支持 SSL / TLS 的 Objective-C TCP 服务器

【问题标题】:Objective-C TCP Server with SSL / TLS support支持 SSL / TLS 的 Objective-C TCP 服务器
【发布时间】:2013-10-25 12:46:05
【问题描述】:

我有一个简单的 TCP 服务器/客户端设置。这种连接实际上效果很好。

现在我想为套接字连接实现 SSL / TLS 加密。我使用钥匙串访问创建了一个 PKCS12 证书。在我的服务器中,我在接受回调中有以下代码:

NSString *certificatePath = [[NSBundle mainBundle] pathForResource:@"TCPServerCertificate" ofType:@"p12"];
NSData *certificateData = [NSData dataWithContentsOfFile:certificatePath];

CFArrayRef keyRef;
OSStatus status = SecPKCS12Import((__bridge CFDataRef)certificateData, (__bridge CFDictionaryRef)@{(__bridge NSString *)kSecImportExportPassphrase: @"1234"}, &keyRef);

if (status != noErr) {
    NSLog(@"PKCS12 import error %i", status);
    return;
}

CFDictionaryRef identityDict = CFArrayGetValueAtIndex(keyRef, 0);
SecIdentityRef identityRef = (SecIdentityRef)CFDictionaryGetValue(identityDict, kSecImportItemIdentity);

SecCertificateRef certificate;
status = SecIdentityCopyCertificate(identityRef, &certificate);

if (status != noErr) {
    NSLog(@"sec identity copy failed: %i", status);
    return;
}

NSArray *certificates = [NSArray arrayWithObjects:(__bridge id)identityRef, (__bridge id)certificate, nil];

NSDictionary *settings = @{(NSString *)kCFStreamPropertyShouldCloseNativeSocket:    [NSNumber numberWithBool:YES],
                           (NSString *)kCFStreamSSLValidatesCertificateChain:       [NSNumber numberWithBool:YES],
                           (NSString *)kCFStreamSSLAllowsExpiredCertificates:       [NSNumber numberWithBool:NO],
                           (NSString *)kCFStreamSSLAllowsExpiredRoots:              [NSNumber numberWithBool:NO],
                           (NSString *)kCFStreamSSLAllowsAnyRoot:                   [NSNumber numberWithBool:YES],
                           (NSString *)kCFStreamSSLCertificates:                    certificates,
                           (NSString *)kCFStreamSSLIsServer:                        [NSNumber numberWithBool:YES],
                           (NSString *)kCFStreamSSLLevel:                           (NSString *)kCFStreamSocketSecurityLevelTLSv1};

CFReadStreamSetProperty(readStream, kCFStreamPropertySSLSettings, (CFTypeRef)settings);
CFWriteStreamSetProperty(writeStream, kCFStreamPropertySSLSettings, (CFTypeRef)settings);

然后我创建流的NSStream 实例并在另一个类中处理它们。

当我运行服务器并连接客户端时,我的委托中得到了常规的NSStreamEventOpenCompleted。如果我只是关闭连接,然后尝试写入流或事件,我会收到以下错误:

2013-10-25 13:27:08.584 TCPServer[6435:303] CFNetwork SSLHandshake failed (-9800)
2013-10-25 13:27:08.584 TCPServer[6435:303] NSStreamEventOpenCompleted
2013-10-25 13:27:08.585 TCPServer[6435:303] NSStreamEventErrorOccurred

我想知道我必须在客户端实现什么。另外我想知道为什么在发送数据或从客户端断开连接时握手失败。每当发生此错误时,客户端都会认为它仍然处于连接状态。

是否有任何好的 TCP SSL/TLS 教程或其他涵盖客户端和服务器端的材料?

【问题讨论】:

  • 您是否在连接的两端使用相同的代码?如果是这样,那么看起来您正在将连接两侧的 kCFStreamSSLIsServer 属性设置为 YES
  • 我现在不在办公室。但这可能是对的。然后我应该删除kCFStreamSSLIsServer吗?
  • 我认为您希望保留这行代码 - 在作为服务器的连接一侧,保持原样。但在客户端,您需要将此值设置为字典中的NO
  • 抱歉,我现在不确定。我做了几个 TCP 测试和 edu 项目……但我认为你应该试一试,当你为此苦苦挣扎时。

标签: objective-c sockets ssl tcp nsstream


【解决方案1】:

这段代码有一些问题: 您不能使用 kCFStreamPropertySSLSettings 设置 kCFStreamPropertyShouldCloseNativeSocket,并且您不应混合使用服务器和客户端代码。

对于服务器,你应该只设置一个证书

CFReadStreamSetProperty(read, kCFStreamPropertyShouldCloseNativeSocket, kCFBooleanTrue);
CFWriteStreamSetProperty(write, kCFStreamPropertyShouldCloseNativeSocket, kCFBooleanTrue);
//kCFStreamPropertySocketSecurityLevel
//Note: If you set this key, you must do so before setting any other SSL options, such as kCFStreamPropertySSLSettings.
CFReadStreamSetProperty(read, kCFStreamPropertySocketSecurityLevel, kCFStreamSocketSecurityLevelNegotiatedSSL);
CFWriteStreamSetProperty(write, kCFStreamPropertySocketSecurityLevel, kCFStreamSocketSecurityLevelNegotiatedSSL);
//Creating server dictionnary

//kCFStreamSSLIsServer
//If the value of this key is kCFBooleanTrue, the kCFStreamSSLCertificates key must contain a valid value

//kCFStreamSSLCertificates
//Security property key whose value is a CFArray of SecCertificateRefs except for the first element in the array, which is a SecIdentityRef.
//For more information, see SSLSetCertificate() in Security/SecureTransport.h.

NSDictionary *settings = @{(id)kCFStreamSSLCertificates:                    certificates,
                           (id)kCFStreamSSLIsServer:                        @YES};


//Apply settings
CFReadStreamSetProperty(read, kCFStreamPropertySSLSettings, (__bridge CFDictionaryRef)(settings));
CFWriteStreamSetProperty(write, kCFStreamPropertySSLSettings, (__bridge CFDictionaryRef)(settings));

对于客户端,如果您想覆盖验证链 (See Apple doc on overriding chain validation),您应该执行以下操作:

CFReadStreamSetProperty(read, kCFStreamPropertyShouldCloseNativeSocket, kCFBooleanTrue);
CFWriteStreamSetProperty(write, kCFStreamPropertyShouldCloseNativeSocket, kCFBooleanTrue);
//kCFStreamPropertySocketSecurityLevel
//Note: If you set this key, you must do so before setting any other SSL options, such as kCFStreamPropertySSLSettings.

CFReadStreamSetProperty(read, kCFStreamPropertySocketSecurityLevel, kCFStreamSocketSecurityLevelNegotiatedSSL);
CFWriteStreamSetProperty(write, kCFStreamPropertySocketSecurityLevel, kCFStreamSocketSecurityLevelNegotiatedSSL);

//DO NOT USE kCFStreamPropertySSLContext as it overrides the following configuration
//create dictionnary for kCFStreamPropertySSLSettings

//keys for dictionnary we want to change:kCFStreamSSLAllowsExpiredCertificates;kCFStreamSSLAllowsExpiredRoots;kCFStreamSSLAllowsAnyRoot;
//kCFStreamSSLValidatesCertificateChain => no need to worry about the root
//kCFStreamSSLPeerName kCFNull prevents name verification


settings = @{(id)kCFStreamSSLValidatesCertificateChain: @NO,//The delegate will verify this
             (id)kCFStreamSSLPeerName: (id)kCFNull};//prevents name verification if server is not fixed (eg. IP)

//Apply settings
CFReadStreamSetProperty(read, kCFStreamPropertySSLSettings, (__bridge CFDictionaryRef)(settings));
CFWriteStreamSetProperty(write, kCFStreamPropertySSLSettings, (__bridge CFDictionaryRef)(settings));

【讨论】:

  • 你能解释一下为什么我必须设置kCFStreamPropertyShouldCloseNativeSocket吗?
  • kCFStreamPropertyShouldCloseNativeSocket 将在对象生命周期结束时关闭连接。否则,您必须手动关闭本机套接字。
  • 感谢您当时的帮助。你让我启动并运行,即使用于防止链验证的属性已被弃用/替换。让我们在 7 年后回答一个后续问题:D 我想强制执行 TLS,但似乎又回到了 SSL。 kCFStreamSocketSecurityLevelTLSv1 导致 SSL 协议错误...您有快速提示吗?
【解决方案2】:

我刚刚创建了一个包,它通过新的 iOS 13 限制使 TLS/TCP 更容易。希望它可以帮助某人!随意贡献:

https://github.com/eamonwhiter73/IOSObjCWebSockets

【讨论】:

    猜你喜欢
    • 1970-01-01
    • 2014-06-12
    • 2022-01-03
    • 2018-08-23
    • 2021-06-27
    • 2020-05-27
    • 1970-01-01
    • 2023-04-01
    • 1970-01-01
    相关资源
    最近更新 更多
    热门标签
    Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode