I want to protect the communication between my application and my server against a MITM attack, so I am trying to set up SSL (with certificate pinning), but I am having problems getting AFNetworking 2.2 to work with a self-signed certificate. I think the problem is basically in the way I generate the certificate.
First I tried to create a self-signed certificate following these instructions:
Creating a private key:
# Generate a 2048-bit RSA key. -des3 encrypts the key file with a passphrase, so
# whatever loads it later (here nginx via ssl_certificate_key) must be able to
# supply that passphrase.
sudo openssl genrsa -des3 -out server.key 2048
Creating a signing request, entering the domain name when prompted for the Common Name:
# Create the CSR; the Common Name prompt is answered with the server's host name.
sudo openssl req -new -key server.key -out server.csr
Creating the certificate:
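# Self-sign the CSR with its own key for one year. -sha256 is added because
# older OpenSSL releases default to a SHA-1 signature, which modern TLS clients
# (current Apple platforms included) reject.
sudo openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt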
Finally, converting it to DER format (since AFNetworking requires it):
# Re-encode the PEM certificate as DER; this is the file that goes into the app bundle.
sudo openssl x509 -outform der -in server.crt -out server.der
Server: Ubuntu 12.04, nginx (with Passenger), Rails 4. The nginx SSL configuration:
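server {
    listen 80;
    # `ssl on;` enables TLS for every listen socket of this block, so the original
    # `listen 443;` + `ssl on;` also broke plain HTTP on port 80. Enabling TLS per
    # socket keeps port 80 as plain HTTP.
    # NOTE(review): if port 80 should not serve the app at all, redirect it to
    # https:// instead of leaving it open.
    listen 443 ssl;
    server_name myapp.com;
    passenger_enabled on;
    root /var/www/myapp/current/public;
    rails_env production;
    # Certificate and key produced by the openssl commands above (PEM form).
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
}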
I installed the certificate in nginx and added the DER file to the app bundle as "server.cer" (AFNetworking picks up .cer files from the bundle), then enabled SSL pinning on the AFHTTPSessionManager:
// Certificate pinning: the server's certificate is checked against the
// certificates bundled with the app (AFNetworking's default pinned set is the
// .cer files in the main bundle — verify for 2.2).
// NOTE(review): AFSecurityPolicy also validates the host name by default, so the
// certificate's CN/subjectAltName must match the host the client connects to —
// confirm for this AFNetworking version.
client.securityPolicy = [AFSecurityPolicy
policyWithPinningMode:AFSSLPinningModeCertificate];
The connection fails, however. Stepping through AFNetworking, the check that fails is AFServerTrustIsValid:
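/// Returns YES only when the Security framework accepts the server's trust chain:
/// either the configured anchors/system policy accepted it outright
/// (kSecTrustResultUnspecified) or the user explicitly chose to trust it
/// (kSecTrustResultProceed). Every other result — including
/// kSecTrustResultRecoverableTrustFailure — is treated as invalid.
///
/// @param serverTrust The trust object for the TLS handshake. Any anchors
///        (e.g. pinned certificates) must be set on it before calling this.
/// @return YES if the trust evaluated successfully, NO otherwise. A failure of
///         SecTrustEvaluate itself is reported as NO (fail closed) rather than
///         only through an assertion that is compiled out in release builds.
static BOOL AFServerTrustIsValid(SecTrustRef serverTrust) {
    SecTrustResultType result = kSecTrustResultInvalid;
    OSStatus status = SecTrustEvaluate(serverTrust, &result);
    if (status != errSecSuccess) {
        // Keep the debug-build assertion, but never let an evaluation error
        // pass as a valid trust in release builds.
        NSCAssert(NO, @"SecTrustEvaluate error: %ld", (long int)status);
        return NO;
    }
    // NOTE(review): SecTrustEvaluate is deprecated on newer Apple SDKs in favour
    // of SecTrustEvaluateWithError; kept here for the AFNetworking 2.2 era.
    return (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);
}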
In my case the evaluation result is kSecTrustResultRecoverableTrustFailure.
If I bypass AFServerTrustIsValid by setting allowInvalidCertificates to YES, everything works, but that is obviously not a solution.
So I then tried a different approach found on SO, using this openssl.cnf:
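[ req ]
# SHA-1 signatures are rejected by modern TLS clients (current Apple platforms
# included); sign with SHA-256 instead. The original used sha1.
default_md = sha256
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
# Plain entries are the interactive prompt labels; *_default entries are used
# when a prompt is left empty; *_min/*_max constrain the entered length.
countryName = United Kingdom
countryName_default = UK
countryName_min = 2
countryName_max = 2
localityName = Locality
localityName_default = London
organizationName = Organization
organizationName_default = Eric Organization
commonName = Common Name
commonName_max = 64

[ certauth ]
# Extensions for the self-signed test CA (openssl req ... -extensions certauth).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
crlDistributionPoints = @crl

[ server ]
# Extensions for the leaf/server certificate (openssl x509 ... -extensions server).
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
nsCertType = server
# Must match the host name the client connects to (server_name in nginx).
subjectAltName = DNS:myapp.com
crlDistributionPoints = @crl

[ crl ]
# Placeholder CRL location for the test CA; nothing on this page serves it.
URI=http://testca.local/ca.crl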
Then I created the CA:
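# Create the test CA: a new 2048-bit key (unencrypted, -nodes) and a self-signed
# CA certificate valid for 10 years with the [ certauth ] extensions from
# openssl.cnf. -sha256 overrides the config's default_md so the CA certificate
# is not SHA-1 signed.
sudo openssl req -config ./openssl.cnf -newkey rsa:2048 -nodes -sha256 -keyform PEM -keyout ca.key -x509 -days 3650 -extensions certauth -outform PEM -out ca.cer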
The server key:
# Server private key (unencrypted this time — no -des3).
sudo openssl genrsa -out server.key 2048
The certificate signing request:
# CSR for the server key, using the DN prompts from openssl.cnf.
sudo openssl req -config ./openssl.cnf -new -key server.key -out server.req
Signing the server certificate with the CA:
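# Sign the server CSR with the test CA, applying the [ server ] extensions from
# openssl.cnf (CA:FALSE, serverAuth, SAN DNS:myapp.com). The serial must be
# unique per certificate the CA issues; a fixed 100 is fine for a single test
# certificate. -sha256 avoids a SHA-1 signature, which modern clients reject.
sudo openssl x509 -req -sha256 -in server.req -CA ca.cer -CAkey ca.key -set_serial 100 -extfile openssl.cnf -extensions server -days 365 -outform PEM -out server.cer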
And converting it to DER:
# DER copy of the server certificate for the app bundle.
sudo openssl x509 -outform der -in server.cer -out stopcastapp.com.der
I installed the new certificate in nginx and put the new DER file into the app as server.cer (after resetting the Simulator), but the result is the same:
still kSecTrustResultRecoverableTrustFailure.
What am I doing wrong? Is it really the way I generate the certificate, or something else? Any help would be appreciated. Thanks!