我从 instantssl 获得了我的 crt,我使用 open ssl 制作了一个 .p12 java keytool 来使我成为一个 java keystore 。
openssl pkcs12 -export -in AddTrustExternalCARoot.crt -in UTNAddTrustSGCCA.crt -in ComodoUTNSGCCA.crt -in EssentialSSLCA_2.crt -in www_geobomber_com.crt -inkey www.geobomber.com.key -out www.geobomber.com.p12
keytool -importkeystore -destkeystore www.thedomain.com.jks -srckeystore www.thedomain.com.p12 -srcstoretype PKCS12 -alias 1
我的 iOS SSL 连接程序如下。这一切都在运行并且似乎很好。我的第一个问题是 ( NSDictionary *settings ) 设置正确吗? - 这就是我成功建立 SSL 连接所需的一切。我的印象是我需要在 iphone 上安装 crts。
CFReadStreamRef readStream;
CFWriteStreamRef writeStream;
CFStreamCreatePairWithSocketToHost(NULL, (CFStringRef)@"www.thedomain.com", port, &readStream, &writeStream);
NSInputStream *inputStream = (__bridge_transfer NSInputStream *)readStream;
NSOutputStream *outputStream = (__bridge_transfer NSOutputStream *)writeStream;
[inputStream open];
[outputStream open];
BOOL result = [inputStream setProperty:NSStreamSocketSecurityLevelNegotiatedSSL forKey:NSStreamSocketSecurityLevelKey];
NSLog(@"inputStream result %i",result);
result =[outputStream setProperty:NSStreamSocketSecurityLevelNegotiatedSSL forKey:NSStreamSocketSecurityLevelKey];
NSLog(@"outputStream result %i",result);
if (YES){
NSDictionary *settings = [[NSDictionary alloc] initWithObjectsAndKeys:
[NSNumber numberWithBool:NO], kCFStreamSSLAllowsExpiredCertificates,
[NSNumber numberWithBool:NO], kCFStreamSSLAllowsAnyRoot,
[NSNumber numberWithBool:YES], kCFStreamSSLValidatesCertificateChain,
kCFNull,kCFStreamSSLPeerName,
nil];
CFReadStreamSetProperty((CFReadStreamRef)inputStream, kCFStreamPropertySSLSettings, (CFTypeRef)settings);
CFWriteStreamSetProperty((CFWriteStreamRef)outputStream, kCFStreamPropertySSLSettings, (CFTypeRef)settings);
}
//endstuff
NSString *response = @"hello from iphone stream";
NSData *data = [[NSData alloc] initWithData:[response dataUsingEncoding:NSASCIIStringEncoding]];
NSLog(@"going to try to write.");
[outputStream write:[data bytes] maxLength:[data length]];
最佳答案
如果您的证书是由公认的 CA 签署的,则您无需对客户端执行任何操作。客户端应该已经信任公认的 CA。
关于objective-c - SSL 的问题或我对它的误解,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/14087433/