ssl - NSURLSession 的不受信任证书错误不适用于 iOS 10 中的自定义协议(protocol)

Question

我在 NSURLProtocol 中使用 NSURLSession 来捕获一些流量并通过 UIWebView 的代理引导它。当我浏览具有无效证书的 HTTPS 站点时，UIWebView 失败并显示:

Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “revoked.grc.com” which could put your confidential information at risk." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSErrorFailingURLKey=, NSErrorFailingURLStringKey=, NSErrorPeerCertificateChainKey=( "", "" ), NSErrorClientCertificateStateKey=0, NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “revoked.grc.com” which could put your confidential information at risk., _kCFStreamErrorDomainKey=3, NSUnderlyingError=0x170255420 {Error Domain=kCFErrorDomainCFNetwork Code=-1202 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=, _kCFNetworkCFStreamSSLErrorOriginalValue=-9807, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9807, kCFStreamPropertySSLPeerCertificates=( "", "" )}}, _kCFStreamErrorCodeKey=-9807}

在 iOS 9 及以下版本中，但在 iOS 10 中会出现以下错误:

Error Domain=kCFErrorDomainCFNetwork Code=310 "There was a problem communicating with the secure web proxy server (HTTPS)." UserInfo={NSErrorFailingURLStringKey=, NSErrorFailingURLKey=, _kCFStreamErrorCodeKey=-2096, _kCFStreamErrorDomainKey=4, NSLocalizedRecoverySuggestion=Please check your proxy settings. For help with this problem, contact your system administrator., NSLocalizedDescription=There was a problem communicating with the secure web proxy server (HTTPS).}

所以在 iOS 10 中，我无法找出通过代理传递的不受信任站点的方式。如果我在 NSURLProtocol(即 NSURLSession)中浏览一个没有代理的无效证书的网站，那么它在 iOS 10 中也能正常工作。

didReceiveChallenge 委托(delegate)方法的实现。

AppDelegate *appDelegate = (AppDelegate *)[UIApplication sharedApplication].delegate;
如果([挑战.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]){
SecTrustRef trust = [[挑战保护空间] serverTrust];
SecCertificateRef cert = SecTrustGetCertificateAtIndex(trust, 0);
如果([[appDelegate certStore] containsCertificate:cert]){
completionHandler(NSURLSessionAuthChallengeUseCredential,[NSURLCredential credentialForTrust:trust]);
返回;
}
}
completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);

Answer 1

如果底层请求在 iOS 10 上通过代理访问证书，您将收到错误代码 310。这意味着发出 HTTP 请求以通过以下方式获取证书是不安全的代理人。当 iOS 需要获取或更新中间证书时会发生这种情况，一个独立进程 securityd 发出请求。

您应该通过以下方式使证书请求无需代理:

• 暂时关闭代理
• 或者标记任何以.crt结尾的请求不使用代理

然后您应该获得正确的证书，代码将继续运行。