A small pitfall I just hit configuring an HTTPS certificate with AFN

The project uses YTKNetwork. When configuring the HTTPS certificate I wrote:

YTKNetworkConfig *config = [YTKNetworkConfig sharedConfig];
config.baseUrl = RootUrl;
NSString *cerPath = [[NSBundle mainBundle] pathForResource:@"xxx" ofType:@"cer"]; // path to the certificate in the app bundle
NSData *certData = [NSData dataWithContentsOfFile:cerPath];
config.securityPolicy.pinnedCertificates = [NSSet setWithObject:certData];
config.securityPolicy.allowInvalidCertificates = YES;
config.securityPolicy.validatesDomainName = YES;

This was simply copied from the settings of the old AFN wrapper, whose code looked like this:

NSString *cerPath = [[NSBundle mainBundle] pathForResource:@"xxx" ofType:@"cer"];
NSData *certData = [NSData dataWithContentsOfFile:cerPath];
// Note the explicit pinning mode here: this is what the YTKNetwork version lost.
AFSecurityPolicy *securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey];
securityPolicy.allowInvalidCertificates = YES;
securityPolicy.validatesDomainName = YES;
[securityPolicy setPinnedCertificates:[NSSet setWithObject:certData]];
manager.securityPolicy = securityPolicy;

When the project ran, every API call failed and this error was printed:
In order to validate a domain name for self signed certificates, you MUST use pinning.
This message is logged inside AFN's AFSecurityPolicy class:

- (BOOL)evaluateServerTrust:(SecTrustRef)serverTrust
                  forDomain:(NSString *)domain
{
    if (domain && self.allowInvalidCertificates && self.validatesDomainName && (self.SSLPinningMode == AFSSLPinningModeNone || [self.pinnedCertificates count] == 0)) {
        // https://developer.apple.com/library/mac/documentation/NetworkingInternet/Conceptual/NetworkingTopics/Articles/OverridingSSLChainValidationCorrectly.html
        //  According to the docs, you should only trust your provided certs for evaluation.
        //  Pinned certificates are added to the trust. Without pinned certificates,
        //  there is nothing to evaluate against.
        //
        //  From Apple Docs:
        //          "Do not implicitly trust self-signed certificates as anchors (kSecTrustOptionImplicitAnchors).
        //           Instead, add your own (self-signed) CA certificate to the list of trusted anchors."
        NSLog(@"In order to validate a domain name for self signed certificates, you MUST use pinning.");
        return NO;
    }
    // ... the remaining checks (chain validation, certificate / public key pinning) are omitted here
}

The cause is that, set up this way, the SSLPinningMode property keeps its default value AFSSLPinningModeNone, which is exactly what the failing condition tests for. So these three properties
allowInvalidCertificates
validatesDomainName
SSLPinningMode
constrain each other: if the first two are both YES, SSLPinningMode cannot stay at the default AFSSLPinningModeNone (and pinnedCertificates must not be empty), otherwise the first if in that evaluation method fires and every request is rejected.
The check is there for a good reason: allowInvalidCertificates = YES switches off the system's certificate chain validation, so without pinning there would be nothing left to verify the server against, and a self-signed certificate from anyone on the path would be accepted. With pinning enabled, the pinned certificate or public key becomes the only thing the app checks, so the pinned set must actually be loaded from the bundle.
That's it!
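Below is an added example (my own code, not from the original post or from YTKNetwork/AFNetworking) showing the broken configuration next to a working one, plus a small helper that mirrors the first guard of evaluateServerTrust:forDomain: so the misconfiguration is caught at launch instead of on the first request. RootUrl (assumed to be an NSString) and the "xxx.cer" file name are taken from the post; the function names ConfigureYTKNetworkPinning and PolicyWillRejectEveryDomain are my own.

```objc
#import <Foundation/Foundation.h>
#import <AFNetworking/AFNetworking.h>
#import <YTKNetwork/YTKNetwork.h>

// Mirrors the first guard in -[AFSecurityPolicy evaluateServerTrust:forDomain:]:
// with a domain, allowInvalidCertificates == YES and validatesDomainName == YES,
// the policy rejects everything unless a pinning mode and pinned certs are set.
static BOOL PolicyWillRejectEveryDomain(AFSecurityPolicy *policy, NSString *domain) {
    return domain != nil
        && policy.allowInvalidCertificates
        && policy.validatesDomainName
        && (policy.SSLPinningMode == AFSSLPinningModeNone
            || policy.pinnedCertificates.count == 0);
}

// Example configuration; RootUrl is assumed to be an NSString base URL.
static void ConfigureYTKNetworkPinning(void) {
    YTKNetworkConfig *config = [YTKNetworkConfig sharedConfig];
    config.baseUrl = RootUrl;

    // Load the DER-encoded certificate shipped in the app bundle.
    NSString *cerPath = [[NSBundle mainBundle] pathForResource:@"xxx" ofType:@"cer"];
    NSData *certData = cerPath ? [NSData dataWithContentsOfFile:cerPath] : nil;
    // Fail loudly: with an empty pinned set, allowInvalidCertificates == YES
    // would leave nothing to verify the server against.
    NSCAssert(certData.length > 0, @"xxx.cer missing from bundle; refusing to run without a pinned certificate");

    // Wrong (what the post started with): config.securityPolicy is the default
    // policy, whose SSLPinningMode is AFSSLPinningModeNone, so the guard above
    // fires and every request fails with the "you MUST use pinning" log line.
    //   config.securityPolicy.pinnedCertificates = [NSSet setWithObject:certData];
    //   config.securityPolicy.allowInvalidCertificates = YES;
    //   config.securityPolicy.validatesDomainName = YES;

    // Right: build a policy with an explicit pinning mode and a non-empty
    // pinned set, then hand it to YTKNetwork.
    AFSecurityPolicy *policy =
        [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey
                         withPinnedCertificates:[NSSet setWithObject:certData]];
    // Only needed for a self-signed server certificate. It disables the system
    // chain check, so the pinned public key is now the only defence against a
    // man-in-the-middle; leave it NO when the server uses a CA-issued cert.
    policy.allowInvalidCertificates = YES;
    policy.validatesDomainName = YES;

    // Catch the combination the post tripped over before any request is sent.
    NSString *host = [NSURL URLWithString:RootUrl].host;
    NSCAssert(!PolicyWillRejectEveryDomain(policy, host),
              @"allowInvalidCertificates + validatesDomainName require a pinning mode and pinned certs");

    config.securityPolicy = policy;
}
```

Call ConfigureYTKNetworkPinning() once at app start, before any YTKRequest is issued. AFSSLPinningModeCertificate works the same way but compares the whole certificate, so it also needs a bundle update whenever the server certificate is renewed; public-key pinning survives a renewal that keeps the same key pair.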

A related article on iOS HTTPS security policy:
https://www.imooc.com/article/254196
