我尝试在OS X和iOS(8.1版本)上的openssl之间使用SSL TCP连接。 Exception Domains有192.168.0.104。
Swift iOS代码:
class SSLSocketLite {
// The input stream.
private var inStream: NSInputStream?
// The output stream.
private var outStream: NSOutputStream?
// The host to connect to.
private var host: String
// The port to connect on.
private var port: Int
init(inHost:String, inPort:Int) {
host = inHost
port = inPort
NSStream.getStreamsToHostWithName(host, port: port, inputStream: &inStream, outputStream: &outStream)
}
func Open() {
inStream?.open()
outStream?.open()
inStream?.setProperty(NSStreamSocketSecurityLevelTLSv1, forKey: NSStreamSocketSecurityLevelKey)
outStream?.setProperty(NSStreamSocketSecurityLevelTLSv1, forKey: NSStreamSocketSecurityLevelKey)
inStream?.scheduleInRunLoop(.mainRunLoop(), forMode: NSDefaultRunLoopMode)
outStream?.scheduleInRunLoop(.mainRunLoop(), forMode: NSDefaultRunLoopMode)
}
func Read() -> String! {
var buffer = Array<UInt8>(count:1024, repeatedValue: 0)
if inStream!.hasBytesAvailable {
inStream!.read(&buffer, maxLength: 1024)
let responseString = NSString(bytes: buffer, length: buffer.count, encoding: NSUTF8StringEncoding) as! String
return responseString
}
return nil
}
func Write(msg:String) {
let data:NSData = msg.dataUsingEncoding(NSUTF8StringEncoding, allowLossyConversion: false)!
outStream!.write(UnsafePointer(data.bytes), maxLength: data.length)
}
func Close() {
inStream?.close()
outStream?.close()
}
}
class ViewController: UIViewController {
override func viewDidLoad() {
super.viewDidLoad()
let sslsock = SSLSocketLite(inHost: "192.168.0.104", inPort: 1678)
sslsock.Open()
}
override func didReceiveMemoryWarning() {
super.didReceiveMemoryWarning()
// Dispose of any resources that can be recreated.
}
}
在OS X方面,我使用以下方法创建了证书和密钥:
openssl req -x509 -newkey rsa:1024 -keyout key.key -out key.crt -days 365 -nodes
使用以下命令启动TCP SSL服务器:
openssl s_server -key key.key -cert key.crt -accept 1678
之后我在iOS端获得CFNetwork SSLHandshake failed (-9807),在OS X端获得bad gethostbyaddr。我该如何解决这个问题?
UPD:
1。touch openssl-ca.cnf
2.在openssl-ca.cnf中粘贴。一行改变了:
commonName_default = localhost
3。openssl req -x509 -config openssl-ca.cnf -newkey rsa:4096 -sha256 -nodes -out cacert.pem -outform PEM
4。touch openssl-server.cnf
5.在openssl-server.cnf中粘贴。两条线改变了:
commonName_default = localhost
DNS.1 = localhost
6。openssl req -config openssl-server.cnf -newkey rsa:2048 -sha256 -nodes -out servercert.csr -outform PEM
7.在openssl-ca.cnf中增加了2 + 1个部分:
[ CA_default ]
...
base_dir = .
certificate = $base_dir/cacert.pem # The CA certifcate
private_key = $base_dir/cakey.pem # The CA private key
new_certs_dir = $base_dir # Location for new certs after signing
database = $base_dir/index.txt # Database index file
serial = $base_dir/serial.txt # The current serial number
unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
...
####################################################################
[ signing_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ signing_req ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
8。touch index.txt
9。echo '01' > serial.txt
10。openssl ca -config openssl-ca.cnf -policy signing_policy -extensions signing_req -out servercert.pem -infiles servercert.csr
11。openssl x509 -in servercert.pem -inform PEM -out servercert.der -outform DER
12.在iOS项目中添加了servercert.der
13。let sslsock = SSLSocketLite(inHost: "localhost", inPort: 1678)
14.Exception Domains - &gt; + localhost
15。openssl s_server -key serverkey.pem -cert servercert.pem -accept 1678
openssl-ca.cnf的最终版本:
HOME = .
RANDFILE = $ENV::HOME/.rnd
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
default_days = 1000 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # use public key default MD
preserve = no # keep passed DN ordering
x509_extensions = ca_extensions # The extensions to add to the cert
email_in_dn = no # Don't concat the email in the DN
copy_extensions = copy # Required to copy SANs from CSR to cert
base_dir = .
certificate = $base_dir/cacert.pem # The CA certifcate
private_key = $base_dir/cakey.pem # The CA private key
new_certs_dir = $base_dir # Location for new certs after signing
database = $base_dir/index.txt # Database index file
serial = $base_dir/serial.txt # The current serial number
unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
####################################################################
[ req ]
default_bits = 4096
default_keyfile = cakey.pem
distinguished_name = ca_distinguished_name
x509_extensions = ca_extensions
string_mask = utf8only
####################################################################
[ ca_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Maryland
localityName = Locality Name (eg, city)
localityName_default = Baltimore
organizationName = Organization Name (eg, company)
organizationName_default = Test CA, Limited
organizationalUnitName = Organizational Unit (eg, division)
organizationalUnitName_default = Server Research Department
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = localhost
emailAddress = Email Address
emailAddress_default = test@example.com
####################################################################
[ ca_extensions ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always, issuer
basicConstraints = critical, CA:true
keyUsage = keyCertSign, cRLSign
####################################################################
[ signing_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ signing_req ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
openssl-server.cnf的最终版本:
HOME = .
RANDFILE = $ENV::HOME/.rnd
####################################################################
[ req ]
default_bits = 2048
default_keyfile = serverkey.pem
distinguished_name = server_distinguished_name
req_extensions = server_req_extensions
string_mask = utf8only
####################################################################
[ server_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = MD
localityName = Locality Name (eg, city)
localityName_default = Baltimore
organizationName = Organization Name (eg, company)
organizationName_default = Test CA, Limited
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = localhost
emailAddress = Email Address
emailAddress_default = test@example.com
####################################################################
[ server_req_extensions ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"
####################################################################
[ alternate_names ]
DNS.1 = localhost
iOS输出:
SwiftPlayground [917:31077] CFNetwork SSLHandshake失败(-9807)
OpenSSL s_server输出(没有发生):
Using default temp DH parameters Using default temp ECDH parameters ACCEPT
答案 0 :(得分:0)
我写了一个软件包来帮助解决这个问题,很不幸,对您来说,它是Obj-C,但是我那里确实有资源,即创建可以与新的iOS 13 TLS限制一起使用的证书。这是用于创建CA,中间CA和服务器/用户证书的教程的链接。
https://jamielinux.com/docs/openssl-certificate-authority/introduction.html
如果您完全按照它进行操作,您将拥有有效的证书,但本教程未考虑到最新的更改之一。但是,如果您使用我的配置文件,那么只要您按照本教程的过程进行操作,我就进行了必要的细微更改,以使证书可以正常工作-在这里您可以找到这些配置文件:
https://github.com/eamonwhiter73/IOSObjCWebSockets
您将必须对配置文件进行一些小的更改-您的基本路径,以及DNS名称始终在每个文件的底部。