iOS core note-Network Programming-HTTPS Protocol

Source: Internet
Author: User
Tags: ssl, certificate

1, Basic use of HTTPS

1-1, Brief description of HTTPS:

Note: HTTPS (full name: Hyper Text Transfer Protocol over Secure Socket Layer) is a security-oriented HTTP channel; put simply, it is the secure version of HTTP.

Important: the SSL layer is added beneath HTTP. The security of HTTPS rests on SSL, so the details of the encryption are handled by SSL. HTTPS is a URI scheme (an abstract identifier system) whose syntax is identical to the http: scheme and which is used for secure HTTP data transfer.

Important: an https: URL indicates that HTTPS is used. HTTPS has a different default port from HTTP and an additional encryption/authentication layer (between HTTP and TCP).

2, The differences between HTTPS and HTTP come down to four points:

First, HTTPS requires applying to a CA for a certificate; free certificates are rare, and most cost a fee.

Second, HTTP is the Hypertext Transfer Protocol and transmits information in plaintext; HTTPS is the SSL-encrypted, secure transfer protocol.

Third, HTTP and HTTPS use completely different connection methods and different ports: the former uses 80, the latter 443.

Fourth, an HTTP connection is simple and stateless; HTTPS is a protocol built from SSL + HTTP that adds encrypted transmission and identity authentication, and is therefore more secure than HTTP.

3, Brief description:

1, The main idea of HTTPS is to create a secure channel over an insecure network and, when suitable cipher suites are used and the server certificate can be verified and trusted, to provide reasonable protection against eavesdropping and man-in-the-middle attacks.

2, The trust chain of HTTPS rests on certificate authorities (such as VeriSign, Microsoft, etc.) that are pre-installed in the browser (meaning "I trust the certificate authority to tell me whom I should trust").

3, Therefore an HTTPS connection to a website can be trusted; if the server sets up its HTTPS channel with a self-signed certificate, clients generally do not trust it.

4, So when we visit some HTTPS sites in a browser, a prompt appears asking whether to continue.

4, Impact on development:

Important: if the server we access presents a digital certificate it created itself rather than one issued by a CA, iOS will not trust or accept that certificate by default, so we must configure the client to accept the server's certificate (or install the certificate on the device).

4-1, If NSURLSession is used to encapsulate the network request, the solution is as follows:

The sample program is as follows:

- (void)touchesBegan:(NSSet *)touches withEvent:(UIEvent *)event
{
    // The delegate (self) must adopt NSURLSessionDelegate so the challenge callback below is invoked.
    NSURLSession *session = [NSURLSession sessionWithConfiguration:[NSURLSessionConfiguration defaultSessionConfiguration]
                                                          delegate:self
                                                     delegateQueue:[NSOperationQueue mainQueue]];

    NSURLSessionDataTask *task = [session dataTaskWithURL:[NSURL URLWithString:@"https://www.apple.com"]
                                        completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
        NSLog(@"%@", [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding]);
    }];
    [task resume];
}

/*
 This delegate method is called whenever the requested address is HTTPS.
 In it we must tell the system whether to trust the certificate returned by the server.
 challenge: the authentication challenge (includes the protection space)
 protectionSpace: the protection space
 NSURLAuthenticationMethodServerTrust: the challenge type is "server trust"
 */
- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler
{
    // NSLog(@"didReceiveChallenge %@", challenge.protectionSpace);
    NSLog(@"called: outer layer");
    // 1. Determine the type of challenge the server sent: is it a server-trust challenge?
    if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        NSLog(@"called: inner layer, this is a server trust challenge");

        // NSURLCredential *credential = [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust];

        // Build a credential from the server's trust object and accept it (this trusts the self-signed certificate).
        NSURLCredential *card = [[NSURLCredential alloc] initWithTrust:challenge.protectionSpace.serverTrust];
        completionHandler(NSURLSessionAuthChallengeUseCredential, card);
    } else {
        // Any other challenge type: fall back to the system's default handling.
        // (The completion handler must be called on every path, otherwise the request hangs.)
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
    }
}

Important: the possible dispositions are
① NSURLSessionAuthChallengeUseCredential = 0: use the credential;

② NSURLSessionAuthChallengePerformDefaultHandling = 1: ignore the credential and apply the default handling;

③ NSURLSessionAuthChallengeCancelAuthenticationChallenge = 2: ignore the credential and cancel this request;

④ NSURLSessionAuthChallengeRejectProtectionSpace = 3: reject this challenge for now; it will be asked again next time.

5, ATS

5-1, ATS introduction:

1, iOS 9 added App Transport Security (ATS), so that requests that originally used HTTP are all moved to the TLS 1.2 protocol for transmission.

2, This means that all HTTP traffic is forced to use HTTPS.

3, If we make a plain HTTP request directly on iOS 9, we get an error: the system tells us that we cannot use HTTP directly and that the ATS configuration has to be controlled in Info.plist.

"NSAppTransportSecurity" is the root node of the ATS configuration; the settings placed under this node tell the system to use a custom ATS configuration.

"NSAllowsArbitraryLoads" is the node that controls whether ATS is disabled; setting it to YES disables ATS.

4, There are two workarounds: one is to modify the configuration so that the previous (HTTP) settings keep working. The other is to base all requests on the TLS 1.2 protocol. (This approach requires strict adherence to the official rules on cipher suites, certificates, etc.)

5-2, The ATS default requirements:

1, The server's TLS version is at least 1.2;

2, The connection may use only a few strong cipher suites;

3, Certificates must be signed with SHA-256 or a stronger hash algorithm, with either an RSA key of 2048 bits or longer or an ECC key of 256 bits or longer.

5-3, AFSecurityPolicy has three important attributes:

Important: 1, AFSSLPinningMode SSLPinningMode; this attribute indicates how AFSecurityPolicy validates the server.

BOOL allowInvalidCertificates; whether untrusted certificates are allowed to pass validation; default NO.

BOOL validatesDomainName; whether the host name is verified; default YES.

Important: 2, The "AFSSLPinningMode" enumeration has three values: AFSSLPinningModeNone, AFSSLPinningModePublicKey and AFSSLPinningModeCertificate.

"AFSSLPinningModeNone" means AFSecurityPolicy does no stricter validation: "as long as the system trusts the certificate" it passes; it is still affected by allowInvalidCertificates and validatesDomainName.

"AFSSLPinningModePublicKey" validates by comparing the public key part of the certificates: it obtains the public keys of the local certificate and the server certificate with SecTrustCopyPublicKey and compares them; if one matches, validation passes. This mode is mainly suited to HTTPS servers using self-built certificates and to authentication with higher security requirements.

"AFSSLPinningModeCertificate" sets the local certificate directly as a trusted root certificate, then evaluates the chain and additionally compares the contents of the local certificate and the server certificate; both checks must pass. This mode is suited to authentication with high security requirements.
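The following is an added example, not code from the original post or from AFNetworking: a challenge delegate that handles the same server-trust challenge as the 4-1 sample, but in the fail-closed style of AFSSLPinningModeCertificate. It assumes the app bundles a DER copy of the server certificate as server.cer (name assumed), used both as the only trust anchor (so a self-signed certificate can validate) and as the pin; PinnedSessionDelegate is a hypothetical class name.

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical delegate (not the original post's code). The app ships a DER
// copy of the server certificate as "server.cer" (name assumed); it is used
// both as the trust anchor (so a self-signed cert can validate) and as the pin.
@interface PinnedSessionDelegate : NSObject <NSURLSessionDelegate>
@end

@implementation PinnedSessionDelegate
- (BOOL)serverTrust:(SecTrustRef)trust isPinnedForHost:(NSString *)host {
    NSString *path = [[NSBundle mainBundle] pathForResource:@"server" ofType:@"cer"];
    NSData *pinned = path ? [NSData dataWithContentsOfFile:path] : nil;
    if (!pinned) return NO;                       // no pin configured: fail closed
    SecCertificateRef anchor = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)pinned);
    if (!anchor) return NO;
    // 1. Evaluate the chain with the bundled cert as the ONLY anchor and an SSL
    //    policy for the requested host, so host name and validity are both checked.
    SecPolicyRef policy = SecPolicyCreateSSL(true, (__bridge CFStringRef)host);
    SecTrustSetPolicies(trust, policy);
    SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)@[(__bridge id)anchor]);
    SecTrustSetAnchorCertificatesOnly(trust, true);
    CFErrorRef error = NULL;
    BOOL chainValid = SecTrustEvaluateWithError(trust, &error);
    if (error) CFRelease(error);
    CFRelease(policy);
    CFRelease(anchor);
    if (!chainValid) return NO;
    // 2. Pin: the DER bytes of the presented leaf must equal the bundled certificate.
    SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
    NSData *leafData = (__bridge_transfer NSData *)SecCertificateCopyData(leaf);
    return [leafData isEqualToData:pinned];
}

- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil); // not a TLS trust challenge
        return;
    }
    if ([self serverTrust:space.serverTrust isPinnedForHost:space.host]) {
        completionHandler(NSURLSessionAuthChallengeUseCredential,
                          [NSURLCredential credentialForTrust:space.serverTrust]);
    } else {
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil); // fail closed
    }
}
@end
```

Unlike the 4-1 sample, which accepts whatever trust object the server presents, this delegate cancels the request when the chain fails evaluation for the requested host or the leaf certificate is not the bundled one, and it always calls the completion handler exactly once.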

Important: 3, If the HTTPS server satisfies the ATS default requirements and its SSL certificate is issued by an authoritative CA, nothing needs to be done. If any of the above conditions is not met, the only option is to modify the ATS configuration.
