我使用Alamofire上雨燕2.0和实施ServerTrustPolicy我的本地服务器,你可以在这里看到:Alamofire ServerTrustPolicy始终无效ServerTrust
let defaultManager: Alamofire.Manager = {
let serverTrustPolicies: [String: ServerTrustPolicy] = [
// "localhost": .PinCertificates(
// certificates: ServerTrustPolicy.certificatesInBundle(),
// validateCertificateChain: false,
// validateHost: false
// )
"localhost": .DisableEvaluation
]
let configuration = NSURLSessionConfiguration.defaultSessionConfiguration()
configuration.HTTPAdditionalHeaders = Alamofire.Manager.defaultHTTPHeaders
return Alamofire.Manager(
configuration: configuration,
serverTrustPolicyManager: ServerTrustPolicyManager(policies: serverTrustPolicies)
)
}()
问题是,当我一个请求我总是得到相同的错误不管我用.PinCertificates或.DisableEvaluation:
Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made."
UserInfo={
NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x60c00004d980>,
NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?,
_kCFStreamErrorDomainKey=3,
_kCFStreamErrorCodeKey=-9802,
NSErrorPeerCertificateChainKey=<CFArray 0x6060001498a0 [0x10bb3c7b0]>{
type = immutable, count = 1, values = (
0 : <cert(0x61600006ed80) s: localhost i: localhost>
)},
NSUnderlyingError=0x6040000ad750 {
Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)"
UserInfo={
_kCFStreamPropertySSLClientCertificateState=0,
kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x60c00004d980>,
_kCFNetworkCFStreamSSLErrorOriginalValue=-9802,
_kCFStreamErrorDomainKey=3,
_kCFStreamErrorCodeKey=-9802,
kCFStreamPropertySSLPeerCertificates=<CFArray 0x6060001498a0 [0x10bb3c7b0]>{
type = immutable, count = 1, values = (
0 : <cert(0x61600006ed80) s: localhost i: localhost>
)}
}
},
NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made.,
NSErrorFailingURLKey=https://localhost:3000/auth/requestToken?auth_appId=d018ccd505db2cb1d5aacabb03fc2f3a,
NSErrorFailingURLStringKey=https://localhost:3000/auth/requestToken?auth_appId=d018ccd505db2cb1d5aacabb03fc2f3a,
NSErrorClientCertificateStateKey=0
}
我尝试使用
curl --cacert ./ca.pem https://localhost:3000
会抛出工程只是罚款
我用我这样生成的自签名证书:
创建根CA私钥
openssl genrsa -out ca.key.pem 2048
自签我的根CA
openssl req -x509 -new -nodes -key ca.key.pem -days 1024 -out ca.crt.pem
创建服务器证书通过生成密钥,那么企业社会责任,然后用CA签署它
openssl genrsa -out server.key.pem 2048 openssl req -new -key server.key.pem -out server.csr.pem openssl x509 -req -in server.csr.pem -CA ca.crt.pem -CAkey ca.key.pem -CAcreateserial -out server.crt.pem -days 500
我用的NodeJS的HTTPS模块作为我的Web服务器,我配置是这样的:
require('ssl-root-cas')
.inject()
.addFile('./ca.crt.pem');
var privateKey = fs.readFileSync('./server.key.pem');
var certificate = fs.readFileSync('./server.crt.pem');
var credentials = { key: privateKey, cert: certificate };
var server = https.createServer(credentials, app);
server.listen(port);
我看看入Alamofire源代码,结果发现,在委托方法:
public func URLSession(
session: NSURLSession,
didReceiveChallenge challenge: NSURLAuthenticationChallenge,
completionHandler: ((NSURLSessionAuthChallengeDisposition, NSURLCredential?) -> Void))
{
var disposition: NSURLSessionAuthChallengeDisposition = .PerformDefaultHandling
var credential: NSURLCredential?
if let sessionDidReceiveChallenge = sessionDidReceiveChallenge {
(disposition, credential) = sessionDidReceiveChallenge(session, challenge)
} else if challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust {
let host = challenge.protectionSpace.host
if let
serverTrustPolicy = session.serverTrustPolicyManager?.serverTrustPolicyForHost(host),
serverTrust = challenge.protectionSpace.serverTrust
{
if serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host) {
disposition = .UseCredential
credential = NSURLCredential(forTrust: serverTrust)
} else {
disposition = .CancelAuthenticationChallenge
}
}
}
completionHandler(disposition, credential)
}
到serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)
呼叫实际上retur ns true。这意味着错误可能在completionHandler代码中发生,对吗?
我在处理证书的东西时做得很糟糕吗?
PS:defaultManager
不beeing释放:)
我添加了一些关于如何创建证书的信息,使用curl进行测试以及如何设置我的网络服务器:) – iMoritz
我最好的猜测是你没有与Alamofire有任何问题。你的问题是,你的服务器上的证书配置似乎没有设置完全正确。我不是设置服务器端证书配置的专家,所以我建议您在Stack Overflow上打开一个新的问题,这个问题仅适用于设置证书配置服务器端。一旦你有这个工作,我假设Alamofire'ServerTrustPolicies'将开始工作。如果没有,我很乐意帮你调试。祝你好运! – cnoon
我得到了在curl中工作的ssl东西..事实证明,我在生成证书时犯了一个错误。我用新问题更新了这个问题 – iMoritz