Using a self-signed SSL certificate on iOS 9: -9824 -9801

The iOS app uses AFNetworking 3.0, configured as follows.

1. Download the HTTPS public-key certificate, then convert it to the DER format that iOS uses:

openssl x509 -outform der -in YOUR.DOMAIN.com.crt -out YOUR.DOMAIN.com.der

Download the .der file and add it to the app bundle.

2. Initialize your AFHTTPSessionManager with the following code:

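NSString *certFilePath = [[NSBundle mainBundle] pathForResource:@"YOUR.DOMAIN.com" ofType:@"der"];
NSData *certData = [NSData dataWithContentsOfFile:certFilePath];
NSSet *certSet = [NSSet setWithObject:certData];
AFSecurityPolicy *securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey withPinnedCertificates:certSet];
// allowInvalidCertificates: whether to allow invalid certificates (that is, self-signed ones). Default is NO.
// To validate a self-signed certificate, set it to YES.
// With a pinning mode other than AFSSLPinningModeNone the server key is still compared
// against the pinned key, so YES here does not accept arbitrary certificates.
securityPolicy.allowInvalidCertificates = YES;
// validatesDomainName: whether to validate the domain name. Default is YES.
// If the domain on the certificate differs from the domain you request, set this to NO.
// Mainly for this case: the client requests a subdomain while the certificate names another domain.
// Domains on an SSL certificate are matched individually: if the certificate is registered for
// www.google.com, then mail.google.com will not pass validation. You can of course pay for a
// wildcard certificate for *.google.com, but that is fairly expensive.
securityPolicy.validatesDomainName = YES;
// validatesCertificateChain: whether to validate the whole certificate chain. Default is YES.
// When set to YES, the certificate chain on the Trust Object returned by the server is compared
// with the locally imported certificates. This means that if your chain looks like this:
// GeoTrust Global CA
//     Google Internet Authority G2
//         *.google.com
// then besides importing *.google.com you also need to import every CA certificate in the chain
// (GeoTrust Global CA, Google Internet Authority G2).
// For a self-signed certificate you can set this to YES for extra security; for a certificate
// issued by a trusted CA, turning this check off is recommended.
//        securityPolicy.va = NO;

AFHTTPSessionManager *manager = [AFHTTPSessionManager manager];

manager.securityPolicy = securityPolicy;
manager.requestSerializer.cachePolicy = NSURLRequestReloadIgnoringLocalCacheData;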

3. Configure Info.plist. Note that NSAllowsArbitraryLoads set to true turns ATS off for every domain that is not listed under NSExceptionDomains; if only the API host needs the relaxed settings, that key can be left out and the exception entry kept.

<key>NSAppTransportSecurity</key>
<dict>
	<key>NSAllowsArbitraryLoads</key>
	<true/>
	<key>NSExceptionDomains</key>
	<dict>
		<key>api.wenxiaoyou.com</key>
		<dict>
			<key>NSIncludesSubdomains</key>
			<true/>
			<key>NSExceptionAllowsInsecureHTTPLoads</key>
			<true/>
			<key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
			<true/>
			<key>NSTemporaryExceptionMinimumTLSVersion</key>
			<string>1.0</string>
			<key>NSTemporaryExceptionRequiresForwardSecrecy</key>
			<false/>
			<key>NSExceptionMinimumTLSVersion</key>
			<string>TLSv1.0</string>
			<key>NSExceptionRequiresForwardSecrecy</key>
			<false/>
		</dict>
	</dict>
</dict>

Just enjoy it.
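
A check to run on the build machine after step 1, added here as an example (it is not part of the original post and not AFNetworking code): AFSSLPinningModePublicKey pins the key inside the bundled certificate, so this Python code extracts the SubjectPublicKeyInfo from a DER file and hashes it, letting you confirm that the .der in the bundle carries the same key as the certificate the server presents. The function names and the constructed certificate skeletons used as sample input are assumptions made for the demonstration.

```python
import base64
import hashlib

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def spki_from_cert(der):
    """Return the SubjectPublicKeyInfo element (header included) of a DER certificate."""
    outer_tag, start, _ = read_tlv(der, 0)         # Certificate ::= SEQUENCE
    tbs_tag, pos, tbs_end = read_tlv(der, start)   # tbsCertificate ::= SEQUENCE
    if outer_tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER certificate (is the file still PEM?)")
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:      # optional [0] version field, absent in v1 certificates
        pos = end
    for _ in range(5):   # skip serial, signature alg, issuer, validity, subject
        pos = read_tlv(der, pos)[2]
    tag, _, end = read_tlv(der, pos)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("unexpected tbsCertificate layout")
    return der[pos:end]

def spki_pin(der):
    """Base64 SHA-256 of the SPKI; equal for any two certificates with the same key."""
    return base64.b64encode(hashlib.sha256(spki_from_cert(der)).digest()).decode()

# Constructed sample input: unsigned certificate skeletons, not real certificates.
def _tlv(tag, body):
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def constructed_cert(serial, key):
    seq = lambda *parts: _tlv(0x30, b"".join(parts))
    alg = seq(_tlv(0x06, bytes.fromhex("2a864886f70d010101")), b"\x05\x00")  # rsaEncryption
    spki = seq(alg, _tlv(0x03, b"\x00" + key))
    tbs = seq(_tlv(0xA0, b"\x02\x01\x02"), _tlv(0x02, bytes([serial])), *[seq()] * 4, spki)
    return seq(tbs, seq(), _tlv(0x03, b"\x00"))

BUNDLED = constructed_cert(1, b"\x11" * 270)  # stands in for YOUR.DOMAIN.com.der
RENEWED = constructed_cert(2, b"\x11" * 270)  # re-issued certificate, same key pair
OTHER = constructed_cert(1, b"\x22" * 270)    # certificate carrying a different key
```

Calling `spki_pin` on the bytes of the real YOUR.DOMAIN.com.der and on the server's certificate converted the same way should give the same string. A re-issued certificate that keeps the key pair keeps the pin, while a file that is still PEM is rejected with a ValueError.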

