objective-c - SSL 的问题或我对它的误解

Question

我从 instantssl 获得了我的 crt，我使用 open ssl 制作了一个 .p12 java keytool 来使我成为一个 java keystore 。

openssl pkcs12 -export -in AddTrustExternalCARoot.crt -in UTNAddTrustSGCCA.crt -in ComodoUTNSGCCA.crt -in EssentialSSLCA_2.crt -in www_geobomber_com.crt -inkey www.geobomber.com.key -out www.geobomber.com.p12


keytool -importkeystore -destkeystore www.thedomain.com.jks -srckeystore www.thedomain.com.p12 -srcstoretype PKCS12 -alias 1

我的 iOS SSL 连接程序如下。这一切都在运行并且似乎很好。我的第一个问题是 ( NSDictionary *settings ) 设置正确吗？ - 这就是我成功建立 SSL 连接所需的一切。我的印象是我需要在 iphone 上安装 crts。

            CFReadStreamRef readStream;
            CFWriteStreamRef writeStream;
            CFStreamCreatePairWithSocketToHost(NULL, (CFStringRef)@"www.thedomain.com", port, &readStream, &writeStream);


            NSInputStream *inputStream = (__bridge_transfer NSInputStream *)readStream;
            NSOutputStream *outputStream = (__bridge_transfer NSOutputStream *)writeStream;
            [inputStream open];
            [outputStream open];


            BOOL    result = [inputStream    setProperty:NSStreamSocketSecurityLevelNegotiatedSSL forKey:NSStreamSocketSecurityLevelKey];
            NSLog(@"inputStream result %i",result);
            result =[outputStream   setProperty:NSStreamSocketSecurityLevelNegotiatedSSL forKey:NSStreamSocketSecurityLevelKey];
            NSLog(@"outputStream result %i",result);
            if (YES){
                NSDictionary *settings = [[NSDictionary alloc] initWithObjectsAndKeys:
                                          [NSNumber numberWithBool:NO], kCFStreamSSLAllowsExpiredCertificates,
                                          [NSNumber numberWithBool:NO], kCFStreamSSLAllowsAnyRoot,
                                          [NSNumber numberWithBool:YES], kCFStreamSSLValidatesCertificateChain,
                                          kCFNull,kCFStreamSSLPeerName,
                                          nil];

                CFReadStreamSetProperty((CFReadStreamRef)inputStream, kCFStreamPropertySSLSettings, (CFTypeRef)settings);
                CFWriteStreamSetProperty((CFWriteStreamRef)outputStream, kCFStreamPropertySSLSettings, (CFTypeRef)settings);
            }
            //endstuff

            NSString *response  = @"hello from iphone stream";
            NSData *data = [[NSData alloc] initWithData:[response dataUsingEncoding:NSASCIIStringEncoding]];
            NSLog(@"going to try to write.");
            [outputStream write:[data bytes] maxLength:[data length]];

Answer 1

如果您的证书是由公认的 CA 签署的，则您无需对客户端执行任何操作。客户端应该已经信任公认的 CA。