Implementing Secure Connections with AFNetworking and SSL Pinning
1. SSL Pinning
SSL pinning means certificate pinning: the app verifies the server's identity against a certificate bound into the app, which prevents the app's traffic from being captured.
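2. Obtaining the certificate
The client must be configured with a certificate in .cer format.
- Convert .pem to .cer
    openssl x509 -inform PEM -in name.pem -outform DER -out name.cer
- Convert .crt to .cer
    openssl x509 -in name.crt -out name.cer -outform der
- Download the certificate from the server (s_client saves whatever certificate the connection returns, so compare its fingerprint with one obtained from the server operator before bundling it)
    openssl s_client -connect www.website.com:443 </dev/null 2>/dev/null | openssl x509 -outform DER > myWebsite.cer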
3. Setting the certificate
    typedef NS_ENUM(NSUInteger, AFSSLPinningMode) {
        AFSSLPinningModeNone,
        AFSSLPinningModePublicKey,
        AFSSLPinningModeCertificate,
    };
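- SSLPinningMode
    - AFSSLPinningModeNone: full trust; no pinning check is performed.
    - AFSSLPinningModePublicKey: only checks that the public key of the server certificate matches the public key of the local certificate.
    - AFSSLPinningModeCertificate: checks the entire content of the server certificate against the local certificate (if the certificate expires, the client certificate must be updated).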
    #import <AFNetworking/AFNetworking.h>

    // Shared session manager whose security policy pins the public keys of
    // every .cer file found in the app's main bundle.
    + (AFHTTPSessionManager *)manager
    {
        static AFHTTPSessionManager *manager = nil;
        static dispatch_once_t onceToken;
        dispatch_once(&onceToken, ^{
            NSURLSessionConfiguration *config = [NSURLSessionConfiguration defaultSessionConfiguration];
            manager = [[AFHTTPSessionManager alloc] initWithSessionConfiguration:config];
            // certificatesInBundle: loads all .cer files from the bundle as the pinned set.
            AFSecurityPolicy *securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey withPinnedCertificates:[AFSecurityPolicy certificatesInBundle:[NSBundle mainBundle]]];
            manager.securityPolicy = securityPolicy;
        });
        return manager;
    }
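What the two pinning modes above compare, and why certificate pinning needs a client update when the certificate is reissued, as an added example that is not part of the original article. It models only the comparison each mode makes, not AFNetworking's full trust evaluation; the helper names (`cert_fp`, `spki_fp`, `pin_matches`, `issue`, `make_certs`), the file names and the `pinning-demo.invalid` host are assumptions, and all certificates are generated locally.

```shell
#!/bin/sh
# Added example; all certificates are constructed locally, nothing is fetched.

# SHA-256 of the whole DER certificate (models AFSSLPinningModeCertificate).
cert_fp() {
  openssl x509 -inform DER -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the DER SubjectPublicKeyInfo (models AFSSLPinningModePublicKey).
spki_fp() {
  openssl x509 -inform DER -in "$1" -noout -pubkey |
    openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# pin_matches MODE PINNED.cer SERVED.cer: exit status 0 when the pin holds.
pin_matches() {
  case "$1" in
    publickey)   [ "$(spki_fp "$2")" = "$(spki_fp "$3")" ] ;;
    certificate) [ "$(cert_fp "$2")" = "$(cert_fp "$3")" ] ;;
    *) return 2 ;;  # unknown mode: never treat as a match
  esac
}

# issue KEY SERIAL OUT.cer: self-signed DER certificate for a hypothetical host.
issue() {
  openssl req -new -x509 -key "$1" -set_serial "$2" -days 30 \
    -subj "/CN=pinning-demo.invalid" -outform DER -out "$3"
}

# Writes pinned.cer, renewed.cer (same key), rekeyed.cer (new key); prints the temp dir.
make_certs() {
  d=$(mktemp -d) || return 1
  {
    openssl genrsa -out "$d/k1.pem" 2048 && openssl genrsa -out "$d/k2.pem" 2048
    issue "$d/k1.pem" 1 "$d/pinned.cer"
    issue "$d/k1.pem" 2 "$d/renewed.cer"
    issue "$d/k2.pem" 3 "$d/rekeyed.cer"
  } >/dev/null 2>&1
  echo "$d"
}

dir=$(make_certs)
for served in renewed rekeyed; do
  for mode in publickey certificate; do
    pin_matches "$mode" "$dir/pinned.cer" "$dir/$served.cer" && r=accepted || r=rejected
    echo "$served.cer, $mode pinning: $r"
  done
done
rm -rf "$dir"
```

The renewed certificate is accepted only under public-key pinning, while the rekeyed one is rejected under both modes, so a key rotation requires shipping a new pinned certificate in either mode.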