Re: NSURLConnection and self-signed certs?
- Subject: Re: NSURLConnection and self-signed certs?
- From: Wade Tregaskis <email@hidden>
- Date: Mon, 14 Jun 2004 11:45:17 +1000
> Thanks for the pointers, I looked at SecureTransport and tried to
> compile the "SSLSample" from the Apple developer site (it fails saying
> there's one error, but there are no errors shown in Xcode's Errors &
> Warnings list, only a single warning about an OSStatus type variable
> possibly being used uninitialized in setCipherRestrictions).
> Looking at the code, it also seems to be at a lower level than I was
> hoping for. Presuming that this is also somewhere underneath
> NSURLConnection, then I'd like to be able to just call or access the
> "SSLSetAllowsAnyRoot" function or the setting it flips, as you
> suggest.
There is the undocumented setAllowsAnyHTTPSCertificate class method on
NSURLRequest. It has the form shown below. It might do what you want,
although it seems to be a global setting, so be careful with it. :)
+ (void)setAllowsAnyHTTPSCertificate:(BOOL)allowAny forHost:(id)host;
// Don't know what the last parameter is... NSHost perhaps?
Also, the actual class which is used for HTTPS appears to be the
undocumented NSCFNetworkHTTPURLProtocol. It has a whole host of
potential methods on it, such as those shown below. I haven't played
with any, however, so for a lot of them it's a bit of pot luck whether
they work or not.
+ (int)_certificatePolicy;
+ (void)_setCertificatePolicy:(int)fp8;
+ (BOOL)_supportsCertificatePolicy:(int)fp8;
I can't find anything else anywhere in Foundation. There's no actual
references to SecureTransport anywhere, as in instance variables
holding the necessary session reference. This doesn't mean it's not
there (it may be associated with some object, in some property list,
whatever), but it does make it trickier. It's possible the NSURL HTTPS
stuff does things manually, some other way... although I very much
doubt it.
> I also realize that it is of course preferred to only access sites
> with validly signed/trusted certificates, but a) in practice, we don't
> always have that option with sites that are out there and b) even
> without the valid cert, those sites still provide encryption of the
> data in transit (yes?).
Yes. I gather the key point of all this is to encrypt your
communications, even if the other side is untrustworthy? If that is
the case, then it is valid, I suppose, to try to do what you want.
However, presumably there is some method of your own you use for
authenticating remote clients... if so, then perhaps you could move the
encryption stuff up a level to your own protocol, rather than trying to
bend HTTPS to your will.
Wade Tregaskis (aim: wadetregaskis)
-- Sed quis custodiet ipsos custodes?
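Editor's added example, not code from the thread above. The undocumented +setAllowsAnyHTTPSCertificate:forHost: discussed above disables server validation outright, so a connection that uses it is encrypted to whoever answers, including an interposed proxy. The narrower fix for a self-signed server is to pin that one certificate: compare the leaf the server presents against a bundled DER copy and reject anything else. The code below does that with the public NSURLConnection delegate API that Apple shipped in later SDKs (willSendRequestForAuthenticationChallenge:, Mac OS X 10.7 / iOS 5 and later), which was not available when this 2004 message was written. The file name "server.der", the host "internal.example:8443" and the class name PinnedConnectionDelegate are assumptions for illustration.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Delegate that accepts exactly one self-signed server certificate (an
// exact DER match against a bundled copy) and rejects everything else.
@interface PinnedConnectionDelegate : NSObject <NSURLConnectionDelegate, NSURLConnectionDataDelegate>
@property (nonatomic, strong) NSData *pinnedCertificate;  // DER bytes of the expected leaf cert
@property (nonatomic, strong) NSMutableData *body;
@property (nonatomic, assign) BOOL finished;
@property (nonatomic, strong) NSError *error;
@end

@implementation PinnedConnectionDelegate

- (void)connection:(NSURLConnection *)connection
willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        // Not a TLS server-trust decision (e.g. HTTP Basic): let Foundation handle it.
        [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
        return;
    }

    SecTrustRef trust = space.serverTrust;
    // A self-signed cert never passes the system's chain evaluation, so the
    // decision rests entirely on an exact match of the leaf certificate. That
    // binds the connection to one specific key pair, which is stronger than a
    // hostname check and far stronger than "allow any certificate".
    NSData *leafDER = nil;
    if (trust != NULL && SecTrustGetCertificateCount(trust) > 0) {
        SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
        leafDER = CFBridgingRelease(SecCertificateCopyData(leaf));
    }

    if (leafDER != nil && self.pinnedCertificate != nil
        && [leafDER isEqualToData:self.pinnedCertificate]) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust]
             forAuthenticationChallenge:challenge];
    } else {
        // A different self-signed cert, an interposed proxy's cert, or a
        // CA-signed cert that was not pinned: refuse to talk to it at all.
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}

- (void)connection:(NSURLConnection *)connection didReceiveResponse:(NSURLResponse *)response
{
    self.body = [NSMutableData data];
}

- (void)connection:(NSURLConnection *)connection didReceiveData:(NSData *)data
{
    [self.body appendData:data];
}

- (void)connectionDidFinishLoading:(NSURLConnection *)connection
{
    self.finished = YES;
}

- (void)connection:(NSURLConnection *)connection didFailWithError:(NSError *)error
{
    // A cancelled challenge arrives here as NSURLErrorUserCancelledAuthentication.
    self.error = error;
    self.finished = YES;
}

@end

int main(int argc, const char *argv[])
{
    @autoreleasepool {
        PinnedConnectionDelegate *delegate = [PinnedConnectionDelegate new];
        // Assumed inputs: a DER export of the server's self-signed certificate
        // and the internal HTTPS host it belongs to.
        delegate.pinnedCertificate = [NSData dataWithContentsOfFile:@"server.der"];
        NSURL *url = [NSURL URLWithString:@"https://internal.example:8443/"];

        [NSURLConnection connectionWithRequest:[NSURLRequest requestWithURL:url]
                                      delegate:delegate];
        // NSURLConnection delivers delegate callbacks on the current run loop.
        while (!delegate.finished) {
            [[NSRunLoop currentRunLoop] runMode:NSDefaultRunLoopMode
                                     beforeDate:[NSDate dateWithTimeIntervalSinceNow:0.1]];
        }
        if (delegate.error != nil) {
            NSLog(@"request failed: %@", delegate.error);
            return 1;
        }
        NSLog(@"received %lu bytes over a pinned TLS connection",
              (unsigned long)delegate.body.length);
    }
    return 0;
}
```

Build with `clang -fobjc-arc -framework Foundation -framework Security pinned.m -o pinned`. Export the server's certificate once (for example `openssl s_client -connect host:8443 </dev/null | openssl x509 -outform DER > server.der`) and ship that file with the app. Because the pin is an exact match on the leaf, rotating the server's certificate requires shipping a new copy; that is the price of not trusting anything else.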
macnetworkprog mailing list | email@hidden
Help/Unsubscribe/Archives:
http://www.lists.apple.com/mailman/listinfo/macnetworkprog