How to create iOS NWConnection for TLS with self signed cert?

问题:

I'm trying to use Apple's new NWConnection class for my MQTT client. For testing, I need to be able to create a TLS connection to my local test broker, which has a self signed cert.

So far, I'm just setting up the connection using:

self.connection = NWConnection(host: NWEndpoint.Host("172.16.202.172"), port: NWEndpoint.Port(integerLiteral: 8899), using: .tls) 

But when I connect, I get the following spewage on my console:

2019-01-30 17:05:51.010580-0800 myAp[2591:608137] [] nw_socket_handle_socket_event [C4.1:1] Socket SO_ERROR [54: Connection reset by peer] 2019-01-30 17:05:57.939157-0800 myApp[2591:608135] [BoringSSL] boringssl_context_alert_callback_handler(3724) [C5:1][0x103e087d0] Alert level: fatal, description: certificate unknown 2019-01-30 17:05:57.939382-0800 myApp[2591:608135] [BoringSSL] boringssl_context_error_print(3676) boringssl ctx 0x282226af0: 4360838776:error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED:/BuildRoot/Library/Caches/com.apple.xbs/Sources/boringssl/boringssl-109.230.1/ssl/handshake.cc:360: 2019-01-30 17:05:57.939510-0800 myApp[2591:608135] [BoringSSL] boringssl_context_get_error_code(3560) [C5:1][0x103e087d0] SSL_AD_CERTIFICATE_UNKNOWN 

In the past, when I've used URLSession.shared.dataTask to download a file from an nginx https server, I've added the following to my info.plist

<dict>     <key>App Transport Security Settings</key>     <dict>         <key>NSExceptionDomains</key>         <dict>             <key>172.16.202.172</key>             <dict>                 <key>NSIncludesSubdomains</key>                 <true/>                 <key>NSTemporaryExceptionsAllowsInsecureHTTPSLoads</key>                 <true/>             </dict>         </dict>     </dict> </dict> 

But that doesn't seem to have done the trick in this case. When I click on Apple's documentation links for things like NWParameter to pass in place of the stock .tls, thinking I could tune the xls settings, there's just no info in the Apple docs.

So what is the right way to create a NWConnection for TLS communication using self signed certs?

回答1:

I am not sure if this is the complete/best answer, but I found this approach on the Apple Developer forums:

func createTLSParameters(allowInsecure: Bool, queue: DispatchQueue) -> NWParameters {     let options = NWProtocolTLS.Options()     sec_protocol_options_set_verify_block(options.securityProtocolOptions, { (sec_protocol_metadata, sec_trust, sec_protocol_verify_complete) in         let trust = sec_trust_copy_ref(sec_trust).takeRetainedValue()         var error: CFError?         if SecTrustEvaluateWithError(trust, &error) {             sec_protocol_verify_complete(true)         } else {             if allowInsecure == true {                 sec_protocol_verify_complete(true)             } else {                 sec_protocol_verify_complete(false)             }         }     }, queue)     return NWParameters(tls: options) }  self.workQueue = DispatchQueue(label: "mqtt") self.connection = NWConnection(     host: NWEndpoint.Host("172.16.202.172"),     port: NWEndpoint.Port(integerLiteral: 8899),     using: createTLSParameters(allowInsecure: true, queue: self.workQueue)) 

Using this technique, I didn't need the info.plist change at all.

There's some indication on said forum that it is preferrable to pull the self signed cert into your iOS box somehow.

文章来源: How to create iOS NWConnection for TLS with self signed cert?