信任评估时不断获取 kSecTrustResultRecoverableTrustFailure - iphone
我想与我的服务器安全地通信,这就是我正在做的...
NSURLProtectionSpace *protectionSpace = [challenge protectionSpace];
SecTrustRef trust = [protectionSpace serverTrust];
NSURLCredential *credential = [NSURLCredential credentialForTrust:trust];
SecPolicyRef myPolicy = SecPolicyCreateBasicX509();
NSArray * certs = [[NSArray alloc] initWithObjects:(id)certificate,nil]; //certificate is my server's cert.
credential = [NSURLCredential credentialForTrust:trust];
SecTrustSetAnchorCertificates(trust,
(CFArrayRef) [NSArray arrayWithObject:(id) certificate ]);
OSStatus status = SecTrustCreateWithCertificates(certs, myPolicy, &trust);
SecTrustResultType trustResult = 0;
if (status == noErr) {
status = SecTrustEvaluate(trust, &trustResult);
}
NSLog(@"Trust I get: %d", trustResult);
[certs release];
if (trustResult == kSecTrustResultRecoverableTrustFailure) {
NSLog(@"Recoverable Failure");
CFAbsoluteTime trustTime,currentTime,timeIncrement,newTime;
CFDateRef newDate;
trustTime = SecTrustGetVerifyTime(trust);
timeIncrement = 31536000;
currentTime = CFAbsoluteTimeGetCurrent();
newTime = currentTime - timeIncrement;
if (trustTime - newTime){
newDate = CFDateCreate(NULL, newTime);
SecTrustSetVerifyDate(trust, newDate);
status = SecTrustEvaluate(trust, &trustResult);
}
NSLog(@"Trust again:%d", trustResult);// AGAIN kSecTrustResultRecoverableTrustFailure(5) over here
}
任何人都知道为什么会发生... 似乎与证书过期无关(实际上也不是),但可能是原因。
谢谢
大家
I want to securely communicate with my server and here is what I am doing...
NSURLProtectionSpace *protectionSpace = [challenge protectionSpace];
SecTrustRef trust = [protectionSpace serverTrust];
NSURLCredential *credential = [NSURLCredential credentialForTrust:trust];
SecPolicyRef myPolicy = SecPolicyCreateBasicX509();
NSArray * certs = [[NSArray alloc] initWithObjects:(id)certificate,nil]; //certificate is my server's cert.
credential = [NSURLCredential credentialForTrust:trust];
SecTrustSetAnchorCertificates(trust,
(CFArrayRef) [NSArray arrayWithObject:(id) certificate ]);
OSStatus status = SecTrustCreateWithCertificates(certs, myPolicy, &trust);
SecTrustResultType trustResult = 0;
if (status == noErr) {
status = SecTrustEvaluate(trust, &trustResult);
}
NSLog(@"Trust I get: %d", trustResult);
[certs release];
if (trustResult == kSecTrustResultRecoverableTrustFailure) {
NSLog(@"Recoverable Failure");
CFAbsoluteTime trustTime,currentTime,timeIncrement,newTime;
CFDateRef newDate;
trustTime = SecTrustGetVerifyTime(trust);
timeIncrement = 31536000;
currentTime = CFAbsoluteTimeGetCurrent();
newTime = currentTime - timeIncrement;
if (trustTime - newTime){
newDate = CFDateCreate(NULL, newTime);
SecTrustSetVerifyDate(trust, newDate);
status = SecTrustEvaluate(trust, &trustResult);
}
NSLog(@"Trust again:%d", trustResult);// AGAIN kSecTrustResultRecoverableTrustFailure(5) over here
}
Anybody has idea why it is happening...
Seems it is not about the expiration of the certificate (which is not in reality as well) but could be the reason.
thank you
al
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
则发生 SecTrustResultRecoverableTrustFailure ,
我通过配置网络服务器发送整个证书链而不是仅发送服务器证书来解决了我的问题。
通过配置我的 apache mod_ssl:
https://httpd.apache.org/docs/2.2/mod/mod_ssl .html#sslcertificatechainfile
SecTrustResultRecoverableTrustFailurehappens ifI solved my problem by configuring the webserver to send the whole certificate chain instead of only the server certificate.
By configuring my apache mod_ssl:
https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcertificatechainfile