...下面是Asp.net中使用的代码sn-p
您提供的代码表明您不执行任何服务器验证。你接受了一切,甚至是来自坏人的伪造证书(攻击者感谢你):
System.Net.ServicePointManager.ServerCertificateValidationCallback =
delegate(Object sender2, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{ return true; };
我不知道如何在 Objective C for IOS 中实现这一点......
您需要使用NSURLConnectionDelegate 并提供-connection:didReceiveAuthenticationChallenge: 的实现。
OWASP 有一些示例代码来执行公钥固定。 OWASP 代码与您的代码相反。 OWASP 代码可确保您始终与预期的主机对话(而不是与您的代码一样使用证书回答的任何主机)。见Certificate and Public Key Pinning。
至少,OWASP 代码会向您展示证书验证中的一些活动部分。
这里有一些 C# 代码加载单个 CA,然后使用单个 CA 验证链:How to verify chain in RemoteCertificateValidationCallback?。这可能是您应该如何在 ASP.net 中执行 ServerCertificateValidationCallback 的方式。它不要求您在任何商店中安装 CA。而且它避免了 CA Zoo(数百个 CA,任何人都可以认证服务器)。
您需要获得 CA 才能使用 Merchantlink。任何试图声称自己是 Merchantlink 或 Merchanlink 的 CA 的人都会导致失败。这是一件好事,因为它会成为一个坏人。
发现 CA 并将其用于验证:
$ openssl s_client -connect www.merchantlink.com:443
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. -
For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
verify return:0
...
从上面,您需要使用 Verisign 的 Class 3 CA。所以去Use of Root Certificates,下载Root 3, VeriSign Class 3 Primary CA - G5。
使用正确的 root,您将不会从 OpenSSL 收到验证错误(注意使用 -CAfile PCA-3G5.pem):
$ openssl s_client -connect www.merchantlink.com:443 -CAfile PCA-3G5.pem
CONNECTED(00000003)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)06, CN = VeriSign Class 3 Extended Validation SSL SGC CA
verify return:1
depth=0 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, businessCategory = Private Organization, serialNumber = 2578637, C = US, postalCode = 10017, ST = New York, L = New York, street = 270 Park Avenue, O = "Chase Paymentech Solutions, LLC.", OU = Enterprise Web Architecture, CN = www.merchantlink.com
verify return:1
---
Certificate chain
0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=2578637/C=US/postalCode=10017/ST=New York/L=New York/street=270 Park Avenue/O=Chase Paymentech Solutions, LLC./OU=Enterprise Web Architecture/CN=www.merchantlink.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
...
Start Time: 1397396657
Timeout : 300 (sec)
Verify return code: 0 (ok)
...