如何处理不受信任的服务 URL?
Posted
技术标签:
【中文标题】如何处理不受信任的服务 URL?【英文标题】:How to proceed with a service URL which is untrusted? 【发布时间】:2012-07-26 15:18:45 【问题描述】:我正在使用服务器上的 Web 服务,但证书无效,但我还是想得到响应。 有办法吗?? 这是示例代码:
-(void)createHttpHeaderRequest:(serviceType)type
NSMutableURLRequest * theRequest;
if (type==kServiceTypeTopAccessory)
NSString * test = @"\"GetVehicleInventory\": \"ApplicationArea\": some Json object here";
NSString * final = (__bridge NSString *) CFURLCreateStringByAddingPercentEscapes(kCFAllocatorDefault, (__bridge CFStringRef)test, NULL, CFSTR(":/?#[]@!$&'()*+,;=\""), kCFStringEncodingUTF8);
NSString * sampleReq = [NSString stringWithFormat:@"https://myuntrutsedServer?XML_INPUT=%@",final];
// NSString * final = [sampleReq stringByAddingPercentEscapesUsingEncoding:NSASCIIStringEncoding];
NSLog(@"JSON:%@",sampleReq);
theRequest = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:sampleReq]];
NSLog(@"Request:%@",theRequest);
self.theConnection = [[NSURLConnection alloc]initWithRequest:theRequest delegate:self];
if (self.theConnection)
NSLog(@"Service hit");
-(BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace
return [protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust];
- (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
[challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge];
-(void)connection:(NSURLConnection *)connection didFailWithError:(NSError *)error
NSLog(@"Error%@",error);
- (void)connection:(NSURLConnection *)connection didReceiveResponse:(NSURLResponse *)response
NSLog(@"Reached here");
我在 didFailWithError 方法中收到此错误:NSLocalizedDescription=此服务器的证书无效。您可能正在连接到伪装成“209.112.58.126”的服务器,这可能会使您的机密信息面临风险。,NSUnderlyingError=0x6877b40“此服务器的证书无效。您可能正在连接到伪装成的服务器是“209.112.58.126”,这可能会使您的机密信息面临风险。", NSURLErrorFailingURLPeerTrustErrorKey=
谢谢,
【问题讨论】:
连接到这些站点是一个巨大的安全风险,除非您只有这个站点的一个例外,并且只有这个站点。如果没有,假设这是分布式的,很多人会很痛苦 【参考方案1】:我通过这样做修复了它:
- (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
[challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust] forAuthenticationChallenge:challenge];
享受!!!
【讨论】:
这些提到的委托方法没有被调用..我不知道我已经导入 /* NSURLConnectionDelegate */【参考方案2】:这是我从 Apple 的 AdvancedURLConnections 示例代码中提取的:
if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust])
// Verify certificate:
SecTrustResultType trustResult;
OSStatus status = SecTrustEvaluate(challenge.protectionSpace.serverTrust, &trustResult);
BOOL trusted = (status == errSecSuccess) && ((trustResult == kSecTrustResultProceed) || (trustResult == kSecTrustResultUnspecified));
if (trusted)
[challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]
forAuthenticationChallenge:challenge];
else
if (user_wants_to_trust_invalid_certificates)
[challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]
forAuthenticationChallenge:challenge];
else
[challenge.sender cancelAuthenticationChallenge:challenge];
else
[challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
注意:正如 mbm30075 正确指出的那样,此代码进入
connection:didReceiveAuthenticationChallenge:
从ios 5开始,可以使用委托功能
connection:willSendRequestForAuthenticationChallenge:
相反。您必须将安全框架添加到您的项目中才能编译。
【讨论】:
您的答案中缺少重要信息:1)此代码进入连接:didReceiveAuthenticationChallenge,2)您必须将安全框架添加到您的项目中并将其导入您的代码中以使用 SecTrustEvaluate。除此之外,很好的例子!谢谢! @mbm30075:感谢您的反馈。其实你可以在willSendRequestForAuthenticationChallenge:中做到这一点,它取代了iOS 5中的其他委托函数canAuthenticateAgainstProtectionSpace:和didReceiveAuthenticationChallenge:。我会相应地更新答案。
不知道!感谢更新。这对我来说是一个朦胧的领域,但它变得越来越清晰!以上是关于如何处理不受信任的服务 URL?的主要内容,如果未能解决你的问题,请参考以下文章
如何处理不安全的 XMLHttpRequest 端点 [重复]