Steps for Configuring Apache HTTPS and iOS HTTPS Request Validation

Previously, the backend team configured HTTPS and directly provided us with the certificate. Today, I will walk through the HTTPS configuration process myself to document the steps.

Apache HTTPS configuration steps

1. Check if the mod_ssl.so file is installed

yum -y install openssl openssl-devel mod_ssl

If it is already installed, you will see a prompt like the one below:

Steps for Configuring Apache HTTPS and iOS HTTPS Request Validation

2. Generate the certificate and key

openssl genrsa 1024 > server.key

Note: This generates a key using 128-bit RSA algorithm, resulting in the server.key file.

Step 2: Generate the certificate request file

Command: openssl req -new -key server.key > server.csr

Note: This generates the certificate request file server.csr using the key from step 1. This step may prompt many questions, so input them step by step.

Step 3: Generate the certificate

Command: openssl req -x509 -days 365 -key server.key -in server.csr > server.crt

Note: This generates the certificate server.crt using the key and certificate request from steps 1 and 2. The -days parameter specifies the certificate’s validity period in days.

3 Configure Apache

Configure the Apache file path based on the system (httpd.confhttpd-ssl.conf)

Modify httpd.conf

Step 1: Open the SSL module and remove the # or add the following statement:

LoadModule ssl_module modules/mod_ssl.so

Step 2: Include the SSL configuration file based on the system installation path. If you have this httpd-ssl.conf, include it; if you only have ssl.conf, you do not need to add the following statement:

Include /apache/conf/httpd-ssl.conf

Modify /etc/httpd/conf.d/ssl.conf

#LoadModule ssl_module modules/mod_ssl.so

<VirtualHost _default_:443>

DocumentRoot “/var/www/html”

ServerName domain:443

ErrorLog logs/ssl_error_log

TransferLog logs/ssl_access_log

LogLevel warn

SSLEngine on

SSLProtocol TLSv1 TLSv1.1 TLSv1.2

SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4

SSLCertificateFile cert/public.pem

#SSLCertificateFile /etc/httpd/cert/ca.crt

#SSLCertificateKeyFile etc/httpd/cert/214005424610942.key

SSLCertificateKeyFile cert/214005424610942.key

#SSLCertificateKeyFile /etc/httpd/cert/ca.key

#SSLCertificateChainFile /etc/httpd/cert/chain.pem

SSLCertificateChainFile cert/chain.pem

4 Restart Apache

service httpd restart

5 Check the port

netstat -anp

0.0.0.0:443

If access is denied, it may be due to the firewall blocking it.

iptables -I INPUT -p TCP –dport 443 -j ACCEPT

https://domain

iOS port HTTPS authentication

If you are using a paid or third-party free CA authorized certificate, just throw it to the server configuration. Theoretically, the iOS client only needs to change the address to the HTTPS address to adapt successfully. However, it is still advisable to make some configurations to ensure everything is foolproof.

If the project uses AFNetworking, you can accomplish this with just a few lines of code.

NSString *urlString = @”https://www.in2016.cn/index.php/users/ceshi”;

AFHTTPSessionManager *manager = [AFHTTPSessionManager manager];

AFSecurityPolicy *securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey];

[securityPolicy setAllowInvalidCertificates:YES];

[securityPolicy setValidatesDomainName:YES];

manager.securityPolicy = securityPolicy;

manager.responseSerializer = [AFHTTPResponseSerializer serializer];

[manager GET:urlString

parameters:nil

progress:nil

success:^(NSURLSessionDataTask * _Nonnull task, id _Nullable responseObject) {

NSDictionary * dic = [NSJSONSerialization JSONObjectWithData:responseObject options:NSJSONReadingMutableLeaves error:nil];

NSLog(“OK === %@”,dic);

NSString *htmlString = [[NSString alloc]initWithData:responseObject encoding:NSUTF8StringEncoding];

NSLog(“%@”,htmlString);

} failure:^(NSURLSessionDataTask * _Nullable task, NSError * _Nonnull error) {

NSLog(“error ==%@”,error.description);

}];

Using a self-signed certificate (the backend will provide you with a crt certificate to export a cer file)

