HTTPS adaptation



HTTPS cover

At the WWDC 2016 developer conference, Apple announced a deadline: App Transport Security must be enabled for all apps in the App Store by January 1, 2017. In other words, from 2017 on, network requests have to move from HTTP to HTTPS. For this reason I also wanted to try adapting my network requests to HTTPS. Since I had no previous experience configuring a server, and what is written online is not detailed, I stepped on a lot of pits and spent a full day on it. I am now writing down my configuration flow in the hope that readers can avoid some detours. (Online tutorials exist, but they are very confusing and hard to understand; here I intend to describe it in the plainest language.)

A misconception: HTTPS is independent of the server language

At first I thought HTTPS would work like an HTTP header: write some PHP code (the server language is PHP), process and verify the client's certificate, then return the result (similar to token authentication). So at first I searched for "how does PHP handle HTTPS requests", and all the results were introductions to "how to send HTTPS requests with PHP". After a period of confusion I realized that handling HTTPS does not require PHP to do anything: your server (such as Apache) has already done the verification for you, and you only need to process the data exactly as you would for an HTTP request. That is, adding HTTPS to a server does not require anything in the code; it only needs to be configured on the server.

As for the HTTPS handshake process, I think it should be understood; you can refer to this material: HTTPS handshake process.

Simply put: the client sends a request to the server, the server sends its certificate to the client, the client verifies whether the certificate is valid, then uses the data in the certificate to encrypt the data it transmits to the server, and the server decrypts it.

Generating the certificate files

From the principle above we know that HTTPS transmission first requires a certificate. I also ran into many pitfalls generating certificates: almost every site says to generate 2 certificates, server.pem and client.pem. At first I configured server.pem on the server and gave client.pem to AFNetworking, and the result could not pass verification! Later I found that as long as AFNetworking uses server.pem for verification it works, that is, one certificate is enough... (I really do not know why there are 2 certificates; experts are welcome to point it out.)

Below I post the command-line code, mainly referencing this article: reference article

# Step 1: prepare the public and private keys for the server side and the client
# Generate the server-side private key
openssl genrsa -out server.key 1024
# Generate the server-side public key
openssl rsa -in server.key -pubout -out server.pem

# Step 2: generate the CA certificate
# Generate the CA private key
openssl genrsa -out ca.key 1024
# Certificate Signing Request (CSR) management
openssl req -new -key ca.key -out ca.csr
# Certificate data management
openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt

In the second step an interactive prompt appears asking for information (I filled in everything; you can refer to it, and some fields can be left empty):

Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Zhejiang
Locality Name (eg, city) []:hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:my ca
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:

One thing to note here: Common Name (e.g. server FQDN or YOUR name) [] is the domain name that will ultimately be accessed. For convenience of testing I wrote localhost; if you are generating a certificate for a website, you need to write xxxx.com.

# Step 3: generate the server-side certificate
# The server must apply to the CA for a signed certificate; before applying, it again creates its own CSR file
openssl req -new -key server.key -out server.csr
# Apply to our own CA for the certificate; signing needs the CA's certificate and private key, and finally issues a certificate carrying the CA's signature
openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt

This step also prompts for information; fill it in as before.

# Step 4: generate the .cer file by converting with openssl
openssl x509 -in server.crt -out server.cer -outform der
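The four steps above as one non-interactive script, followed by the checks a client such as AFNetworking will effectively perform on the result (chain to the CA, domain name, and that the .cer is the same certificate as server.crt). This is an added example, not code from the original post or its reference article. It assumes openssl is on PATH and that the host is localhost as in the post; it deviates from the post in three labelled ways: 2048-bit keys instead of 1024 (1024-bit RSA is rejected by current clients), a CA with its own subject plus basicConstraints so that it is a real CA rather than a copy of the server's subject, and a subjectAltName on the server certificate, because modern clients match the hostname against the SAN rather than the CN.

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumptions: openssl on PATH,
# hostname localhost (override with CN=...), scratch directory from mktemp.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CN="${CN:-localhost}"

make_certs() {
    cd "$WORKDIR"
    # Step 1: server key pair (server.pem is the bare public key, as in the post)
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl rsa -in server.key -pubout -out server.pem 2>/dev/null
    # Step 2: CA key, CSR and self-signed CA certificate.
    # Assumption: the CA gets a distinct subject and CA:TRUE (the post used the
    # server's own subject and no extensions).
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -key ca.key -out ca.csr -subj "/C=CN/ST=Zhejiang/L=hangzhou/O=my ca/CN=my ca root"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt -days 365 -extfile ca.ext 2>/dev/null
    # Step 3: server CSR, then a certificate signed by our CA.
    # Assumption: SAN added so that hostname matching works on current clients.
    openssl req -new -key server.key -out server.csr -subj "/C=CN/ST=Zhejiang/L=hangzhou/O=my ca/CN=$CN"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$CN" > server.ext
    openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt \
        -days 365 -extfile server.ext 2>/dev/null
    # Step 4: DER-encoded copy for the app bundle
    openssl x509 -in server.crt -out server.cer -outform der
}

# Does server.crt chain to ca.crt, and does it cover the given hostname?
# These are the two checks the client performs (chain, then domain name).
host_check() {
    if openssl verify -CAfile "$WORKDIR/ca.crt" -verify_hostname "$1" "$WORKDIR/server.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# The CN the certificate was issued for, read back from the DER .cer file.
cert_cn() {
    openssl x509 -in "$WORKDIR/server.cer" -inform der -noout -subject \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Is server.cer the same certificate as server.crt (only the encoding differs)?
same_cert() {
    a=$(openssl x509 -in "$WORKDIR/server.crt" -outform der | openssl dgst -sha256 | awk '{print $NF}')
    b=$(openssl dgst -sha256 < "$WORKDIR/server.cer" | awk '{print $NF}')
    [ "$a" = "$b" ] && echo same || echo different
}

make_certs
echo "files in $WORKDIR: $(ls "$WORKDIR" | tr '\n' ' ')"
echo "chain+hostname for $CN: $(host_check "$CN")"
echo "chain+hostname for other.example: $(host_check other.example)"
echo "CN in server.cer: $(cert_cn), cer matches crt: $(same_cert)"
```

The second host_check call uses a constructed name (other.example) to show the hostname mismatch that validatesDomainName in AFNetworking would also reject; this is the check you lose when that flag is turned off later in the post.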

If everything went right, you will end up with these files.


Certificate File Configuration Server

For convenience, I use my Mac as a local server, built with XAMPP, which uses Apache. On other servers the file paths may differ, but the rest should be the same. If your server does not have SSL enabled, you can search online for how to enable it.

Edit the httpd-ssl.conf file; just point the server.crt and server.key paths at the right files:

SSLCertificateFile /apache/conf/server.crt
SSLCertificateKeyFile /apache/conf/server.key

Because SSL is enabled by default on my server, I only need to change the certificate paths.
Now let's access it from the browser.


Browser access to HTTPS

Click the box I marked to view the certificate; you can see the data we just filled in.


The certificate returned by the server


Because every server is configured differently, there is no universal recipe; configure it according to your own server's situation.

Configure Afnetworking

Here is the code directly.

#import <AFNetworking/AFNetworking.h>

@interface NetworkHelpManager : NSObject
+ (AFSecurityPolicy *)customSecurityPolicy;
+ (void)post:(NSString *)url params:(NSDictionary *)params success:(void (^)(id))success failure:(void (^)(NSError *))failure;
@end

@implementation NetworkHelpManager

+ (AFSecurityPolicy *)customSecurityPolicy {
    // Load the certificate first: path of server.cer inside the app bundle
    NSString *cerPath = [[NSBundle mainBundle] pathForResource:@"server" ofType:@"cer"];
    NSData *certData = [NSData dataWithContentsOfFile:cerPath];
    // AFSSLPinningModeCertificate: validate using the pinned certificate
    AFSecurityPolicy *securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate];
    // allowInvalidCertificates: whether to allow invalid (i.e. self-built) certificates, default NO.
    // To validate a self-built certificate it must be set to YES.
    securityPolicy.allowInvalidCertificates = YES;
    // validatesDomainName: whether to verify the domain name, default YES.
    // If the certificate's domain name does not match the requested domain, this must be set to NO.
    // With NO, the server can also establish a connection using a certificate issued by another
    // trusted authority, which is very dangerous, so keeping it enabled is recommended.
    // NO is mainly for this case: the client requests a subdomain while the certificate is for a
    // different domain name. Domain names on an SSL certificate are independent: if the certificate
    // is registered for www.google.com, then mail.google.com cannot be verified; the wealthy can
    // register the wildcard name *.google.com, but that is still relatively expensive.
    // If set to NO, adding your own check of the corresponding domain name is recommended.
    securityPolicy.validatesDomainName = NO;
    // AFNetworking 3.x expects an NSSet here (2.x took an NSArray)
    securityPolicy.pinnedCertificates = [NSSet setWithObject:certData];
    return securityPolicy;
}

+ (void)post:(NSString *)url
      params:(NSDictionary *)params
     success:(void (^)(id))success
     failure:(void (^)(NSError *))failure {
    // 1. Get the request manager
    AFHTTPSessionManager *mgr = [AFHTTPSessionManager manager];
    // 2. Declare that the returned result is of type text/html
    mgr.responseSerializer = [AFHTTPResponseSerializer serializer];
    // Add this line for HTTPS SSL validation
    [mgr setSecurityPolicy:[NetworkHelpManager customSecurityPolicy]];
    // 3. Send the POST request (AFHTTPSessionManager hands the task to both blocks)
    [mgr POST:url parameters:params success:^(NSURLSessionDataTask *task, id responseObj) {
        if (success) {
            success(responseObj);
        }
    } failure:^(NSURLSessionDataTask *task, NSError *error) {
        if (failure) {
            failure(error);
        }
    }];
}

@end

And remember to add the certificate to the project.


Certificates in the Project

The following describes the validation modes of the certificate, i.e. the pinning mode passed in:

AFSecurityPolicy *securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate];

    • AFSSLPinningModeNone

No validation is done; as long as the server returns a certificate, it passes.

    • AFSSLPinningModePublicKey

Only the public key part is verified: as long as the public key matches, validation passes (only the part in the red box has to be consistent).


Client and server-side certificate comparison
    • AFSSLPinningModeCertificate

Besides the public key, the remaining fields must also match to pass validation.
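What the two pinning modes actually compare, shown on three constructed self-signed certificates: the original, a renewal with the same key but a new validity period, and a re-issue with a fresh key. Certificate pinning hashes the whole DER certificate, so the renewed certificate stops matching; public-key pinning hashes only the SubjectPublicKeyInfo, so it survives renewal and breaks only when the key changes. This is an added example, not code from the post or from AFNetworking; it assumes openssl is on PATH, and the certificates it generates are constructed for the comparison and are not the post's files.

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumptions: openssl on PATH,
# scratch directory from mktemp, three constructed self-signed certificates.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

make_certs() {
    cd "$WORKDIR"
    openssl genrsa -out key1.pem 2048 2>/dev/null
    openssl genrsa -out key2.pem 2048 2>/dev/null
    # original certificate
    openssl req -x509 -new -key key1.pem -out original.crt -days 365 -subj "/CN=localhost"
    # renewed: same key, new validity period and serial number
    openssl req -x509 -new -key key1.pem -out renewed.crt -days 730 -subj "/CN=localhost"
    # rekeyed: same subject, but a fresh key pair
    openssl req -x509 -new -key key2.pem -out rekeyed.crt -days 365 -subj "/CN=localhost"
}

# SHA-256 of the DER certificate: what AFSSLPinningModeCertificate effectively pins.
cert_fp() {
    openssl x509 -in "$WORKDIR/$1" -outform der | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the DER SubjectPublicKeyInfo: what AFSSLPinningModePublicKey pins.
spki_fp() {
    openssl x509 -in "$WORKDIR/$1" -pubkey -noout \
        | openssl pkey -pubin -outform der | openssl dgst -sha256 | awk '{print $NF}'
}

# "same" or "different" for one pinning mode, comparing the pinned file
# with the file the server would present. $1 = cert|spki, $2 = pinned, $3 = presented
pin_result() {
    if [ "$1" = cert ]; then
        a=$(cert_fp "$2"); b=$(cert_fp "$3")
    else
        a=$(spki_fp "$2"); b=$(spki_fp "$3")
    fi
    [ "$a" = "$b" ] && echo same || echo different
}

make_certs
for presented in original.crt renewed.crt rekeyed.crt; do
    echo "$presented: certificate pin $(pin_result cert original.crt "$presented"), public-key pin $(pin_result spki original.crt "$presented")"
done
```

The practical consequence for the post's setup is operational: with AFSSLPinningModeCertificate, every renewal of server.crt requires shipping a new server.cer in the app, whereas public-key pinning only requires an app update when the server key itself is rotated.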

Configuration results

Let's capture a packet with Charles to see whether the traffic is encrypted successfully.


Capture result

In the returned data you can faintly make out our certificate, but the data itself is encrypted.

Summary

Configuring HTTPS is not difficult, and since it has to be done sooner or later, it is better to configure it early. In fact, most of the time it is not that we don't want to do it, but that we cannot avoid it. With a little more patience and a little more practice, you can make a few more breakthroughs.

I am Rolling Cow Baby; comments and discussion are welcome ~
