对于https 使用自签名证书,我有如下几个疑问:
1.网上看的资料对于自签名证书都需要在客户端倒入证书,然后验证证书的,如果不验证证书,直接使用发过来的发过来的凭证进行通信有什么风险和问题?
- (void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
//1)获取trust object
SecTrustRef trust = challenge.protectionSpace.serverTrust;
NSURLCredential *cred = [NSURLCredential credentialForTrust:trust];
[challenge.sender useCredential:cred forAuthenticationChallenge:challenge];
}
我经常在网上看到这样一段代码,你觉得这段代码是怎样验证的?
NSURLSessionAuthChallengeDisposition disposition = NSURLSessionAuthChallengePerformDefaultHandling;
__block NSURLCredential *credential = nil;
if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
disposition = NSURLSessionAuthChallengeUseCredential;
credential = [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust];
} else {
disposition = NSURLSessionAuthChallengePerformDefaultHandling;
}
if (completionHandler) {
completionHandler(disposition, credential);
}
1. Permintaan langsung tanpa mengesahkan sijil adalah bermasalah
2 Pihak lain terlebih dahulu menentukan sama ada pelayan sijil boleh dipercayai, dan kemudian mengendalikan sijil dengan sewajarnya. Lihat HTTP iOS untuk mendapatkan butiran.