Or export the certificate using the command openssl s_client -connect domain:443/dev/null| openssl x509 -outform DER >client.cer

NSString *urlString = @”https://domain”;

AFHTTPSessionManager *manager = [AFHTTPSessionManager manager];

AFSecurityPolicy *securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey];

[securityPolicy setAllowInvalidCertificates:YES];

[securityPolicy setValidatesDomainName:YES];

manager.securityPolicy = securityPolicy;

// Specify the file

// NSData *certData = [NSData dataWithContentsOfFile:[[NSBundle mainBundle] pathForResource:@”client” ofType:@”cer”]];

// NSSet *cerSet = [NSSet setWithObject:certData];

// if(certData){

// [securityPolicy setPinnedCertificates:cerSet];

// }

// allowInvalidCertificates Whether to allow invalid certificates (i.e., self-signed certificates), default isNO

// If you need to validate self-signed certificates, set it to YES

// securityPolicy.allowInvalidCertificates = YES;

//validatesDomainName Whether to validate the domain name, default isYES;

//If the domain name on the certificate does not match the requested domain name, set this to NO; if set to NO, the server can also establish a connection using a certificate issued by another trusted authority, which is very dangerous, so it is recommended to keep it enabled.

//Setting it to NO is mainly used in cases where the client requests a subdomain, while the certificate is for another domain. Since the domain on the SSL certificate is independent, if the registered domain on the certificate is www.google.com, then mail.google.com cannot be validated; of course, if you have the money, you can register a wildcard domain *.google.com, but that is still quite expensive.

//If set to NO, it is recommended to add corresponding domain validation logic.

//securityPolicy.validatesDomainName = NO;

manager.responseSerializer = [AFHTTPResponseSerializer serializer];

[manager GET:urlString

parameters:nil

progress:nil

success:^(NSURLSessionDataTask * _Nonnull task, id _Nullable responseObject) {

NSDictionary * array = [NSJSONSerialization JSONObjectWithData:responseObject options:NSJSONReadingMutableLeaves error:nil];

NSLog(“OK === %@”,array);

NSString *htmlString = [[NSString alloc]initWithData:responseObject encoding:NSUTF8StringEncoding];

NSLog(“%@”,htmlString);

} failure:^(NSURLSessionDataTask * _Nullable task, NSError * _Nonnull error) {

NSLog(“error ==%@”,error.description);

}];

Check HTTPS using MAC

nscurl –ats-diagnostics –verbose https://www.in2016.cn/index.php/users/ceshi

Starting ATS Diagnostics

Configuring ATS Info.plist keys and displaying the result of HTTPS loads to https://www.in2016.cn/index.php/users/ceshi.

A test will “PASS” if URLSession:task:didCompleteWithError: returns a nil error.

================================================================================

Default ATS Secure Connection

ATS Default Connection

ATS Dictionary:

{

}

Result : PASS

================================================================================

Allowing Arbitrary Loads

Allow All Loads

ATS Dictionary:

{

NSAllowsArbitraryLoads = true;

}

Result : PASS

================================================================================

Configuring TLS exceptions for www.in2016.cn

TLSv1.2

ATS Dictionary:

{

NSExceptionDomains = {

“www.in2016.cn” = {

NSExceptionMinimumTLSVersion = “TLSv1.2”;

};

};

}

Result : PASS

TLSv1.1

ATS Dictionary:

{

NSExceptionDomains = {

“www.in2016.cn” = {

NSExceptionMinimumTLSVersion = “TLSv1.1”;

};

};

}

Result : PASS

TLSv1.0

ATS Dictionary:

{

NSExceptionDomains = {

“www.in2016.cn” = {

NSExceptionMinimumTLSVersion = “TLSv1.0”;

};

};

}

Result : PASS

================================================================================

Configuring PFS exceptions for www.in2016.cn

Disabling Perfect Forward Secrecy

ATS Dictionary:

{

NSExceptionDomains = {

“www.in2016.cn” = {

NSExceptionRequiresForwardSecrecy = false;

};

};

}

Result : PASS

================================================================================

Configuring PFS exceptions and allowing insecure HTTP for www.in2016.cn

Disabling Perfect Forward Secrecy and Allowing Insecure HTTP

ATS Dictionary:

