使用AFNetworking和SSL绑定实现安全连接
1. SSL Pinning
SSL pinning, 即证书绑定. 通过SSL证书绑定来验证服务器身份, 防止应用被抓包.
2. 获取证书
客户端需要配置证书 .cer.
-
.pem转.cer
openssl x509 -inform PEM -in name.pem -outform DER -out name.cer
-
.crt转.cer
openssl x509 -in name.crt -out name.cer -outform der
- 从服务器下载证书
openssl s_client -connect www.website.com:443 </dev/null 2>/dev/null | openssl x509 -outform DER > myWebsite.cer
3.设置证书
enum {
AFSSLPinningModeNone,
AFSSLPinningModePublicKey,
AFSSLPinningModeCertificate,
}
- SSLPinningMode
AFSSLPinningModeNone:完全信任
AFSSLPinningModePublicKey:只校验服务器证书和本地证书的Public Key是否一致.
AFSSLPinningModeCertificate:校验服务器证书和本地证书的所有内容(如果证书过期, 需要更新客户端证书).
+ (AFHTTPSessionManager *)manager
{
static AFHTTPSessionManager *manager = nil;
static dispatch_once_t onceToken;
dispatch_once(&onceToken, ^{
NSURLSessionConfiguration *config = [NSURLSessionConfiguration defaultSessionConfiguration];
manager = [[AFHTTPSessionManager alloc] initWithSessionConfiguration:config];
AFSecurityPolicy *securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey withPinnedCertificates:[AFSecurityPolicy certificatesInBundle:[NSBundle mainBundle]]];
manager.securityPolicy = securityPolicy;
});
return manager;
}
