在信任评估的同时不断获得kSecTrustResultRecoverableTrustFailure - iphone

Question

我想与我的服务器进行安全通信，这就是我正在做的事情......

NSURLProtectionSpace *protectionSpace = [challenge protectionSpace];
SecTrustRef trust = [protectionSpace serverTrust];
NSURLCredential *credential = [NSURLCredential credentialForTrust:trust];

    SecPolicyRef myPolicy = SecPolicyCreateBasicX509();

NSArray * certs = [[NSArray alloc] initWithObjects:(id)certificate,nil]; //certificate is my server's cert.
credential = [NSURLCredential credentialForTrust:trust];

    SecTrustSetAnchorCertificates(trust,
                                  (CFArrayRef) [NSArray arrayWithObject:(id) certificate ]);    

OSStatus status = SecTrustCreateWithCertificates(certs, myPolicy, &trust);

SecTrustResultType trustResult = 0;

if (status == noErr) {
    status = SecTrustEvaluate(trust, &trustResult);
}

    NSLog(@"Trust I get: %d", trustResult);
[certs release];

if (trustResult == kSecTrustResultRecoverableTrustFailure) {
    NSLog(@"Recoverable Failure");
    CFAbsoluteTime trustTime,currentTime,timeIncrement,newTime;
    CFDateRef newDate;

    trustTime = SecTrustGetVerifyTime(trust);             
    timeIncrement = 31536000;                               
    currentTime = CFAbsoluteTimeGetCurrent();              
    newTime = currentTime - timeIncrement;                  
    if (trustTime - newTime){                               
        newDate = CFDateCreate(NULL, newTime);              
        SecTrustSetVerifyDate(trust, newDate);            
        status = SecTrustEvaluate(trust, &trustResult);   
    }
    NSLog(@"Trust again:%d", trustResult);// AGAIN kSecTrustResultRecoverableTrustFailure(5) over here

}

任何人都知道为什么会这样...... 似乎它不是关于证书的到期（实际上也不是这样），但可能是原因。

谢谢

人

Answer 1

如果

，则会发生

SecTrustResultRecoverableTrustFailure

• 证书是md5哈希（IOS5）
• 服务器不提供根证书和中间证书
• 设置SecTrustSetAnchorCertificatesOnly（trust，YES），锚证书仅在内置锚证书中
• 证书已过期
• ？

我通过配置网络服务器来发送整个证书链而不是仅发送服务器证书来解决我的问题。

通过配置我的apache mod_ssl： https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcertificatechainfile