iOS MQTT链接-双向认证 亲测可用
双向认证方法:
让后台生成 ca.crt 和 client.p12文件(client.p12文件由client.crt和client.key合成) 我使用的是服务自签证书
使用命令行把ca.crt转化为ca.der格式
openssl x509 -in ca.crt -out ca.der -outform derclient.crt,client.key合并成p12文件
openssl pkcs12 -export -in client.crt -inkey client.key -out certificate.p12 -name "certificate"
如果服务给的证书是 pem 文件
openssl x509 -in ca.pem -out ca.der -outform deropenssl pkcs12 -export -in client-crt.pem -inkey client-key.pem -out certificate.p12 -name "certificate"
MQTTClient中的的session的双向认证方法:
MQTTSSLSecurityPolicyTransport *transport = [[MQTTSSLSecurityPolicyTransport alloc] init];
transport.host = @"127.0.0.1";
transport.port = 1884;
transport.tls = YES;
NSString *ca = [[NSBundle mainBundle] pathForResource:@"ca" ofType:@"der"]; // 必须是der 格式
NSString *client = [[NSBundle mainBundle] pathForResource:@"certificate" ofType:@"p12"];//注意不可以用client命名,否则无法获取到文件路径
transport.certificates = [MQTTSSLSecurityPolicyTransport clientCertsFromP12:client passphrase:@"password"];
MQTTSSLSecurityPolicy *securityPolicy = [MQTTSSLSecurityPolicy policyWithPinningMode:MQTTSSLPinningModeCertificate];
securityPolicy.allowInvalidCertificates = YES;
securityPolicy.validatesDomainName = NO;
securityPolicy.validatesCertificateChain = NO;
securityPolicy.pinnedCertificates = @[[NSData dataWithContentsOfFile:ca]];
transport.securityPolicy = securityPolicy;
MQTTSession *session = [[MQTTSession alloc] init];
session.transport = transport;
session.certificates = nil; // 注意:这双向认证时必须置空,不然会报9824错误
session.securityPolicy = nil; // 不是必须的
session.delegate = self;
session.willFlag = YES;
session.userName = @"userName";
session.password = @"password";
session.willQoS = MQTTQosLevelAtLeastOnce;
session.willRetainFlag = NO;
session.cleanSessionFlag = YES;
session.willTopic = @"/app/lastwill" ;
NSDictionary *dic = @{@"subject":@"disconnect"};
NSData *data1 = [NSJSONSerialization dataWithJSONObject:dic options:NSJSONWritingPrettyPrinted error:nil];
session.willMsg = data1;
session.clientId = @"ssid";
[session connect];