问题
Working to update an application I have to iOS5 after reports of it not working with the beta. The problem is tracked down to the fact that our custom SSL certificate verification is no longer working.
In the didReceiveAuthenticationChallenge section, we obtain our root certificates and call SecTrustEvaluate. This works fine on iOS4.
protectionSpace = [challenge protectionSpace];
trust = [protectionSpace serverTrust];
err = SecTrustEvaluate(trust, &trustResult);
trusted = (err == noErr) && ((trustResult == kSecTrustResultProceed) || (trustResult == kSecTrustResultUnspecified));
if (!trusted) {
err = SecTrustSetAnchorCertificates(trust, (CFArrayRef)[EagleAccessAppDelegate getDelegate].rootCertificates);
if (err == noErr) {
err = SecTrustEvaluate(trust, &trustResult);
}
trusted = (err == noErr) && ((trustResult == kSecTrustResultProceed) || (trustResult == kSecTrustResultUnspecified));
}
if (trusted) {
NSURLCredential *cred = [NSURLCredential credentialForTrust:trust];
[[challenge sender] useCredential:cred forAuthenticationChallenge:challenge];
} else {
[[challenge sender] cancelAuthenticationChallenge:challenge];
}
The certificates are stored in DER format as a resources included with the application.
// Load Certificates.
NSString *devFilePath = [[NSBundle mainBundle] pathForResource:@"ipms-dev-ca.der" ofType:@"crt"];
NSData *devRootCertificate = [[[NSData alloc] initWithContentsOfFile:devFilePath] autorelease];
SecCertificateRef devRoot = SecCertificateCreateWithData(NULL, (CFDataRef) devRootCertificate);
NSString *prodFilePath = [[NSBundle mainBundle] pathForResource:@"ipms-prod-ca.der" ofType:@"crt"];
NSData *prodRootCertificate = [[[NSData alloc] initWithContentsOfFile:prodFilePath] autorelease];
SecCertificateRef prodRoot = SecCertificateCreateWithData(NULL, (CFDataRef) prodRootCertificate);
self.rootCertificates = [[NSArray alloc] initWithObjects:(id)devRoot, (id)prodRoot, nil];
We basically have our own CA certificate which we use to issue certificates for the servers where our app connects to.
I am able to recreate this using the AdvancedURLConnections example application.
回答1:
The issue was the certificate was MD5 signature. These signatures are no longer supported on iOS5.
来源:https://stackoverflow.com/questions/7378271/sectrustevaluate-returns-ksectrustresultrecoverabletrustfailure-on-ios-5