对于https 使用自签名证书,我有如下几个疑问:
1.网上看的资料对于自签名证书都需要在客户端倒入证书,然后验证证书的,如果不验证证书,直接使用发过来的发过来的凭证进行通信有什么风险和问题?
- (void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
//1)获取trust object
SecTrustRef trust = challenge.protectionSpace.serverTrust;
NSURLCredential *cred = [NSURLCredential credentialForTrust:trust];
[challenge.sender useCredential:cred forAuthenticationChallenge:challenge];
}我经常在网上看到这样一段代码,你觉得这段代码是怎样验证的?
NSURLSessionAuthChallengeDisposition disposition = NSURLSessionAuthChallengePerformDefaultHandling;
__block NSURLCredential *credential = nil;
if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
disposition = NSURLSessionAuthChallengeUseCredential;
credential = [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust];
} else {
disposition = NSURLSessionAuthChallengePerformDefaultHandling;
}
if (completionHandler) {
completionHandler(disposition, credential);
}
1、不验证证书,直接请求都是有问题的哦
2、那边是先判断其证书服务器是否可信任的,然后再对证书做出相应的的处理方式。具体的可看 iOS HTTPs。