{

NSExceptionDomains = {

“www.in2016.cn” = {

NSExceptionAllowsInsecureHTTPLoads = true;

NSExceptionRequiresForwardSecrecy = false;

};

};

}

Result : PASS

================================================================================

Configuring TLS exceptions with PFS disabled for www.in2016.cn

TLSv1.2 with PFS disabled

ATS Dictionary:

{

NSExceptionDomains = {

“www.in2016.cn” = {

NSExceptionMinimumTLSVersion = “TLSv1.2”;

NSExceptionRequiresForwardSecrecy = false;

};

};

}

Result : PASS

TLSv1.1 with PFS disabled

ATS Dictionary:

{

NSExceptionDomains = {

“www.in2016.cn” = {

NSExceptionMinimumTLSVersion = “TLSv1.1”;

NSExceptionRequiresForwardSecrecy = false;

};

};

}

Result : PASS

TLSv1.0 with PFS disabled

ATS Dictionary:

{

NSExceptionDomains = {

“www.in2016.cn” = {

NSExceptionMinimumTLSVersion = “TLSv1.0”;

NSExceptionRequiresForwardSecrecy = false;

};

};

}

Result : PASS

================================================================================

Configuring TLS exceptions with PFS disabled and insecure HTTP allowed for www.in2016.cn

TLSv1.2 with PFS disabled and insecure HTTP allowed

ATS Dictionary:

{

NSExceptionDomains = {

“www.in2016.cn” = {

NSExceptionAllowsInsecureHTTPLoads = true;

NSExceptionMinimumTLSVersion = “TLSv1.2”;

NSExceptionRequiresForwardSecrecy = false;

};

};

}

Result : PASS

TLSv1.1 with PFS disabled and insecure HTTP allowed

ATS Dictionary:

{

NSExceptionDomains = {

“www.in2016.cn” = {

NSExceptionAllowsInsecureHTTPLoads = true;

NSExceptionMinimumTLSVersion = “TLSv1.1”;

NSExceptionRequiresForwardSecrecy = false;

};

};

}

Result : PASS

TLSv1.0 with PFS disabled and insecure HTTP allowed

ATS Dictionary:

{

NSExceptionDomains = {

“www.in2016.cn” = {

NSExceptionAllowsInsecureHTTPLoads = true;

NSExceptionMinimumTLSVersion = “TLSv1.0”;

NSExceptionRequiresForwardSecrecy = false;

};

};

}

Result : PASS

================================================================================

MacBook-Pro:~ snow$

Based on the above information, configure the plist file

NSAppTransportSecurity YES

NSExceptionDomains

www.in2016.cn

NSIncludesSubdomains

NSExceptionRequiresForwardSecrecy

NSExceptionAllowsInsecureHTTPLoads

Related posts

  1. Detailed Explanation of the Differences Between HTTP and HTTPS Protocols
  2. Apache HttpClient: A Bridge for Java Network Connections
  3. Linus Torvalds Critiques the AI Hype: ‘90% is Marketing, 10% is Reality.’
  4. 4 Updates for HTTP Performance Optimization in Go 1.22
  5. Exploring Apache HttpClient: A Java Request Adventure
  6. How to Access and Configure Router.ctc
  7. What are the Differences Between HTTP/1.0 and HTTP/2.0?
  8. Simple Deployment of an HTTP File Server on a Local Area Network
  9. HTTP Response Compression in Go: Implementing Gzip Middleware with Adaptive Compression Strategy
  10. Vol.03 HTTP and SOCKET
  11. The Emerging Red Ocean of Smart Home: How Can New Players Forge a New Path?
  12. Understanding HTTPS and SSL/TLS Protocols
  13. Quick Start Guide to Pytest Testing Framework in 5 Minutes
  14. Programming Continuous Control Programs for Siemens S7-1200 PLC
  15. Huawei Comic Science Popularization | What is DSP?
  16. Water Quality Detection Based on ESP8266 (MQTT Reporting Mini Program and HA)
  17. Common MCU Products with DAC
  18. In-Car Displays | A New Concept for Automotive Touch Interaction
  19. Enterprise-Level Python Application Architecture Design and Best Practices

Leave a Comment