HTTPS在SSL/TLS上的使用和配置(IIS8和iOS客户端)

HTTPS在SSL/TLS上的使用和配置(IIS8和iOS客户端)

CA证书

1.域名型SSL证书（DV SSL）：信任等级普通，只需验证网站的真实性便可颁发证书保护网站；一般是免费的

2.企业型SSL证书（OV SSL）：信任等级强，须要验证企业的身份，审核严格，安全性更高；收费的

3.增强型SSL证书（EV SSL）：信任等级最高，一般用于银行证券等金融机构，审核严格，安全性最高，同时可以激活绿色网址栏。收费的，比OV证书贵一些

4.自签名证书(SelfSigned Cert) :创建的工具有很多。如Mac中的钥匙串可以创建，IIS的服务器证书可以创建

https://help.aliyun.com/knowledge_detail/42216.html

公钥（Public Key）与私钥（PRivate Key）是通过一种算法得到的一个密钥对（即一个公钥和一个私钥），公钥是密钥对中公开的部分，私钥则是非公开的部分。公钥通常用于加密会话密钥、验证数字签名，或加密可以用相应的私钥解密的数据。通过这种算法得到的密钥对能保证在世界范围内是唯一的。使用这个密钥对的时候，如果用其中一个密钥加密一段数据，必须用另一个密钥解密。比如用公钥加密数据就必须用私钥解密，如果用私钥加密也必须用公钥解密，否则解密将不会成功。

x509是数字证书的规范，P7和P12是两种封装形式。比如说同样的电影，有的是avi格式，有的是mpg。

SSL/TLS/HTTPS的区别

SSL (Secure Socket Layer) 安全套接层  目前有三个版本1.0, 2.0, 3.0

TLS (Transport Layer Security) 传输层安全协议   是SSL的标准化后的产物，目前有1.0, 1.1, 1.2三个版本

HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) 也就是HTTP 加上 SSL/TLS

用于网站HTTPS化的SSL数字证书，当前主要分为DV SSL、OV SSL、EV SSL三种类型的证书。

symantec证书检测

https://cryptoreport.websecurity.symantec.com/checker/views/certCheck.jsp

当你的网站配置了https后，如果在IE浏览器提示证书配置错误，Chrome浏览器提示不安全的连接，那就是因为IIS默认没有开启TLS，所以我们需要手动开启SSL/TLS，具体步骤如下链接

https://social.technet.microsoft.com/Forums/forefront/en-US/ec033ff6-091d-441d-8ad3-7ea411100009/ssl-with-256bit-strength

这篇链接中最重要的步骤就是

In order to get IIS7 to do 256 bit encryption, we have to ensure the cipher suit that is listed first is the following: TLS_RSA_WITH_AES_256_CBC_SHA

In order to change the Cipher Suite order we can do the following:

- Run gpedit.msc from the command line

- within the Group Policy Object Editor, expand Computer Configuration, Administrative Templates, Network.

- Under Network, select SSL Configuration and then double click on SSL Cipher Suite Order

- By Default the SSL Cipher Suite Order is set to "Not Configured"

- To enable 256-bit encryption, select the "enabled" radio button

- Within the SSL Cipher Suites text box, remove TLS_RSA_WITH_AES_128_CBC_SHA or at least place it behind TLS_RSA_WITH_AES_256_CBC_SHA.

TLS_RSA_WITH_AES_256_CBC_SHA has to be the first cpiher suite listed in order for us to connect with 256-bith encryption.

Once the steps above have been completed, restart the server for the changes to take effect. Now we can browse a page served on the IIS7 server and confirm it is using 256 bit encryption. To do this, right click on the page, select properties and you should see the following:

TLS 1.0, AES with 256 bit encryption (High); RSA with 1024 bit exchange

自签名证书的创建流程

1. KeyChain：KeyChain access --> Certificate Assistant --> Create a Certificate --> 输入一个名字和选择证书类型 --> Create  --> 会生成一个自签名证书，并且自动加入到了KeyChain

IIS创建自签名证书，看这里http://jingyan.baidu.com/article/48206aeaa60a65216bd6b353.html

其他的创建方式

1.Free https://letsencrypt.org

2.XCA介绍  http://xca.hohnstaedt.de/    

   下载地址  https://sourceforge.net/projects/xca/files/?source=navbar

3.在www.net.cn申请DV（domain verified）证书

好了，上面的证书搞完了，下面接着iOS客户端的使用和配置

1.Info.plist的配置如下，此步骤根据情况来定，如果你的项目所有的请求都是HTTPS, 则这个配置不需要，如果你的项目有一些请求是HTTP，则把HTTP请求的域名配置在这里，可以有很多个域名

