Moya信任自签名证书
问题
先说说HTTPS握手,
发送HTTPS请求首先要进行SSL/TLS握手,握手过程大致如下:
* 客户端发起握手请求,携带随机数、支持算法列表等参数。
* 服务端收到请求,选择合适的算法,下发公钥证书和随机数。
* 客户端对服务端证书进行校验,并发送随机数信息,该信息使用公钥加密。
* 服务端通过私钥获取随机数信息。
* 双方根据以上交互的信息生成session ticket,用作该连接后续数据传输的加密密钥。
第3步中,客户端需要验证服务端下发的证书,验证过程有以下两个要点:
* 客户端用本地保存的根证书解开证书链,确认服务端下发的证书是由可信任的机构颁发的。
* 客户端需要检查证书的domain域和扩展域,看是否包含本次请求的host。
如果上述两点都校验通过,就证明当前的服务端是可信任的,否则就是不可信任,应当中断当前连接。
当客户端直接使用IP地址发起请求时,请求URL中的host会被替换成HTTPDNS解析出来的IP,所以在证书验证的第2步,会出现domain不匹配的情况,导致SSL/TLS握手不成功。
解决办法
关闭Https的证书认证
验证自签名证书,CN 是否合法
方法一:
```
/// 关闭https认证
let serverTrustPolicies: [String: ServerTrustPolicy] = [
“172.16.88.106”: .disableEvaluation
]
let manager = Manager(
configuration: URLSessionConfiguration.default,
serverTrustPolicyManager: ServerTrustPolicyManager(policies: serverTrustPolicies)
)
let provider = MoyaProvider(manager: manager, plugins: [NetworkLoggerPlugin(verbose: true)])
方法一是一种变通实现的方法,它直接关闭了Https的Domain验证,虽然可以请求正常进行,但是如果在客户端和服务器之间增加代理,请求发送时代理替换证书,那么代理就可以轻易拿到请求的数据,出于安全考虑并不推荐这种做法。
方法二:
ServerTrustPolicy枚举中使用pinCertificates。
case pinCertificates(certificates: [SecCertificate], validateCertificateChain: Bool, validateHost: Bool)
```
传入自签名证书信息。
KingFisher信任Host方法
KingFisher
A lightweight, pure-Swift library for downloading and caching images from the web.
https://github.com/onevcat/Kingfisher
//取出downloader单例
let downloader = KingfisherManager.shared.downloader
//信任ip为106的Server
downloader.trustedHosts = Set(["172.16.88.106"])
//使用KingFisher给ImageView赋网络图片
iconView.kf.setImage(with: iconUrl)
网友评论
错误信息如下:
017-11-17 20:12:15.270701+0800 yiyue[65880:4380145] CredStore - copyIdentPrefs - Error copying Identity cred. Error=-25300, query={
class = idnt;
labl = "https://app200.yiban1314.com:443/";;
"r_Ref" = 1;
}
Moya_Logger: [17/11/2017 20:12:15] Response: Received empty network response for MsgRule("2").
underlying(Alamofire.AFError.responseValidationFailed(Alamofire.AFError.ResponseValidationFailureReason.unacceptableStatusCode(400)), Optional(Status Code: 400, Data Length: 238))
``` swift
let cerPath = Bundle.main.path(forResource: "server", ofType: "cer")
let localCertificate = NSData(contentsOfFile: cerPath!)
let certificates = [SecCertificateCreateWithData(nil, localCertificate!)!]
let serverTrustPolicy = ServerTrustPolicy.pinCertificates(
certificates: certificates,
validateCertificateChain: true,
validateHost: false
)
let serverTrustPolicies :[String:ServerTrustPolicy] = ["app200.yiban1314.com" : serverTrustPolicy]
let serverTrustPolicyManager = ServerTrustPolicyManager(policies: serverTrustPolicies)
let manager = Manager(
configuration: URLSessionConfiguration.default,
delegate: SessionDelegate(),
serverTrustPolicyManager: serverTrustPolicyManager
)
let rxProvider = MoyaProvider<UserAPI>(manager: manager,
plugins: [NetworkLoggerPlugin(verbose: true)])
rxProvider.rx.request(.MsgRule(to_user_id:"2"))
//.debug()
.mapJSON()
.subscribe { event in
switch event {
case let .success(response):
debugPrint(response)
break
case let .error(error):
print(error)
break
}
}
```
```
Moya_Logger: [17/11/2017 17:57:17] HTTP Request Method: POST
Moya_Logger: [17/11/2017 17:57:17] Request Body: channel=007&platform_info=iPhone8&platform_type=2&sign=95a46c89928dbf29f406c3f45adadf14×tamp=1510912637060&to_user_id=2&user_id=2&version_id=001
2017-11-17 17:57:17.231899+0800 yiyue[60670:3896654] CredStore - copyIdentPrefs - Error copying Identity cred. Error=-25300, query={
class = idnt;
labl = "https://app200.yiban1314.com:443/";;
"r_Ref" = 1;
}
Moya_Logger: [17/11/2017 17:57:17] Response: Received empty network response for MsgRule("2").
underlying(Alamofire.AFError.responseValidationFailed(Alamofire.AFError.ResponseValidationFailureReason.unacceptableStatusCode(400)), Optional(Status Code: 400, Data Length: 238))
```