1. 首页
  2. 问答
  3. Alamofire ServerTrustPolicy始终无效ServerTrust

Alamofire ServerTrustPolicy始终无效ServerTrust

2015-08-29 42 views
0

我使用Alamofire上雨燕2.0和实施ServerTrustPolicy我的本地服务器,你可以在这里看到:Alamofire ServerTrustPolicy始终无效ServerTrust

let defaultManager: Alamofire.Manager = { 
    let serverTrustPolicies: [String: ServerTrustPolicy] = [ 
//  "localhost": .PinCertificates(
//   certificates: ServerTrustPolicy.certificatesInBundle(), 
//   validateCertificateChain: false, 
//   validateHost: false 
//  ) 
     "localhost": .DisableEvaluation 
    ] 

    let configuration = NSURLSessionConfiguration.defaultSessionConfiguration() 
    configuration.HTTPAdditionalHeaders = Alamofire.Manager.defaultHTTPHeaders 

    return Alamofire.Manager(
     configuration: configuration, 
     serverTrustPolicyManager: ServerTrustPolicyManager(policies: serverTrustPolicies) 
    ) 
}()

问题是,当我一个请求我总是得到相同的错误不管我用.PinCertificates或.DisableEvaluation:

Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." 
UserInfo={ 
    NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x60c00004d980>, 
    NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, 
    _kCFStreamErrorDomainKey=3, 
    _kCFStreamErrorCodeKey=-9802, 
    NSErrorPeerCertificateChainKey=<CFArray 0x6060001498a0 [0x10bb3c7b0]>{ 
    type = immutable, count = 1, values = (
    0 : <cert(0x61600006ed80) s: localhost i: localhost> 
    )}, 
    NSUnderlyingError=0x6040000ad750 { 
    Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" 
    UserInfo={ 
     _kCFStreamPropertySSLClientCertificateState=0, 
     kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x60c00004d980>, 
     _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, 
     _kCFStreamErrorDomainKey=3, 
     _kCFStreamErrorCodeKey=-9802, 
     kCFStreamPropertySSLPeerCertificates=<CFArray 0x6060001498a0 [0x10bb3c7b0]>{ 
     type = immutable, count = 1, values = (
      0 : <cert(0x61600006ed80) s: localhost i: localhost> 
     )} 
    } 
    }, 
    NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., 
    NSErrorFailingURLKey=https://localhost:3000/auth/requestToken?auth_appId=d018ccd505db2cb1d5aacabb03fc2f3a, 
    NSErrorFailingURLStringKey=https://localhost:3000/auth/requestToken?auth_appId=d018ccd505db2cb1d5aacabb03fc2f3a, 
    NSErrorClientCertificateStateKey=0 
}

我尝试使用

curl --cacert ./ca.pem https://localhost:3000

会抛出工程只是罚款

我用我这样生成的自签名证书:

  1. 创建根CA私钥

    openssl genrsa -out ca.key.pem 2048

  2. 自签我的根CA

    openssl req -x509 -new -nodes -key ca.key.pem -days 1024 -out ca.crt.pem

  3. 创建服务器证书通过生成密钥,那么企业社会责任,然后用CA签署它

    openssl genrsa -out server.key.pem 2048 
openssl req -new -key server.key.pem -out server.csr.pem 
openssl x509 -req -in server.csr.pem -CA ca.crt.pem -CAkey ca.key.pem -CAcreateserial -out server.crt.pem -days 500

我用的NodeJS的HTTPS模块作为我的Web服务器,我配置是这样的:

require('ssl-root-cas') 
    .inject() 
    .addFile('./ca.crt.pem'); 

var privateKey = fs.readFileSync('./server.key.pem'); 
var certificate = fs.readFileSync('./server.crt.pem'); 
var credentials = { key: privateKey, cert: certificate }; 

var server = https.createServer(credentials, app); 
server.listen(port);

我看看入Alamofire源代码,结果发现,在委托方法:

public func URLSession(
     session: NSURLSession, 
     didReceiveChallenge challenge: NSURLAuthenticationChallenge, 
     completionHandler: ((NSURLSessionAuthChallengeDisposition, NSURLCredential?) -> Void)) 
{ 
    var disposition: NSURLSessionAuthChallengeDisposition = .PerformDefaultHandling 
    var credential: NSURLCredential? 

    if let sessionDidReceiveChallenge = sessionDidReceiveChallenge { 
     (disposition, credential) = sessionDidReceiveChallenge(session, challenge) 
    } else if challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust { 
     let host = challenge.protectionSpace.host 

     if let 
      serverTrustPolicy = session.serverTrustPolicyManager?.serverTrustPolicyForHost(host), 
      serverTrust = challenge.protectionSpace.serverTrust 
     { 
      if serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host) { 
       disposition = .UseCredential 
       credential = NSURLCredential(forTrust: serverTrust) 
      } else { 
       disposition = .CancelAuthenticationChallenge 
      } 
     } 
    } 

    completionHandler(disposition, credential) 
}

serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)呼叫实际上retur ns true。这意味着错误可能在completionHandler代码中发生,对吗?

我在处理证书的东西时做得很糟糕吗?

PS:defaultManager不beeing释放:)

来源

2015-08-29 iMoritz

回答

0

首先,确保你的defaultManager没有被释放。如果是的话,你总能得到-999。这就是说,如果您使用.DisableEvaluation,那么我会认为您的SSL配置服务器端存在一些更大的问题。

您是否能够成功控制您的Web服务?

我会根据您提供的更多信息更新我的答案。

来源

2015-08-31 04:54:09 cnoon

+0

我添加了一些关于如何创建证书的信息,使用curl进行测试以及如何设置我的网络服务器:) – iMoritz

+0

我最好的猜测是你没有与Alamofire有任何问题。你的问题是,你的服务器上的证书配置似乎没有设置完全正确。我不是设置服务器端证书配置的专家,所以我建议您在Stack Overflow上打开一个新的问题,这个问题仅适用于设置证书配置服务器端。一旦你有这个工作,我假设Alamofire'ServerTrustPolicies'将开始工作。如果没有,我很乐意帮你调试。祝你好运! – cnoon

+0

我得到了在curl中工作的ssl东西..事实证明,我在生成证书时犯了一个错误。我用新问题更新了这个问题 – iMoritz

相关问题

 相关问题