HOWTO make NSURLConnection ignore bad certificates

By Paul Robichaux on June 13, 2008 11:48 AM | 2 Comments

I'm working on a demo application that uses Exchange Web Services from Cocoa, Apple's object-oriented OS framework. Cocoa is a really interesting environment, with a lot of very cool capabilities. One thing it can't do, though, is give your application a way to examine a returned certificate that the framework thinks is bad. The certificate might appear to be bad because it's expired or invalid, or merely because it's self-signed (or issued by another untrusted CA). Because many Exchange servers will have self-signed certificates, the demo app won't work on them without a way to finesse this problem. Because it's just a demo application, I didn't want to require the user to add the self-signed certificate to their certificate trust list, and I didn't want to turn off certificate checking completely (if that's even possible).

The answer, which I found here, is to override a private, unsupported, category method, allowsAnyHTTPSCertificateForHost. Just call it with the FQDN of the host whose certificate errors you want to ignore and you're golden.

2 Comments

Don't use this | January 9, 2010 10:13 AM | Reply

There is a supported API for accomplishing this! Add something like this to your NSURLConnection delegate:

- (BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace {
return [protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust];
}

- (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust])
if ([trustedHosts containsObject:challenge.protectionSpace.host])
[challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust] forAuthenticationChallenge:challenge];

[challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge];
}

Author Profile Page Paul Robichaux replied to comment from Don't use this | January 10, 2010 12:54 PM | Reply

Coincidentally, I see that Dr. Touch has posted a similar snippet for use on the iPhone. I was looking for it, so it's good that he came up with it. http://www.drobnik.com/touch/2009/11/ignoring-certificate-errors-on-nsurlrequest/

Leave a comment

Search

About this Entry

This page contains a single entry by Paul Robichaux published on June 13, 2008 11:48 AM.

Final Salute (Sheeler) was the previous entry in this blog.

A shout out to Peggy is the next entry in this blog.

Find recent content on the main index or look in the archives to find all content.

Monthly Archives

Tag Cloud

Pages