

Using and configuring HTTPS over SSL/TLS (IIS8 and iOS client)

2019-11-09 15:43:39
Source: repost
Contributed by: netizen


CA certificates

1. Domain Validated SSL certificate (DV SSL): ordinary trust level; only the authenticity of the website is verified before the certificate is issued; generally free

2. Organization Validated SSL certificate (OV SSL): strong trust level; the organization's identity must be verified, the review is strict and security is higher; paid

3. Extended Validation SSL certificate (EV SSL): highest trust level; generally used by banks, securities firms and other financial institutions; strict review, highest security, and it also activates the green address bar. Paid, and somewhat more expensive than an OV certificate

4. Self-signed certificate (SelfSigned Cert): many tools can create one, for example Keychain Access on a Mac, or the Server Certificates feature in IIS

https://help.aliyun.com/knowledge_detail/42216.html

A public key and a private key are a key pair (one public key and one private key) produced by an algorithm. The public key is the part of the pair that is published; the private key is the part kept secret. The public key is typically used to encrypt session keys, to verify digital signatures, or to encrypt data that can then be decrypted with the corresponding private key. A key pair produced by such an algorithm is guaranteed to be unique worldwide. When the pair is used, data encrypted with one of the keys must be decrypted with the other: data encrypted with the public key must be decrypted with the private key, and data encrypted with the private key must be decrypted with the public key, otherwise decryption fails.
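The two uses described above, encrypting for the holder of the private key and verifying a signature made with it, shown with the same Security framework the iOS code later on this page relies on. This is an added example and not code from the original post; the key pair is generated in memory and is not stored in the keychain, and the message bytes are constructed here.

```objective-c
// Added example (not from the original post): generate an RSA key pair with the
// Security framework, encrypt with the public key and decrypt with the private
// key, then sign with the private key and verify with the public key.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Returns YES when every step behaves as the text describes.
static BOOL RunKeyPairDemo(void) {
    CFErrorRef error = NULL;

    // Ephemeral 2048-bit RSA key pair (kSecAttrIsPermanent = NO keeps it out of the keychain)
    NSDictionary *attributes = @{
        (id)kSecAttrKeyType:       (id)kSecAttrKeyTypeRSA,
        (id)kSecAttrKeySizeInBits: @2048,
        (id)kSecPrivateKeyAttrs:   @{ (id)kSecAttrIsPermanent: @NO },
    };
    SecKeyRef privateKey = SecKeyCreateRandomKey((__bridge CFDictionaryRef)attributes, &error);
    if (!privateKey) {
        if (error) { CFRelease(error); }
        return NO;
    }
    SecKeyRef publicKey = SecKeyCopyPublicKey(privateKey);

    // Constructed sample message; in practice this would be a session key
    NSData *message = [@"session key material" dataUsingEncoding:NSUTF8StringEncoding];

    // Encrypt with the public key; only the matching private key can decrypt it.
    SecKeyAlgorithm encAlg = kSecKeyAlgorithmRSAEncryptionOAEPSHA256;
    NSData *ciphertext = CFBridgingRelease(SecKeyCreateEncryptedData(publicKey, encAlg, (__bridge CFDataRef)message, &error));
    NSData *plaintext  = ciphertext
        ? CFBridgingRelease(SecKeyCreateDecryptedData(privateKey, encAlg, (__bridge CFDataRef)ciphertext, &error))
        : nil;
    BOOL roundTripOK = plaintext && [plaintext isEqualToData:message];

    // Sign with the private key; anyone holding the public key can verify the signature.
    SecKeyAlgorithm sigAlg = kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA256;
    NSData *signature = CFBridgingRelease(SecKeyCreateSignature(privateKey, sigAlg, (__bridge CFDataRef)message, &error));
    BOOL signatureOK = signature &&
        SecKeyVerifySignature(publicKey, sigAlg, (__bridge CFDataRef)message, (__bridge CFDataRef)signature, &error);

    // A modified message must fail verification (one character changed).
    NSData *tampered = [@"session key materiaL" dataUsingEncoding:NSUTF8StringEncoding];
    BOOL tamperedRejected = signature &&
        !SecKeyVerifySignature(publicKey, sigAlg, (__bridge CFDataRef)tampered, (__bridge CFDataRef)signature, &error);
    if (error) { CFRelease(error); error = NULL; } // the failed verification above sets error

    if (publicKey) { CFRelease(publicKey); }
    CFRelease(privateKey);
    return roundTripOK && signatureOK && tamperedRejected;
}
```

Call `RunKeyPairDemo()` from any iOS or macOS target linked against Security.framework; it returns YES when the round trip succeeds, the genuine signature verifies and the altered message is rejected.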

X.509 is the specification for digital certificates; P7 and P12 are two packaging formats. Think of the same movie available as an avi file or as an mpg file.

Differences between SSL, TLS and HTTPS

SSL (Secure Socket Layer): currently has three versions, 1.0, 2.0 and 3.0

TLS (Transport Layer Security): the standardized successor of SSL, currently with three versions, 1.0, 1.1 and 1.2

HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer): HTTP plus SSL/TLS

The SSL digital certificates used to move a website to HTTPS currently fall into three main types: DV SSL, OV SSL and EV SSL.

Symantec certificate checker

https://cryptoreport.websecurity.symantec.com/checker/views/certCheck.jsp

After your website has been configured for HTTPS, if IE reports a certificate configuration error and Chrome reports an insecure connection, it is because IIS does not enable TLS by default, so SSL/TLS has to be enabled manually. The specific steps are at the following link

https://social.technet.microsoft.com/Forums/forefront/en-US/ec033ff6-091d-441d-8ad3-7ea411100009/ssl-with-256bit-strength

The most important steps in that link are these

In order to get IIS7 to do 256 bit encryption, we have to ensure the cipher suite that is listed first is the following: TLS_RSA_WITH_AES_256_CBC_SHA

 

In order to change the Cipher Suite order we can do the following:

- Run gpedit.msc from the command line

- within the Group Policy Object Editor, expand Computer Configuration, Administrative Templates, Network.

- Under Network, select SSL Configuration and then double click on SSL Cipher Suite Order

- By Default the SSL Cipher Suite Order is set to "Not Configured"

- To enable 256-bit encryption, select the "enabled" radio button

- Within the SSL Cipher Suites text box, remove TLS_RSA_WITH_AES_128_CBC_SHA or at least place it behind TLS_RSA_WITH_AES_256_CBC_SHA.

 

TLS_RSA_WITH_AES_256_CBC_SHA has to be the first cipher suite listed in order for us to connect with 256-bit encryption.

 

Once the steps above have been completed, restart the server for the changes to take effect. Now we can browse a page served on the IIS7 server and confirm it is using 256 bit encryption. To do this, right click on the page, select properties and you should see the following:

TLS 1.0, AES with 256 bit encryption (High); RSA with 1024 bit exchange

Creating a self-signed certificate

1. Keychain: Keychain Access --> Certificate Assistant --> Create a Certificate --> enter a name and choose the certificate type --> Create --> a self-signed certificate is generated and added to the keychain automatically

For creating a self-signed certificate in IIS, see http://jingyan.baidu.com/article/48206aeaa60a65216bd6b353.html

Other ways to obtain a certificate

1. Free: https://letsencrypt.org

2. XCA, introduction: http://xca.hohnstaedt.de/

   Download: https://sourceforge.net/projects/xca/files/?source=navbar

3. Apply for a DV (domain validated) certificate at www.net.cn

With the certificate side done, let's move on to using and configuring it on the iOS client.

1. Info.plist configuration. Whether this step is needed depends on your project: if every request is HTTPS, no configuration is required; if some requests are plain HTTP, list the HTTP domains here (there can be many of them).

2. Now the key part: the Objective-C code

  The method - (void)URLSession:(NSURLSession *)session didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential * _Nullable))completionHandler

   When the server is configured for one-way authentication, the client does not need to implement this method; it is needed only when the server uses mutual authentication

#import "ViewController.h"

@interface ViewController () <NSURLSessionDelegate>
@end

@implementation ViewController

- (void)viewDidLoad {
    [super viewDidLoad];
}

- (void)touchesBegan:(NSSet<UITouch *> *)touches withEvent:(UIEvent *)event {
    NSURLSessionConfiguration *configuration = [NSURLSessionConfiguration defaultSessionConfiguration];
    NSURLSession *session = [NSURLSession sessionWithConfiguration:configuration
                                                          delegate:self
                                                     delegateQueue:[NSOperationQueue mainQueue]];

    NSURL *url = [NSURL URLWithString:@"https://www.domain.com/Home/LoginWithPass"];
    NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:url];
    [request setHTTPMethod:@"POST"];

    NSURLSessionDataTask *task = [session dataTaskWithRequest:request
                                            completionHandler:^(NSData * _Nullable data, NSURLResponse * _Nullable response, NSError * _Nullable error) {
        NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *)response;
        NSString *str = [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
        NSLog(@"%@ %ld", str, (long)httpResponse.statusCode);
    }];
    [task resume];
}

/*
 Summary: applies to self-signed, DV, OV and EV certificates.
 Behaviour:
   1. One-way authentication: this delegate method is called once, with
      NSURLAuthenticationMethodServerTrust.
   2. Two-way authentication (also called mutual or bidirectional authentication):
      this delegate method is called twice, first with
      NSURLAuthenticationMethodServerTrust and then with
      NSURLAuthenticationMethodClientCertificate.
 */
- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential * _Nullable))completionHandler {
    // How the challenge is handled
    NSURLSessionAuthChallengeDisposition disposition = NSURLSessionAuthChallengePerformDefaultHandling;
    NSURLCredential *credential = nil;

    if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        // Server trust challenge: wrap the server's trust object in a credential.
        // Note that credentialForTrust: does not evaluate the chain, so this accepts
        // whatever certificate the server presented; that is what lets a self-signed
        // certificate work here.
        credential = [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust];
        disposition = credential ? NSURLSessionAuthChallengeUseCredential
                                 : NSURLSessionAuthChallengePerformDefaultHandling;
    } else {
        // Client certificate challenge: load the identity (certificate plus private key)
        // from the .p12 file bundled with the app
        NSString *thePath = [[NSBundle mainBundle] pathForResource:@"webtest_ssl_Certificates" ofType:@"p12"];
        NSData *PKCS12Data = [[NSData alloc] initWithContentsOfFile:thePath];
        CFDataRef inPKCS12Data = (CFDataRef)CFBridgingRetain(PKCS12Data);
        SecIdentityRef identity = NULL;

        // Extract the identity from the PKCS#12 data
        OSStatus result = [self extractP12Data:inPKCS12Data toIdentity:&identity];
        if (inPKCS12Data) { CFRelease(inPKCS12Data); }
        if (result != errSecSuccess || identity == NULL) {
            completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
            return;
        }

        SecCertificateRef certificate = NULL;
        if (SecIdentityCopyCertificate(identity, &certificate) != errSecSuccess) {
            CFRelease(identity);
            completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
            return;
        }
        // Retaining callbacks so the array (and the NSArray it is bridged to) keeps the certificate alive
        const void *certs[] = { certificate };
        CFArrayRef certArray = CFArrayCreate(kCFAllocatorDefault, certs, 1, &kCFTypeArrayCallBacks);
        CFRelease(certificate);

        credential = [NSURLCredential credentialWithIdentity:identity
                                                certificates:(NSArray *)CFBridgingRelease(certArray)
                                                 persistence:NSURLCredentialPersistencePermanent];
        CFRelease(identity); // the credential holds its own reference
        disposition = NSURLSessionAuthChallengeUseCredential;
    }

    // Hand the disposition and credential back to the session
    if (completionHandler) {
        completionHandler(disposition, credential);
    }
}

// Import the PKCS#12 data and return the identity (private key plus certificate) it contains.
// The caller owns the returned identity and must CFRelease it.
- (OSStatus)extractP12Data:(CFDataRef)inP12Data toIdentity:(SecIdentityRef *)identity {
    // Passphrase protecting the .p12 file (placeholder, replace with the real one)
    CFStringRef password = CFSTR("Your cert password");
    const void *keys[] = { kSecImportExportPassphrase };
    const void *values[] = { password };
    CFDictionaryRef options = CFDictionaryCreate(NULL, keys, values, 1, NULL, NULL);

    CFArrayRef items = NULL;
    OSStatus securityError = SecPKCS12Import(inP12Data, options, &items);

    if (securityError == errSecSuccess && items != NULL && CFArrayGetCount(items) > 0) {
        // Each item is a dictionary; the identity is stored under kSecImportItemIdentity
        CFDictionaryRef ident = CFArrayGetValueAtIndex(items, 0);
        SecIdentityRef tempIdentity = (SecIdentityRef)CFDictionaryGetValue(ident, kSecImportItemIdentity);
        // Retain it so it stays valid after the items array is released
        *identity = tempIdentity ? (SecIdentityRef)CFRetain(tempIdentity) : NULL;
    }

    if (items) { CFRelease(items); }
    if (options) { CFRelease(options); }
    return securityError;
}

@end
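The server-trust branch above returns a credential for whatever certificate the server presents, which is what makes a self-signed certificate work but also means any certificate is accepted. The following is an added example, not code from the original post, showing the defensive alternative for the same self-signed setup: the client ships a copy of the server certificate and accepts the connection only when the presented chain validates against that copy for the expected host. The bundled file name `server.cer` (DER encoding) and the class name `PinnedSessionDelegate` are placeholders chosen for this example.

```objective-c
// Added example (not from the original post): accept a self-signed server
// certificate only when it matches the copy bundled with the app, instead of
// accepting whatever the server sends.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Evaluate serverTrust using only the pinned certificate as anchor, for the given host.
// Returns YES only if the chain validates to that anchor and the leaf is byte-identical.
static BOOL TrustMatchesPinnedCertificate(SecTrustRef serverTrust, NSString *host, NSData *pinnedDER) {
    SecCertificateRef pinned = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)pinnedDER);
    if (!pinned) { return NO; }

    // Validate as an SSL server certificate for this host name (checks name and validity period)
    SecPolicyRef policy = SecPolicyCreateSSL(true, (__bridge CFStringRef)host);
    SecTrustSetPolicies(serverTrust, policy);

    // Trust only our bundled certificate as an anchor; system roots are ignored.
    const void *anchorValues[] = { pinned };
    CFArrayRef anchors = CFArrayCreate(NULL, anchorValues, 1, &kCFTypeArrayCallBacks);
    SecTrustSetAnchorCertificates(serverTrust, anchors);
    SecTrustSetAnchorCertificatesOnly(serverTrust, true);

    CFErrorRef error = NULL;
    BOOL trusted = SecTrustEvaluateWithError(serverTrust, &error);
    if (error) { CFRelease(error); }

    // Additionally require the leaf certificate to be exactly the pinned one.
    BOOL leafMatches = NO;
    if (trusted && SecTrustGetCertificateCount(serverTrust) > 0) {
        SecCertificateRef leaf = SecTrustGetCertificateAtIndex(serverTrust, 0);
        NSData *leafDER = CFBridgingRelease(SecCertificateCopyData(leaf));
        leafMatches = [leafDER isEqualToData:pinnedDER];
    }

    CFRelease(anchors);
    CFRelease(policy);
    CFRelease(pinned);
    return trusted && leafMatches;
}

// Placeholder delegate class used to host the pinned-trust challenge handler.
@interface PinnedSessionDelegate : NSObject <NSURLSessionDelegate>
@end

@implementation PinnedSessionDelegate

- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential * _Nullable))completionHandler {
    if (![challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        // Client-certificate and other challenges are left to the system here
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }

    // "server.cer" is a placeholder: the DER-encoded copy of the server certificate in the bundle
    NSString *path = [[NSBundle mainBundle] pathForResource:@"server" ofType:@"cer"];
    NSData *pinnedDER = path ? [NSData dataWithContentsOfFile:path] : nil;
    SecTrustRef serverTrust = challenge.protectionSpace.serverTrust;

    if (pinnedDER && serverTrust &&
        TrustMatchesPinnedCertificate(serverTrust, challenge.protectionSpace.host, pinnedDER)) {
        completionHandler(NSURLSessionAuthChallengeUseCredential,
                          [NSURLCredential credentialForTrust:serverTrust]);
    } else {
        // Unknown or mismatched certificate: refuse the connection instead of accepting it
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
    }
}

@end
```

Pass an instance of this delegate to `sessionWithConfiguration:delegate:delegateQueue:` in place of the view controller. When the server certificate is rotated, the bundled copy has to be updated with it; a connection to a server presenting any other certificate, self-signed or CA-issued, is cancelled.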

That's all there is to it. If you have any questions, feel free to reply in the comments.

