Issues with using self-signed certificate for https

I have the following questions about using self-signed certificates for https:

1. According to the information I read online, a self-signed certificate requires the client to import the certificate and then verify it. If the certificate is not verified, what are the risks and problems of directly using the sent credentials for communication?

- (void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    // 1) Get the trust object
    SecTrustRef trust = challenge.protectionSpace.serverTrust;
    NSURLCredential *cred = [NSURLCredential credentialForTrust:trust];
    [challenge.sender useCredential:cred forAuthenticationChallenge:challenge];
}

2. I often see a piece of code like this on the Internet. How do you think this code is verified?

    NSURLSessionAuthChallengeDisposition disposition = NSURLSessionAuthChallengePerformDefaultHandling;
    __block NSURLCredential *credential = nil;
    if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        disposition = NSURLSessionAuthChallengeUseCredential;
        credential = [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust];
    } else {
        disposition = NSURLSessionAuthChallengePerformDefaultHandling;
    }

    if (completionHandler) {
        completionHandler(disposition, credential);
    }

漂亮男人, 2843 days ago, 1063


  • 曾经蜡笔没有小新 2017-05-02 09:40:04

    1. Direct requests without verifying the certificate are problematic.
    2. The other side first determines whether the certificate server is trustworthy, and then handles the certificate accordingly. See iOS HTTPs for details.
