从http切换到https。证书无效
我有一个连接到家庭路由器网络界面的应用程序。我想将其转换为使用https而不是http。
我最初使用的是 ASIHttpRequest ,但由于不再支持我正在切换到 AFNetworking 。
问题是,每当我尝试连接时,都会收到错误消息:
I have an app that connects to my home routers web interface. I want to convert this to use https instead of just http.
I was originally using ASIHttpRequest, but as it's no longer supported i'm switching over to AFNetworking.
The problem is, whenever I try to connect, I get this error message:
_block_invoke_0220 [Line 243] ERROR: Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be "192.168.1.1" which could put your confidential information at risk." UserInfo=0x9792ad0 {NSErrorFailingURLStringKey=https://192.168.1.1/Info.live.htm, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSErrorFailingURLKey=https://192.168.1.1/Info.live.htm, NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be "192.168.1.1" which could put your confidential information at risk., NSUnderlyingError=0xa6a3560 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be "192.168.1.1" which could put your confidential information at risk.", NSURLErrorFailingURLPeerTrustErrorKey=< SecTrustRef:
如果我导航到url i safari,我收到一条消息,Safari无法验证身份....我必须点击继续继续。
我怎样才能做到这一点?不幸的是,我对ssl或https一无所知。
以下是我目前正在使用的代码:
If I navigate to the url i safari, I get a message that Safari can't verify the identity.... and I have to click continue to carry on. How can I achieve this? I don't really know anything about ssl or https unfortunately. Here is the code i'm currently using:
NSString *urlString = @"https://192.168.1.1/";
NSURL *url = [NSURL URLWithString:urlString];
// Set authorization
AFHTTPClient *httpClient = [[AFHTTPClient alloc] initWithBaseURL:url];
[httpClient setAuthorizationHeaderWithUsername:user password:pass];
NSURLRequest *request = [httpClient requestWithMethod:@"POST" path:@"Info.live.htm" parameters:nil];
AFHTTPRequestOperation *operation = [[AFHTTPRequestOperation alloc] initWithRequest:request];
[operation setCompletionBlockWithSuccess:^(AFHTTPRequestOperation *operation, id responseObject) {
NSString *responceString = [operation responseString];
// NSLog(@"%@",responceString);
if ([self parseInfoLive:responceString])
[[NSNotificationCenter defaultCenter] postNotificationName:@"downloadsComplete" object:nil];
}
failure:^(AFHTTPRequestOperation *operation, NSError *error) {
NSLog(@"ERROR: %@",error.description);
}];
[operation start];
为了绕过主机证书的有效性检查,添加以下代码。
For getting around the validity check of the host certificate, add the following code.
首先为已经在SDK中但未公开的setter方法添加一个接口:
First add an interface for the setter method that is already within the SDK but not exposed into public:
@interface NSURLRequest(Private)
+(void)setAllowsAnyHTTPSCertificate:(BOOL)inAllow forHost:(NSString *)inHost;
@end
现在,无论何时呈现新请求,都要调用该setter:
Now, whenever you are rendering a new request, invoke that setter:
[NSURLRequest setAllowsAnyHTTPSCertificate:YES forHost:[inURL host]];
警告
请勿将此代码用于生产,但仅限于在尚未批准/提交/安装证书的情况下开发应用程序时。典型的情况是使用未安装可信证书的开发服务器。
使用此代码将使您的应用程序因使用私有API方法而被拒绝通过iTunes分发。
确保事情在生产环境中顺利运行,您必须获得主机的可信SSL证书。有各种权威的公司提供这样的东西。要提到至少一个(还有更多),你可以使用 GoDaddy的。
For making sure that things work smoothly in a production environment, you will have to get a trusted SSL certificate for your host. There are various authoritative companies providing such thing. To mention at least one (there are MANY more), you could use GoDaddy.
更新(2013年5月31日)
Update (31st May 2013)
AFNetworking已更新以支持开箱即用的无效证书,而无需使用任何私有API。感谢Peter Steinberger!
AFNetworking got updated to support invalid certificates out of the box, without using any private API's. Kudos to Peter Steinberger!
为了启用该功能,最方便的解决方案是将以下内容添加到前缀标题(.pch)中:
For enabling that feature, the most convenient solution is to add the following to your prefix header (.pch):
#ifdef DEBUG
#define _AFNETWORKING_ALLOW_INVALID_SSL_CERTIFICATES_
#endif
再一次,我不能强调你应该避免在生产代码中启用该功能 - 你几乎会使SSL连接的整个点无效并使它们易受攻击。
Once again, I can not emphasize enough that you should refrain from enabling that feature in production code - you would pretty much invalidate the entire point of SSL connections and render them vulnerable.