust,YES)
设置和锚证书只是在内置的锚证书这取决于用于评估信任的AppleX509TP策略.
我的问题是如果链失败我不想信任,但我想相信如果使用MD5.
有没有办法找出评估失败的原因?
作为一种替代方法是有一种方法CSSM_ALGID_MD5从一个SecCertificateRef?
我把Apache Server使用的.cer证书放在Xcode项目中.当应用程序尝试与服务器通信时,我在Xcode中收到此错误:
Assertion failure in id AFPublicKeyForCertificate(NSData *__strong)(),
/Users/../ProjectName/AFNetworking/AFSecurityPolicy.m:52
*** Terminating app due to uncaught exception 'NSInternalInconsistencyException',
reason: 'Invalid parameter not satisfying: allowedCertificate'
以下是调用服务器的代码:
AFHTTPRequestOperationManager *manager = [AFHTTPRequestOperationManager manager];
manager.responseSerializer = [AFJSONResponseSerializer serializer];
[self setSecurityPolicy:[AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey]];
[manager POST:@"https://www.example.com/" parameters:params success:^(AFHTTPRequestOperation *operation, id responseObject) {
//success
} failure:^(AFHTTPRequestOperation *operation, NSError *error) {
//failure
}];
我没有运气将固定模式更改为AFSSLPinningModeCertificate.
当我删除这一行:
[self setSecurityPolicy:[AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey]];
服务器响应错误消息:
"The operation couldn't be completed. (NSURLErrorDomain error -1012.)"
证书是使用OpenSSL创建的,我甚至尝试过StartSSL.com的免费证书
至于Apache Server端,这里是虚拟主机配置:
# My custom host
<VirtualHost *:443>
ServerName www.example.com
DocumentRoot "/path/to/folder" …