iOS AFNetworking HTTPS Authentication

Source: Internet
Author: User

The specific process of two-way (mutual) authentication in the HTTPS SSL protocol:

Here is a summary of the detailed steps:

① The browser sends a connection request to the secure server.

② The server sends its own certificate, together with the information associated with the certificate, to the client's browser.

③ The client browser checks whether the certificate sent by the server was issued by a CA that the client trusts. If it was, the protocol continues; if not, the browser shows the user a warning that the certificate is not trustworthy and asks whether to continue.

④ The client browser then compares the information in the certificate, such as the domain name and the public key, with the message the server has just sent. If they are consistent, the browser accepts the server's identity as legitimate.

⑤ The server requires the client to send its own certificate. On receipt, the server verifies the client's certificate and refuses the connection if verification fails; if it succeeds, the server obtains the client's public key.

⑥ The client browser tells the server which symmetric cipher schemes it can support for the communication.

⑦ From the cipher schemes offered by the client, the server selects the one with the strongest encryption, encrypts the choice with the client's public key and notifies the browser.

⑧ For the chosen cipher scheme, the browser selects a session key, encrypts it with the server's public key and sends it to the server.

⑨ The server receives the message sent by the browser, decrypts it with its own private key and obtains the session key.

⑩ All further communication between server and browser uses the symmetric cipher scheme; the symmetric key itself was transmitted in encrypted form.

HTTPS bidirectional authentication with AFNetworking

In general, if an app uses a web service, we need to prevent data sniffing to keep the data safe. The common practice is to use SSL for the connection so that the traffic cannot be captured and sniffed.

In fact, that alone is not enough. We also need to prevent man-in-the-middle attacks (look the term up if you are not familiar with it). If an attacker can make the app connect to a spoofed server that presents a fake SSL certificate, that is a serious problem. So how do you prevent a man-in-the-middle attack?

First, the web server must provide an SSL certificate (a .crt file), and the app is then set up to connect only to servers that present that valid SSL certificate.

Before you start writing code, convert the .crt file into a .cer file and add it to the Xcode project.

The conversion can be done with OpenSSL:

openssl x509 -in your_certificate.crt -out your_certificate.cer -outform der

With AFNetworking, this takes only two steps.

Step one: add a class method that builds the security policy.

+ (AFSecurityPolicy *)customSecurityPolicy {
    // Import the certificate first: path of the .cer file in the app bundle
    NSString *cerPath = [[NSBundle mainBundle] pathForResource:@"Hgcang" ofType:@"cer"];
    NSData *certData = [NSData dataWithContentsOfFile:cerPath];

    // AFSSLPinningModeCertificate: validate the server against the pinned certificate
    AFSecurityPolicy *securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate];

    // allowInvalidCertificates: whether to accept invalid (i.e. self-signed) certificates; the default is NO.
    // If a self-signed certificate must be verified, this has to be set to YES.
    securityPolicy.allowInvalidCertificates = YES;

    // validatesDomainName: whether to verify the domain name; the default is YES.
    // If the domain name in the certificate does not match the domain name you request, this is set to NO.
    // With NO, a certificate issued by some other trusted authority can also establish a connection, which is
    // very dangerous, so it is recommended to keep this enabled. Setting it to NO is mainly for the case where
    // the client requests a subdomain and the certificate is for a different name: the domain name on an SSL
    // certificate is specific, so if the certificate is registered for www.google.com, mail.google.com cannot
    // be verified. A wildcard name such as *.google.com can be registered, but it is relatively expensive.
    // If you set this to NO, add your own check logic for the expected domain name.
    securityPolicy.validatesDomainName = NO;

    securityPolicy.pinnedCertificates = @[certData];
    return securityPolicy;
}

Step two: in the request method, a single extra line applies the policy.

+ (void)post:(NSString *)url params:(NSDictionary *)params success:(void (^)(id))success failure:(void (^)(NSError *))failure {
    // 1. Get the request manager
    AFHTTPRequestOperationManager *mgr = [AFHTTPRequestOperationManager manager];

    // 2. Declare that the returned result is of type text/html
    mgr.responseSerializer = [AFHTTPResponseSerializer serializer];

    // Adding this line enables HTTPS SSL authentication
    [mgr setSecurityPolicy:[self customSecurityPolicy]];

    // 3. Send the POST request
    [mgr POST:url parameters:params success:^(AFHTTPRequestOperation *operation, id responseObj) {
        if (success) {
            success(responseObj);
        }
    } failure:^(AFHTTPRequestOperation *operation, NSError *error) {
        if (failure) {
            failure(error);
        }
    }];
}
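The following Python model is an added example, not code from the original article or from AFNetworking. It shows the two checks the policy above combines: certificate pinning by exact DER comparison (the AFSSLPinningModeCertificate behaviour), and the hostname check you must supply yourself once validatesDomainName is set to NO, including the www.google.com / mail.google.com / *.google.com cases the comments describe. The certificate bytes are constructed placeholders standing in for real DER data.

```python
# Constructed placeholder "DER" bytes standing in for certificates (not real X.509 data).
PINNED_CERT_DER = b"constructed-der-of-the-bundled-cer-file"
OTHER_CA_CERT_DER = b"constructed-der-issued-by-some-other-trusted-ca"


def chain_is_pinned(server_chain, pinned):
    """Certificate pinning as configured in the article (AFSSLPinningModeCertificate):
    the connection is accepted only if some certificate in the server's chain is
    byte-identical to a pinned certificate. A certificate from any other CA,
    however valid its signature chain, does not pass."""
    return any(cert in pinned for cert in server_chain)


def hostname_matches(cert_name, requested_host):
    """Domain check to add when validatesDomainName is turned off.
    Plain names must match case-insensitively; a wildcard such as *.google.com
    covers exactly one label, so it matches mail.google.com but neither
    google.com (no label) nor deep.mail.google.com (two labels)."""
    cert_name = cert_name.lower().rstrip(".")
    requested_host = requested_host.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == requested_host
    suffix = cert_name[1:]  # "*.google.com" -> ".google.com"
    if not requested_host.endswith(suffix):
        return False
    label = requested_host[: -len(suffix)]
    return bool(label) and "." not in label


def evaluate_server_trust(server_chain, cert_name, requested_host, pinned,
                          validates_domain_name=True):
    """Combined decision: the pin check always runs; the name check runs unless
    the caller has disabled it, which is exactly the situation in which the
    article says to add your own domain logic."""
    if not chain_is_pinned(server_chain, pinned):
        return False
    if validates_domain_name and not hostname_matches(cert_name, requested_host):
        return False
    return True
```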
