For an iOS HTTPS connection, the proper way to trust a self-signed server certificate is to install the root CA certificate (the one that signs the server certificate) into a device profile using MDM or the iPhone configuration tool. Installed that way, the self-signed root certificate is trusted by all iOS applications on the device, and the trust is handled transparently to the application logic. Two caveats: a root installed this way is trusted device-wide, so its private key should be protected as carefully as any production CA key; and on iOS 10.3 and later a manually installed root profile is not trusted for TLS until the user also enables it under Settings > General > About > Certificate Trust Settings (profiles pushed by MDM do not need this extra step).
Note that simply accepting and trusting the self-signed certificate on an HTTPS web page in Mobile Safari is not enough: that only lets Safari accept the certificate, and does not install it into a device profile, so other applications still will not trust it and will fail to establish an HTTPS connection with that server.
As another option, if the self-signed certificate only needs to be trusted by a single application, and you have full control over that application's implementation (that is, it does not rely on a third-party library to establish its HTTPS connections, since such a library performs its own trust evaluation and never sees your anchor), you can include a copy of the root certificate in the application bundle, load it with SecCertificateCreateWithData (which expects DER, not PEM), and pass it to SecTrustSetAnchorCertificates on the challenge's serverTrust object. Note that you will usually want to trust both the device's built-in root CAs and your self-signed root. If SecTrustSetAnchorCertificates is called on its own, only the anchors you passed in are trusted, so you should also call SecTrustSetAnchorCertificatesOnly with false; after that a single call to SecTrustEvaluate evaluates the chain against both sets. (SecTrustEvaluate is deprecated since iOS 12 in favour of SecTrustEvaluateWithError, which reports the failure reason directly.) Anchoring your root does not relax hostname checking: the SSL policy already attached to serverTrust still requires the server certificate to match the host you connected to.

In addition, if your application handles the self-signed certificate itself, you can read the server certificate and the rest of its chain from the challenge.protectionSpace.serverTrust object with the code below. This information can be used to prompt the user to decide whether to trust the self-signed certificate. If you do prompt, record the decision together with a fingerprint of the certificate and compare against it on later connections rather than asking every time; a prompt the user has to click through on every launch quickly trains them to accept anything, including an attacker's certificate.
SecTrustRef trust = challenge.protectionSpace.serverTrust;
CFIndex certCount = SecTrustGetCertificateCount(trust);
// Index 0 is the server (leaf) certificate; higher indexes walk up the chain towards the root.
for (CFIndex certIndex = 0; certIndex < certCount; certIndex++) {
    SecCertificateRef thisCertificate = SecTrustGetCertificateAtIndex(trust, certIndex);
    // "Copy" in the name means the caller owns the string; __bridge_transfer hands it to ARC.
    NSString *summary = (__bridge_transfer NSString *)SecCertificateCopySubjectSummary(thisCertificate);
    NSLog(@"%@", summary);
    // Get the DER representation of the certificate data; it can be parsed with the OpenSSL library.
    CFDataRef cerData = SecCertificateCopyData(thisCertificate);
    //... parse the certificate data with OpenSSL library
    //... prompt user with the certificate information
    CFRelease(cerData);
}
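As an added, self-contained example (not code from the original post), here is an NSURLSession delegate that implements the per-application approach described above, and, for the prompt-based variant, computes the fingerprint a "trust this certificate?" prompt or a remembered decision should key on. It assumes the root CA is shipped as a DER file named myroot.cer in the main bundle; that filename and the class name are placeholders. The same trust logic applies unchanged to NSURLConnection's connection:didReceiveAuthenticationChallenge: delegate method.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <CommonCrypto/CommonDigest.h>

// Added example, not code from the original post. "myroot.cer" is an assumed
// filename for the DER-encoded root CA shipped in the application bundle.
static SecCertificateRef LoadBundledRootCertificate(void) {
    NSString *path = [[NSBundle mainBundle] pathForResource:@"myroot" ofType:@"cer"];
    if (path == nil) return NULL;
    NSData *der = [NSData dataWithContentsOfFile:path];
    if (der == nil) return NULL;
    // SecCertificateCreateWithData only accepts DER; for a PEM file it returns NULL.
    return SecCertificateCreateWithData(NULL, (__bridge CFDataRef)der);
}

// Hex SHA-256 of the certificate's DER bytes: what a trust prompt should display,
// and what a remembered trust decision should be keyed on.
static NSString *CertificateSHA256Fingerprint(SecCertificateRef cert) {
    CFDataRef der = SecCertificateCopyData(cert);
    unsigned char digest[CC_SHA256_DIGEST_LENGTH];
    CC_SHA256(CFDataGetBytePtr(der), (CC_LONG)CFDataGetLength(der), digest);
    CFRelease(der);
    NSMutableString *hex = [NSMutableString stringWithCapacity:2 * CC_SHA256_DIGEST_LENGTH];
    for (int i = 0; i < CC_SHA256_DIGEST_LENGTH; i++) {
        [hex appendFormat:@"%02x", digest[i]];
    }
    return hex;
}

@interface SelfSignedTrustDelegate : NSObject <NSURLSessionDelegate>
@end

@implementation SelfSignedTrustDelegate

- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler {
    // Only server-trust challenges are ours; client certificates, HTTP auth etc. keep default handling.
    if (![challenge.protectionSpace.authenticationMethod
            isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }

    SecTrustRef trust = challenge.protectionSpace.serverTrust;
    SecCertificateRef root = LoadBundledRootCertificate();
    if (root == NULL) {
        // No anchor available: fall back to the system roots only, never to "accept anything".
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }

    // Anchor our root and keep the built-in roots too (false). Pass true instead if this
    // connection must only ever chain to our root, i.e. if you want pinning.
    NSArray *anchors = @[ (__bridge id)root ];
    SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors);
    SecTrustSetAnchorCertificatesOnly(trust, false);
    CFRelease(root); // the anchors array holds its own reference

    // The SSL policy already attached to serverTrust still checks the certificate against
    // challenge.protectionSpace.host, so hostname verification stays in force.
    // SecTrustEvaluate is deprecated from iOS 12; SecTrustEvaluateWithError is the replacement.
    SecTrustResultType result = kSecTrustResultInvalid;
    OSStatus status = SecTrustEvaluate(trust, &result);
    BOOL trusted = (status == errSecSuccess) &&
                   (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);

    if (trusted) {
        completionHandler(NSURLSessionAuthChallengeUseCredential,
                          [NSURLCredential credentialForTrust:trust]);
        return;
    }

    // The chain did not validate. If the app prompts the user instead of failing outright,
    // the prompt should show the leaf fingerprint and the decision should be remembered
    // against it rather than re-asked on every connection; here it is only logged.
    if (SecTrustGetCertificateCount(trust) > 0) {
        SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
        NSLog(@"untrusted server certificate for %@, SHA-256 %@",
              challenge.protectionSpace.host, CertificateSHA256Fingerprint(leaf));
    }
    completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
}

@end
```

Install the delegate with [NSURLSession sessionWithConfiguration:delegate:delegateQueue:]. The untrusted branch deliberately cancels rather than falling back to NSURLSessionAuthChallengePerformDefaultHandling, which would re-run the evaluation without the bundled anchor and fail anyway.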