我是相当新的使用SSL通道消费web服务。经过相当不错的搜索后，我发现了一种使用NSURLConnection委托API执行SSL/HTTPS身份验证的方法。以下是代码片段进行实际验证的事情：

iOS和SSL：无法验证自签名的服务器证书

- (void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {

[self printLogToConsole:@"Authenticating...."];

[self printLogToConsole:[NSString stringWithFormat:@"\n%@\n", [challenge description]]];

NSLog(@"\n\nserverTrust: %@\n", [[challenge protectionSpace] serverTrust]);

/* Extract the server certificate for trust validation

*/

NSURLProtectionSpace *protectionSpace = [challenge protectionSpace];

assert(protectionSpace);

SecTrustRef trust = [protectionSpace serverTrust];

assert(trust);

CFRetain(trust); // Make sure this thing stays around until we're done with it

NSURLCredential *credential = [NSURLCredential credentialForTrust:trust];

/* On iOS

* we need to convert it to 'der' certificate. It can be done easily through Terminal as follows:

* $ openssl x509 -in certificate.pem -outform der -out rootcert.der

*/

NSString *path = [[NSBundle mainBundle] pathForResource:@"rootcert" ofType:@"der"];

assert(path);

NSData *data = [NSData dataWithContentsOfFile:path];

assert(data);

/* Set up the array of certificates, we will authenticate against and create credentials */

SecCertificateRef rtCertificate = SecCertificateCreateWithData(NULL, CFBridgingRetain(data));

const void *array[1] = { rtCertificate };

trustedCerts = CFArrayCreate(NULL, array, 1, &kCFTypeArrayCallBacks);

CFRelease(rtCertificate); // for completeness, really does not matter

/* Build up the trust anchor using our root cert */

int err;

SecTrustResultType trustResult = 0;

err = SecTrustSetAnchorCertificates(trust, trustedCerts);

if (err == noErr) {

err = SecTrustEvaluate(trust, &trustResult);

}

CFRelease(trust); // OK, now we're done with it

[self printLogToConsole:[NSString stringWithFormat:@"trustResult: %d\n", trustResult]];

/* http://developer.apple.com/library/mac/#qa/qa1360/_index.html

*/

BOOL trusted = (err == noErr) && ((trustResult == kSecTrustResultProceed) || (trustResult == kSecTrustResultConfirm) || (trustResult == kSecTrustResultUnspecified));

// Return based on whether we decided to trust or not

if (trusted) {

[[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];

[self printLogToConsole:@"Success! Trust validation successful."];

} else {

[self printLogToConsole:@"Failed! Trust evaluation failed for service root certificate.\n"];

[[challenge sender] cancelAuthenticationChallenge:challenge];

}

}

但我发现了以下错误：

2012-06-11 17:10:12.541 SecureLogin[3424:f803] Error during connection: Error Domain=NSURLErrorDomain Code=-1012 "The operation couldn’t be completed. (NSURLErrorDomain error -1012.)" UserInfo=0x682c790 {NSErrorFailingURLKey=https://staging.esecure.url/authentication/signin/merchants, NSErrorFailingURLStringKey=https://staging.esecure.url/authentication/signin/merchants}

我使用我从服务器获得的相同证书并将其转换为'der'格式。我正在构建适用于iOS 5.x的应用程序。 我不确定我是否错过了某些东西。让我知道你的建议。

谢谢。

编辑 这里检查证书后输出的外观：

让我知道如果有什么不对。

谢谢。

+0

不，我没有使用ASIHTTPRequest APIs。我正在使用NSURLConnection API，此时不能更改为其他第三方库。 我正在使用使用OpenSSL创建的服务器使用自签名证书。 –

+0

[NSURLConnection问题]的可能重复(http：// stackoverflow。com/questions/3766755/problem-with-nsurlconnection) –