iOS: Why won't some iPhone apps finish the SSL handshake with Charles Proxy?

Notice: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). Original StackOverflow URL: http://stackoverflow.com/questions/31633021/

Time: 2020-08-31 06:59:16  Source: igfitidea

Tags: ios, iphone, ssl, proxy, reverse-engineering

Asked by Grant Brown

I am using Charles Proxy to see all of the traffic that is coming out of my iPhone. I have the SSL certificate/profile installed on my iPhone and I can see a lot of the traffic that is SSL encrypted. However, some applications seem to not finish the SSL handshake.

The error is: "SSLHandshake: Remote host closed connection during handshake" and then Charles Proxy suggests configuring the application to trust the Charles Root Certificate. I thought I did when I installed the profile onto my iPhone?

Any explanation of this/way to fix it?

Accepted answer by Steffen Ullrich

There are applications which don't simply expect the certificate to be signed by one of the trusted CAs on the system, but which expect a single specific certificate or a certificate containing a specific public key. This is called certificate/public key pinning. For such applications it will not work if you configure the CA of Charles Proxy as trusted on the system, because they will not use this CA.

> Any explanation of this/way to fix it?

If the application is built to only trust a single certificate/public key and never trust something just because it is signed by a locally trusted CA, then you would need the original certificate and its private key to do the SSL interception. Since you don't have these there is no way to do the SSL interception.
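
How an iOS app can implement the public key pinning this answer describes, as an added Swift example that is not part of the original answer or taken from any particular app. The class name `PinningDelegate` and the pin value are placeholders, and it assumes iOS 15 or later for `SecTrustCopyCertificateChain`.

```swift
import Foundation
import Security
import CryptoKit

// Illustrative URLSession delegate that pins the server's leaf public key.
final class PinningDelegate: NSObject, URLSessionDelegate {
    // Base64 SHA-256 of the expected key bytes. Placeholder value, not a real pin.
    // Note: this hashes the raw key export, not the SPKI structure used by HPKP-style pins.
    private let pinnedKeyHashes: Set<String> = ["REPLACE_WITH_BASE64_SHA256_OF_SERVER_KEY"]

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Step 1: ordinary chain validation against the device trust store.
        // A proxy-issued chain passes here once the proxy root is installed and trusted.
        guard SecTrustEvaluateWithError(trust, nil) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Step 2: the pin. The leaf's public key must be one the app shipped with.
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first,
              let key = SecCertificateCopyKey(leaf),
              let keyBytes = SecKeyCopyExternalRepresentation(key, nil) as Data? else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let hash = Data(SHA256.hash(data: keyBytes)).base64EncodedString()

        if pinnedKeyHashes.contains(hash) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // A proxy-generated leaf carries the proxy's own key, so the hash
            // differs and the app cancels the connection despite a trusted chain.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}
```

Step 1 is the only check that installing a root certificate on the device influences; step 2 depends solely on values compiled into the app.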

Answer by Neil Sarkar

Yes, SSL pinning is a possibility. Although as of iOS 10.3, you must take an additional step to trust the Charles Root Certificate that is not currently documented on their website. Edit: this info is now under iOS Devices here: https://www.charlesproxy.com/documentation/using-charles/ssl-certificates/

Settings > General > About > Certificate Trust Settings

Source: https://www.neglectedpotential.com/2017/04/trusting-custom-root-certificates-on-ios-10-3/
