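Regarding the use of a self-signed certificate with HTTPS, I have the following questions:
1. The material I have read online all says that a self-signed certificate has to be imported on the client and then verified. If the certificate is not verified and the credential that was sent over is used directly for communication, what are the risks and problems?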
    - (void)connection:(NSURLConnection *)connection
    willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
    {
        // 1) Get the trust object
        SecTrustRef trust = challenge.protectionSpace.serverTrust;
        NSURLCredential *cred = [NSURLCredential credentialForTrust:trust];
        [challenge.sender useCredential:cred forAuthenticationChallenge:challenge];
    }
I often see a piece of code like this online. How do you think this code does the verification?
    NSURLSessionAuthChallengeDisposition disposition = NSURLSessionAuthChallengePerformDefaultHandling;
    __block NSURLCredential *credential = nil;
    if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        disposition = NSURLSessionAuthChallengeUseCredential;
        credential = [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust];
    } else {
        disposition = NSURLSessionAuthChallengePerformDefaultHandling;
    }
    if (completionHandler) {
        completionHandler(disposition, credential);
    }
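1. Sending requests directly without verifying the certificate is always a problem.
2. That code first determines whether the certificate's server can be trusted, and then handles the certificate accordingly. For details, see iOS HTTPs.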