background
From 2017, Google’s Chrome browser will also mark sites that use HTTP as “insecure”; Apple will mandate HTTPS for iOS apps from 2017; Small programs that are booming in China also require HTTPS requests.
1: What is HTTPS
Let’s talk about HTTP before WE talk about HTTPS. HTTP is a protocol that we use when we browse the web. Data transmitted through HTTP is unencrypted, that is, plain text. Therefore, privacy information transmitted through HTTP is insecure. To ensure that these private data can be encrypted for transmission, the Secure Sockets Layer (SSL) protocol is used to encrypt data transmitted over HTTP, thus giving birth to HTTPS. SSL 3.0 was upgraded and TLS (Transport Layer Security) was introduced. The Protocol Transport Security Layer (TLS) must be at least version 1.2.
2: HTTPS principle
Check out this resource: HTTPS Handshake Process. It introduces the one-way two-way encryption process and the difference between them.
3: What certificates meet the requirements?
The first is to create a certificate request, then to the authority authentication, then configure the server;
The second type is a self-created certificate, which needs to be configured to the server.
Look at the document description:
These are the App Transport Security requirements:
The protocol Transport Security Layer (TLS) must be at least version 1.2.
Connection ciphers are limited to those that provide forward secrecy (see the list of ciphers below.)
Certificates must use at least an SHA256 fingerprint with either a 2048 bit or greater RSA key, or a 256 bit or greater Elliptic-Curve (ECC) key.
The TLS 1.2 protocol must be used. The encryption method of connection should be Forward Secrecy. The document lists the supported encryption algorithms (as shown in the following table). Finally, the certificate must use at least one SHA256 fingerprint and any RSA key of 2048-bit or higher, or ECC key of 256-bit or higher. If one of them is not met, the request is interrupted and nil is returned.
Transport Security Protocol Layer (TLS) must be at least version 1.2: see Google’s certificate information below.
The encryption mode must be Foward Secrecy. The following encryption modes support Forward Secrecy:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Note The validity of the certificate. IOS requires that the HTTPS site to be connected must be a valid certificate signed by the CA.
Look at some examples of unqualified certificates:
AFN can be set up for this with allowInvalidCertificates
AllowInvalidCertificates Specifies whether invalid certificates (self-created certificates) are allowed. The default value is NO. // If self-created certificates need to be verified, set this parameter to YES
We can use the command to verify the validity of the certificate.
This one down here is all Fail
Look at a valid certificate:
4: Self-built certificate process
// The first step is to prepare public and private keys for the server and client
Generate server-side private key
openssl genrsa -outserver.key1024
Generate the server side public key
openssl rsa -inserver.key -pubout -outserver.pem
// Step 2: Generate the CA certificate
Generate the CA private key
openssl genrsa -outca.key1024
# X.509 Certificate Signing Request (CSR) Management.
openssl req -new-key ca.key -outca.csr
# X.509 Certificate Data Management.
openssl x509 -req -inca.csr -signkey ca.key -outca.crt
// Step 3, generate the server certificate
The server needs to apply for a signature certificate from the CA. Before applying for a signature certificate, it still needs to create its own CSR file
openssl req -new -key server.key-outserver.csr
The signature process requires the CA certificate and private key to participate in. Finally, a certificate with the CA signature is issued
openssl x509 -req -CA ca.crt-CAkeyca.key-CAcreateserial-inserver.csr-outserver.cr
Step 4: Generate a CER file
Use OpenSSL for conversion
openssl x509 -inserver.crt-outserver.cer-outform der
Look it up if you’re not familiar with the above commands. Or look at the picture below.
You can use the command to see some of the things you generate, usually under /Users/ own name ls look at the list as follows:
5: Configure the certificate to the server
The server I built with XAMPP machine is shown as follows:
Note: low version of the Mac OS system, Mysql may not be able to start automatically, and need to start up with the command: sudo/Applications/XAMPP/xamppfiles/bin/Mysql serverstart
CRT and server.key. Since SSL is enabled on my server by default, I’ll just change the certificate path.
Let’s look at the results in the browser
Google is more strict to see below:
The above is the process of self-built certificate can play by yourself.
6: Create a certificate request, then authenticate to the authority, and then configure to the server
Since our server already has, I give the background to have no response, did not give me, I will get the command by myself. We can use the following openssl command to obtain the public binary certificate of the server.
openssl s_client -connect www.example.com.cn:443 /dev/null | openssl x509 -outform DER > https.cer
7:iOS client adaptation
Unidirectional authentication SSL does not require the client to have a CA certificate, but removes the process of authenticating the client certificate on the server. Two-way authentication this situation requires that both the server and the user have certificates.
[self.sessionManagersetSecurityPolicy:[NKNetWorkCentercustomSecurityPolicy]];
+ (AFSecurityPolicy*)customSecurityPolicy
{
// import the certificate first
NSString*cerPath = [[NSBundlemainBundle]pathForResource:@”https”ofType:@”cer”]; // Path to the certificate
NSData*certData = [NSDatadataWithContentsOfFile:cerPath];
/ / AFSSLPinningModeCertificate use certificate authentication mode
AFSecurityPolicy*securityPolicy = [AFSecurityPolicypolicyWithPinningMode:AFSSLPinningModeCertificate];
// allowInvalidCertificates Whether invalid certificates (i.e., self-built certificates) are allowed. Default is NO
// If the self-created certificate needs to be verified, set this parameter to YES
securityPolicy.allowInvalidCertificates=YES;
//validatesDomainName Specifies whether to validate the domain name. The default value is YES.
// If the domain name of the certificate does not match the domain name you requested, set this parameter to NO; If this parameter is set to NO, the server can establish connections using certificates issued by other trusted organizations. This is very dangerous. You are advised to enable this parameter.
// Set this parameter to NO, which is mainly used when the client requests a subdomain name and the certificate contains a different domain name. Because the domain name on the SSL certificate is independent, if the domain name registered on the certificate is www.google.com, mail.google.com cannot be verified. Of course, if you have the money, you can register the wildcard domain *.google.com, but it’s still expensive.
// If set to NO, you are advised to add the verification logic of the corresponding domain name.
securityPolicy.validatesDomainName=NO;
securityPolicy.pinnedCertificates=@[certData];
returnsecurityPolicy;
}
Here are the results of catching a bag with a vase
8: Processing of some third-party HTTP requests
Or they upgrade. Or add it to the ATS whitelist.