If you're talking to a server or service over HTTPS, the certificate it presents has to pass validation. This isn't a problem for servers whose SSL certificate has been signed by a trusted authority, but on occasion these certificates are self-signed. By default, all browsers complain if a certificate has not been signed by a trusted authority, and the iPhone is no different. This is a little tricky when an application is communicating with a server: you don't want to ask the user whether or not they want to continue with the request, you just want to get on with it.

The method I am going to describe allows you to accept the self-signed certificate without adding a 'pem' file to the keychain and uses the CoreServices Framework.

First up, we have to create a CFHTTPMessageRef reference using the CFHTTPMessageCreateRequest from CoreServices.


    CFHTTPMessageRef request = CFHTTPMessageCreateRequest(
        kCFAllocatorDefault,
        CFSTR("POST"),
        (CFURLRef) [NSURL URLWithString:@"https://--your site url--/"],
        kCFHTTPVersion1_1);


Next up, we need to grab the stream for this request of type CFReadStreamRef.


CFReadStreamRef stream = CFReadStreamCreateForHTTPRequest(kCFAllocatorDefault, request);


Now, for this stream, we need to tell the iPhone not to object when it is presented with a self-signed certificate.


    // Dictionary of SSL settings to apply to the stream.
    CFMutableDictionaryRef securityDictRef = CFDictionaryCreateMutable(
        kCFAllocatorDefault,
        0,
        &kCFTypeDictionaryKeyCallBacks,
        &kCFTypeDictionaryValueCallBacks);

    if (securityDictRef != NULL) {
        // Turn off certificate chain validation for this stream only.
        CFDictionarySetValue(securityDictRef, kCFStreamSSLValidatesCertificateChain, kCFBooleanFalse);
        CFReadStreamSetProperty(stream, kCFStreamPropertySSLSettings, securityDictRef);
        CFRelease(securityDictRef);
    }


And there we go. Essentially we're telling the CFReadStreamRef that we do not want the certificate chain validated, so the stream accepts whatever certificate the server presents. We also have the option of using kCFStreamSSLAllowsExpiredCertificates for allowing expired certificates through, kCFStreamSSLAllowsExpiredRoots to do the same for expired roots and kCFStreamSSLCertificates to add in a certificate of your own. For more details, check out the "CFStream Socket Additions" documentation.
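
With chain validation switched off, nothing ties the connection to your own server any more. The following is an added example, not code from the original post, that goes one step beyond it: it keeps the same stream setting but only uses the response if the server's leaf certificate is byte-for-byte the DER certificate shipped with the app. The helper names, the use of GET and the pinnedDER parameter are assumptions; it uses manual reference counting like the casts above, and assumes kCFStreamPropertySSLPeerTrust is readable on the HTTP stream once the first response bytes arrive.

```objective-c
#import <Foundation/Foundation.h>
#import <CFNetwork/CFNetwork.h>
#import <Security/Security.h>

// Hypothetical helper: YES only if the peer's leaf certificate equals the pinned DER bytes.
static BOOL PeerMatchesPinnedCert(CFReadStreamRef stream, CFDataRef pinnedDER) {
    SecTrustRef trust = (SecTrustRef)CFReadStreamCopyProperty(stream, kCFStreamPropertySSLPeerTrust);
    if (trust == NULL) return NO;              // handshake not finished, or not a TLS stream
    BOOL match = NO;
    if (SecTrustGetCertificateCount(trust) > 0) {
        SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);  // index 0 is the leaf
        CFDataRef leafDER = SecCertificateCopyData(leaf);
        if (leafDER != NULL) {
            match = CFEqual(leafDER, pinnedDER);
            CFRelease(leafDER);
        }
    }
    CFRelease(trust);
    return match;
}

// Hypothetical helper: returns the response body, or nil if the read fails or the pin does not match.
// Blocks while reading, so call it off the main thread. The request itself has already been
// sent by the time the pin is checked, so it must not carry secrets.
static NSData *FetchWithPinnedSelfSignedCert(NSURL *url, NSData *pinnedDER) {
    CFHTTPMessageRef request = CFHTTPMessageCreateRequest(
        kCFAllocatorDefault, CFSTR("GET"), (CFURLRef)url, kCFHTTPVersion1_1);
    CFReadStreamRef stream = CFReadStreamCreateForHTTPRequest(kCFAllocatorDefault, request);
    CFRelease(request);

    // Same setting as the post: no chain validation on this stream.
    const void *keys[] = { kCFStreamSSLValidatesCertificateChain };
    const void *vals[] = { kCFBooleanFalse };
    CFDictionaryRef ssl = CFDictionaryCreate(kCFAllocatorDefault, keys, vals, 1,
        &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
    CFReadStreamSetProperty(stream, kCFStreamPropertySSLSettings, ssl);
    CFRelease(ssl);

    NSMutableData *body = nil;
    if (CFReadStreamOpen(stream)) {
        UInt8 buf[4096];
        CFIndex n = CFReadStreamRead(stream, buf, sizeof buf);   // first bytes: handshake is done
        if (n > 0 && PeerMatchesPinnedCert(stream, (CFDataRef)pinnedDER)) {
            body = [NSMutableData data];
            do { [body appendBytes:buf length:n]; }
            while ((n = CFReadStreamRead(stream, buf, sizeof buf)) > 0);
        }
        CFReadStreamClose(stream);
    }
    CFRelease(stream);
    return body;
}
```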