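Xamarin WKWebView: accepting self-signed certificates

Time: 2017-11-20 20:22:18

Tags: xamarin webview xamarin.ios wkwebview

I have looked at various examples online of how to accept them, but I always get: An SSL error has occurred and a secure connection to the server cannot be made.

I will note that the method is definitely being called (running on the iOS 8.4 simulator and on an actual iOS 11 device), so the method not being called is not the problem here.

What I have tried so far (obviously I only use this code in development, not in production, blah blah blah):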

1:

    public override void DidReceiveAuthenticationChallenge(WKWebView webView, NSUrlAuthenticationChallenge challenge, Action<NSUrlSessionAuthChallengeDisposition, NSUrlCredential> completionHandler) {
        SecTrust serverTrust = challenge.ProtectionSpace.ServerSecTrust;
        completionHandler(NSUrlSessionAuthChallengeDisposition.UseCredential, new NSUrlCredential(serverTrust));
    }

2:

    public override void DidReceiveAuthenticationChallenge(WKWebView webView, NSUrlAuthenticationChallenge challenge, Action<NSUrlSessionAuthChallengeDisposition, NSUrlCredential> completionHandler) {
        SecTrust serverTrust = challenge.ProtectionSpace.ServerSecTrust;
        completionHandler(NSUrlSessionAuthChallengeDisposition.UseCredential, NSUrlCredential.FromTrust(serverTrust));
    }

3:

    public override void DidReceiveAuthenticationChallenge(WKWebView webView, NSUrlAuthenticationChallenge challenge, Action<NSUrlSessionAuthChallengeDisposition, NSUrlCredential> completionHandler) {
        SecTrust serverTrust = challenge.ProtectionSpace.ServerSecTrust;
        NSData exceptions = serverTrust.GetExceptions();
        serverTrust.SetExceptions(exceptions);
        exceptions.Dispose();
        completionHandler(NSUrlSessionAuthChallengeDisposition.UseCredential, NSUrlCredential.FromTrust(serverTrust));
    }

4:

    public override void DidReceiveAuthenticationChallenge(WKWebView webView, NSUrlAuthenticationChallenge challenge, Action<NSUrlSessionAuthChallengeDisposition, NSUrlCredential> completionHandler) {
        SecTrust serverTrust = challenge.ProtectionSpace.ServerSecTrust;    //TODO: Get the following working (currently we still receive SSL errors)
        NSData exceptions = serverTrust.GetExceptions();
        serverTrust.SetExceptions(exceptions);
        exceptions.Dispose();

        challenge.Sender.UseCredential(NSUrlCredential.FromTrust(serverTrust), challenge);
        completionHandler(NSUrlSessionAuthChallengeDisposition.UseCredential, NSUrlCredential.FromTrust(serverTrust));
    }

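What am I doing wrong? Thanks.

1 answer:

Answer 0: (score: 2)

To support self-signed certificates, here is what you have to do:

  1. Allow NSExceptionAllowsInsecureHTTPLoads on your self-signed domain
    • Even though you are using https, your app is flagged as having trust issues
  2. Bypass the certificate security check
  3. Security note 2: Obtain a CA-issued certificate for any production app, because this completely disables certificate validation on your domain, which allows MITM attacks, DNS redirect spoofing of your app, and so on. You could pin the certificate by including the public cer in the main bundle and checking it against the received certificate, but that just means a fake certificate would need to be generated in a MITM or DNS spoofing attack (and the tools for that already exist in various exploit kits).

    Example using the https://badssl.com site:

    WKNavigationDelegate: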

    using System;
    using Foundation;
    using WebKit;

    public class NavigationDelegate : WKNavigationDelegate
    {
        const string host = "self-signed.badssl.com";
        public override void DidReceiveAuthenticationChallenge(WKWebView webView, NSUrlAuthenticationChallenge challenge, Action<NSUrlSessionAuthChallengeDisposition, NSUrlCredential> completionHandler)
        {
            switch (challenge.ProtectionSpace.Host)
            {
                case host:
                    using (var cred = NSUrlCredential.FromTrust(challenge.ProtectionSpace.ServerSecTrust))
                    {
                        completionHandler.Invoke(NSUrlSessionAuthChallengeDisposition.UseCredential, cred);
                    }
                    break;
                default:
                    completionHandler.Invoke(NSUrlSessionAuthChallengeDisposition.PerformDefaultHandling, null);
                    break;
            }
        }
    }

    Note: assign an instance of this class to the NavigationDelegate or WeakNavigationDelegate of your WKWebView instance.

    Info.plist NSAppTransportSecurity:

    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSExceptionDomains</key>
        <dict>
            <key>self-signed.badssl.com</key>
            <dict>
                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                <true/>
            </dict>
        </dict>
    </dict>
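
The pinning variant mentioned in the answer's security note, written out as an added example (it is not the answer author's code). It accepts the self-signed host only when the presented leaf certificate is byte-identical to a copy shipped in the app bundle, and cancels the load otherwise. The class name `PinnedNavigationDelegate` and the bundle resource `pinned-server.cer` are hypothetical.

```csharp
using System;
using System.Linq;
using Foundation;
using Security;
using WebKit;

// Added example: pins the leaf certificate instead of trusting whatever the host presents.
public class PinnedNavigationDelegate : WKNavigationDelegate
{
    const string host = "self-signed.badssl.com"; // host used in the answer above

    // Assumption: the server's DER-encoded certificate ships in the main bundle
    // as "pinned-server.cer" (hypothetical file name).
    static readonly Lazy<byte[]> pinnedDer = new Lazy<byte[]>(() =>
    {
        var path = NSBundle.MainBundle.PathForResource("pinned-server", "cer");
        if (path == null) return null;
        using (var data = NSData.FromFile(path))
            return data?.ToArray();
    });

    public override void DidReceiveAuthenticationChallenge(WKWebView webView, NSUrlAuthenticationChallenge challenge, Action<NSUrlSessionAuthChallengeDisposition, NSUrlCredential> completionHandler)
    {
        var space = challenge.ProtectionSpace;
        SecTrust trust = space.ServerSecTrust; // null unless this is a server-trust challenge

        // Every other host and challenge type keeps the normal system validation.
        if (space.Host != host || trust == null)
        {
            completionHandler(NSUrlSessionAuthChallengeDisposition.PerformDefaultHandling, null);
            return;
        }
        if (pinnedDer.Value != null && trust.Count > 0 && LeafMatchesPin(trust))
        {
            using (var cred = NSUrlCredential.FromTrust(trust))
                completionHandler(NSUrlSessionAuthChallengeDisposition.UseCredential, cred);
            return;
        }
        // Missing pin file or a different certificate: fail closed.
        completionHandler(NSUrlSessionAuthChallengeDisposition.CancelAuthenticationChallenge, null);
    }

    static bool LeafMatchesPin(SecTrust trust)
    {
        using (var leaf = trust[0])      // index 0 is the server's own certificate
        using (var der = leaf.DerData)   // DER bytes as presented in the handshake
            return der.ToArray().SequenceEqual(pinnedDer.Value);
    }
}
```

A byte-for-byte match does not check the certificate's validity period, and the bundled copy has to be replaced whenever the server certificate is reissued.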