Question
I'm trying to figure out what iOS' policy is when verifying certificates using Security.Framework regarding revocation of certificates. I cannot find information about this in the docs for iOS.

In the context of an iPad project I'm working on at the moment, there is reason to demand checking the revocation status of some certs. Any ideas on how to force CRL / OCSP checking during cert verification using Security.Framework? Or do I need to "fall back" to OpenSSL to accomplish this?
It seems that on Mac OS X 10.6, too, CRL / OCSP checks are optional and have to be turned on manually through Keychain Access.
Martijn
Answer
I have an answer to this question from the Apple guys; I posted the full answer here:
To sum it up, there are several things to keep in mind about the OCSP implementation on iOS:

- The OCSP policy cannot be configured at this moment
- It works for EV certificates only
- High-level APIs such as NSURLConnection or UIWebView use the TLS security policy, which uses OCSP
- SecTrustEvaluate is a blocking network operation
- It works on a "best attempt" basis: if the OCSP server cannot be contacted, the trust evaluation will not fail
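The following is an added example, not code from the original question or answer, showing how the points above play out in an NSURLConnection delegate: the trust evaluation is moved off the main thread because SecTrustEvaluate blocks on network access, and the result is interpreted conservatively. It goes one step beyond the answer, which describes the situation before iOS 7: Apple later added SecPolicyCreateRevocation (iOS 7 / OS X 10.9), and the example uses it with kSecRevocationRequirePositiveResponse to turn the "best attempt" behaviour into a hard failure when the OCSP responder cannot be reached. On older releases that policy does not exist, the line must be dropped, and evaluation stays best effort as the answer states. The class name, helper name and ARC are assumptions of this example.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Added example (not from the original answer). Assumptions: ARC, and iOS 7 /
// OS X 10.9 or later for SecPolicyCreateRevocation. Class and helper names are
// illustrative.

typedef void (^TrustEvaluationCompletion)(BOOL trusted, SecTrustResultType result);

// Evaluate `trust` for `hostname` on a background queue. SecTrustEvaluate may
// block while it talks to an OCSP responder, so it must not run on the main thread.
static void EvaluateServerTrustAsync(SecTrustRef trust,
                                     NSString *hostname,
                                     TrustEvaluationCompletion completion)
{
    CFRetain(trust);   // keep the trust object alive until the block finishes
    dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
        // Standard TLS server policy: chain building, hostname match, expiry.
        SecPolicyRef sslPolicy = SecPolicyCreateSSL(true, (__bridge CFStringRef)hostname);

        // Explicit revocation policy (iOS 7+). kSecRevocationRequirePositiveResponse
        // turns the default "best attempt" into a hard failure when the responder
        // cannot be reached or gives no usable answer. Drop this policy on older
        // releases, where revocation behaviour cannot be configured at all.
        SecPolicyRef revocationPolicy = SecPolicyCreateRevocation(
            kSecRevocationOCSPMethod | kSecRevocationRequirePositiveResponse);

        NSArray *policies = @[ (__bridge id)sslPolicy, (__bridge id)revocationPolicy ];
        SecTrustSetPolicies(trust, (__bridge CFArrayRef)policies);

        SecTrustResultType result = kSecTrustResultInvalid;
        OSStatus status = SecTrustEvaluate(trust, &result);   // blocking call

        // Proceed = user-approved anchor; Unspecified = chains to a system anchor
        // with no explicit user decision. Everything else is treated as failure.
        BOOL trusted = (status == errSecSuccess) &&
                       (result == kSecTrustResultProceed ||
                        result == kSecTrustResultUnspecified);

        CFRelease(revocationPolicy);
        CFRelease(sslPolicy);
        CFRelease(trust);

        dispatch_async(dispatch_get_main_queue(), ^{
            completion(trusted, result);
        });
    });
}

@interface RevocationCheckingDelegate : NSObject <NSURLConnectionDelegate>
@end

@implementation RevocationCheckingDelegate

- (void)connection:(NSURLConnection *)connection
willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        // Not a TLS server-trust challenge (e.g. HTTP auth): let the system handle it.
        [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
        return;
    }

    EvaluateServerTrustAsync(space.serverTrust, space.host,
                             ^(BOOL trusted, SecTrustResultType result) {
        if (trusted) {
            NSURLCredential *credential = [NSURLCredential credentialForTrust:space.serverTrust];
            [challenge.sender useCredential:credential forAuthenticationChallenge:challenge];
        } else {
            NSLog(@"Rejecting %@: trust result %u", space.host, (unsigned)result);
            [challenge.sender cancelAuthenticationChallenge:challenge];
        }
    });
}

@end
```

Two practical notes: requiring a positive OCSP response means an unreachable responder (captive portal, corporate proxy blocking the responder URL) fails the connection, which is exactly the trade-off the original answer's "best attempt" default avoids, so decide per certificate class whether that is acceptable. On iOS 12 and later SecTrustEvaluate is deprecated in favour of SecTrustEvaluateWithError, which has the same blocking behaviour and should be dispatched the same way.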