Preventing Traffic Interception - SSL Pinning

Secure connections with AFNetworking and SSL pinning

1. SSL Pinning

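SSL pinning means certificate pinning: the app verifies the server's identity against a certificate bound to the app, which prevents the app's traffic from being intercepted by packet capture.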

2. Obtaining the certificate

The client needs to be configured with a .cer certificate.

  • .pem to .cer

openssl x509 -inform PEM -in name.pem -outform DER -out name.cer

  • .crt to .cer

openssl x509 -in name.crt -out name.cer -outform der

  • Download the certificate from the server

openssl s_client -connect www.website.com:443 </dev/null 2>/dev/null | openssl x509 -outform DER > myWebsite.cer

3. Configuring the certificate

 enum {
 AFSSLPinningModeNone,
 AFSSLPinningModePublicKey,
 AFSSLPinningModeCertificate,
 }
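  • SSLPinningMode
    AFSSLPinningModeNone: full trust (no pinning).
    AFSSLPinningModePublicKey: only checks whether the public key of the server certificate matches the public key of the local certificate.
    AFSSLPinningModeCertificate: checks the entire contents of the server certificate against the local certificate (if the certificate expires, the client certificate must be updated).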
+ (AFHTTPSessionManager *)manager
{
    static AFHTTPSessionManager *manager = nil;
    static dispatch_once_t onceToken;
    dispatch_once(&onceToken, ^{
    
        NSURLSessionConfiguration *config = [NSURLSessionConfiguration defaultSessionConfiguration];
        manager = [[AFHTTPSessionManager alloc] initWithSessionConfiguration:config];

        // Pin against every .cer file found in the app's main bundle,
        // comparing public keys only (AFSSLPinningModePublicKey).
        NSSet *pinnedCertificates = [AFSecurityPolicy certificatesInBundle:[NSBundle mainBundle]];
        AFSecurityPolicy *securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey
                                                           withPinnedCertificates:pinnedCertificates];
        manager.securityPolicy = securityPolicy;
    });
    return manager;
}
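
The practical difference between AFSSLPinningModePublicKey and AFSSLPinningModeCertificate when a server certificate is renewed, checked with the openssl commands from section 2. This is an added example, not code from the original post: the certificates, file names and CN are constructed for the demo, and the SHA-256 digests stand in for the comparisons the two modes are described as making.

```shell
# Constructed data: one key pair with a "pinned" and a "renewed" self-signed
# certificate, plus one certificate for a different key. Names are made up.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# SHA-256 over the whole DER certificate: any changed byte changes it
# (stand-in for the AFSSLPinningModeCertificate comparison).
cert_digest() {
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# SHA-256 over only the public key (DER SubjectPublicKeyInfo) in the
# certificate (stand-in for the AFSSLPinningModePublicKey comparison).
pubkey_digest() {
    openssl x509 -inform DER -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

same_certificate() { [ "$(cert_digest "$1")" = "$(cert_digest "$2")" ]; }
same_public_key()  { [ "$(pubkey_digest "$1")" = "$(pubkey_digest "$2")" ]; }

# new_key OUT: generate an RSA private key for the demo
new_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
}

# issue KEY DAYS OUT.cer: self-signed PEM certificate, then PEM -> DER
# using the conversion command from section 2.
issue() {
    openssl req -new -x509 -key "$1" -days "$2" \
        -subj "/CN=pinning-demo.example" -out "$3.pem" 2>/dev/null
    openssl x509 -inform PEM -in "$3.pem" -outform DER -out "$3"
}

new_key "$WORK/server.key"
new_key "$WORK/other.key"
issue "$WORK/server.key" 30  "$WORK/pinned.cer"    # the .cer bundled in the app
issue "$WORK/server.key" 365 "$WORK/renewed.cer"   # same key, new validity
issue "$WORK/other.key"  365 "$WORK/rekeyed.cer"   # different key

for c in renewed rekeyed; do
    same_certificate "$WORK/pinned.cer" "$WORK/$c.cer" && cm=match || cm=mismatch
    same_public_key  "$WORK/pinned.cer" "$WORK/$c.cer" && km=match || km=mismatch
    echo "$c.cer vs pinned.cer: certificate=$cm public-key=$km"
done
```

In this constructed run renewed.cer matches the pinned file only on its public key, so a public-key pin keeps working after a renewal that reuses the key, while a certificate pin needs the new .cer shipped in the app.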
