我从instantssl获得了我的crt,并使用open ssl创建了一个.p12 java keytool来使我成为一个java密钥库。
openssl pkcs12 -export -in AddTrustExternalCARoot.crt -in UTNAddTrustSGCCA.crt -in ComodoUTNSGCCA.crt -in EssentialSSLCA_2.crt -in www_geobomber_com.crt -inkey www.geobomber.com.key -out www.geobomber.com.p12
keytool -importkeystore -destkeystore www.thedomain.com.jks -srckeystore www.thedomain.com.p12 -srcstoretype PKCS12 -alias 1
我的SSL连接程序如下所示。这一切都运行,似乎很好。我的第一个问题是(NSDictionary *设置)设置正确吗? - 这是我成功连接SSL所需的全部内容。我的印象是我需要在iPhone上安装crts。
CFReadStreamRef readStream;
CFWriteStreamRef writeStream;
CFStreamCreatePairWithSocketToHost(NULL, (CFStringRef)@"www.thedomain.com", port, &readStream, &writeStream);
NSInputStream *inputStream = (__bridge_transfer NSInputStream *)readStream;
NSOutputStream *outputStream = (__bridge_transfer NSOutputStream *)writeStream;
[inputStream open];
[outputStream open];
BOOL result = [inputStream setProperty:NSStreamSocketSecurityLevelNegotiatedSSL forKey:NSStreamSocketSecurityLevelKey];
NSLog(@"inputStream result %i",result);
result =[outputStream setProperty:NSStreamSocketSecurityLevelNegotiatedSSL forKey:NSStreamSocketSecurityLevelKey];
NSLog(@"outputStream result %i",result);
if (YES){
NSDictionary *settings = [[NSDictionary alloc] initWithObjectsAndKeys:
[NSNumber numberWithBool:NO], kCFStreamSSLAllowsExpiredCertificates,
[NSNumber numberWithBool:NO], kCFStreamSSLAllowsAnyRoot,
[NSNumber numberWithBool:YES], kCFStreamSSLValidatesCertificateChain,
kCFNull,kCFStreamSSLPeerName,
nil];
CFReadStreamSetProperty((CFReadStreamRef)inputStream, kCFStreamPropertySSLSettings, (CFTypeRef)settings);
CFWriteStreamSetProperty((CFWriteStreamRef)outputStream, kCFStreamPropertySSLSettings, (CFTypeRef)settings);
}
//endstuff
NSString *response = @"hello from iphone stream";
NSData *data = [[NSData alloc] initWithData:[response dataUsingEncoding:NSASCIIStringEncoding]];
NSLog(@"going to try to write.");
[outputStream write:[data bytes] maxLength:[data length]];
答案 0 :(得分:2)
如果您的证书由认可的CA签名,则您无需对客户端执行任何操作。客户端应该已经信任已识别的CA.