2.重点看下面，Objective-C代码

  方法- (void)URLsession:(NSURLSession *)session didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential * _Nullable))completionHandler

   当服务器端配置的是单项认证，则客户端不需要实现此方法，仅当服务器使用双向认证时，才需要

#import "ViewController.h"@interface ViewController ()<NSURLSessionDelegate>@end@implementation ViewController- (void)viewDidLoad {    [super viewDidLoad];}- (void)touchesBegan:(NSSet<UITouch *> *)touches withEvent:(UIEvent *)event{    NSURLSessionConfiguration *configuration = [NSURLSessionConfiguration defaultSessionConfiguration];        NSURLSession *session = [NSURLSession sessionWithConfiguration:configuration delegate:self delegateQueue:[NSOperationQueue mainQueue]];        NSURL *url = [NSURL URLWithString:@"https://www.domain.com/Home/LoginWithPass"];    NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:url];    [request setHTTPMethod:@"POST"];        NSURLSessionDataTask *data = [session dataTaskWithRequest:request completionHandler:^(NSData * _Nullable data, NSURLResponse * _Nullable response, NSError * _Nullable error) {                NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *)response;        NSString *str = [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];        NSLog(@"%@ %ld",  str, (long)httpResponse.statusCode);            }];        [data resume];}/*  摘要：适用于自签名证书，DV,OV,EV类型的证书   作用：1.单向认证(One-way Authentication)        此delegate方法会有一次调用，是NSURLAuthenticationMethodServerTrust      2.双向认证(Bidirectional Authentication，或者Mutual Authentication，也有Two-way Authentication)        此delegate方法会有两次调用，分别是NSURLAuthenticationMethodServerTrust和NSURLAuthenticationMethodClientCertificate */- (void)URLSession:(NSURLSession *)session didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential * _Nullable))completionHandler{    //证书的处理方式    NSURLSessionAuthChallengeDisposition disposition = NSURLSessionAuthChallengePerformDefaultHandling;        NSURLCredential *credential = nil;        //判断服务器返回的证书是否是服务器信任的    if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) { //受信任的                //获取服务器返回的证书        credential = [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust];                if (credential) {            disposition = NSURLSessionAuthChallengeUseCredential;        } else {            disposition = NSURLSessionAuthChallengePerformDefaultHandling;        }            } else {            //读取证书的私钥        NSString *thePath = [[NSBundle mainBundle] pathForResource:@"webtest_ssl_Certificates" ofType:@"p12"];        NSData *PKCS12Data = [[NSData alloc] initWithContentsOfFile:thePath];        CFDataRef inPKCS12Data = (CFDataRef)CFBridgingRetain(PKCS12Data);        SecIdentityRef identity = nil;                //读取p12证书的私钥内容        OSStatus result = [self extractP12Data:inPKCS12Data toIdentity:&identity];        if(result != errSecSuccess){            completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);            return;        }                SecCertificateRef certificate = NULL;        SecIdentityCopyCertificate(identity, &certificate);                const void *certs[] = {certificate};        CFArrayRef certArray = CFArrayCreate(kCFAllocatorDefault, certs, 1, NULL);                credential = [NSURLCredential credentialWithIdentity:identity certificates:(NSArray*)CFBridgingRelease(certArray) persistence:NSURLCredentialPersistencePermanent];                disposition = NSURLSessionAuthChallengeUseCredential;    }        //安装证书(即导入到iPhone的KeyChain)    if (completionHandler) {        completionHandler(disposition, credential);    }}- (OSStatus)extractP12Data:(CFDataRef)inP12Data toIdentity:(SecIdentityRef *)identity {        OSStatus securityError = errSecSuccess;        CFStringRef passWord = CFSTR("Your cert password");    const void *keys[] = { kSecImportExportPassphrase };    const void *values[] = { password };        CFDictionaryRef options = CFDictionaryCreate(NULL, keys, values, 1, NULL, NULL);        CFArrayRef items = CFArrayCreate(NULL, 0, 0, NULL);    securityError = SecPKCS12Import(inP12Data, options, &items);        if (securityError == errSecSuccess) {        CFDictionaryRef ident = CFArrayGetValueAtIndex(items, 0);        const void *tempIdentity = NULL;        tempIdentity = CFDictionaryGetValue(ident, kSecImportItemIdentity);        *identity = (SecIdentityRef)tempIdentity;    }        if (options) CFRelease(options);    if (password) CFRelease(password);        return securityError;}@end
<script src="https://gist.github.com/VictorZhang2014/1d4903b1c5f260d9cae6a007fb53bebe.js"></script>
好了，就是这么简单，如果读者有什么疑问，欢迎评论里回复。