Re: [MacNetwork] Verifying Certificates ... on the iPhone?

  • Subject: Re: [MacNetwork] Verifying Certificates ... on the iPhone?
  • From: Quinn <email@hidden>
  • Date: Wed, 16 Dec 2009 15:49:33 +0000

Alex

At 16:22 +0100 16/12/09, Alexander von Below wrote:
as I believe that the real network pros are still here and not on the iPhone Forums, I dare to ask this question here.

That's fine. While renaming the mailing list is tricky, I'm happy to tackle iPhone stuff here.


Now the question is: Do I have any way to verify the certificate, or at least read the Common Name on the iPhone?

Well, the default TLS security policy should be sufficient, but if you want to get involved in this process you can do so (on iPhone OS 3.0 and later, and Mac OS X 10.6) by implementing the -connection:canAuthenticateAgainstProtectionSpace: and -connection:didReceiveAuthenticationChallenge: delegate callbacks, looking for an NSURLAuthenticationMethodServerTrust authentication method.


To do this:

1. Implement the -connection:canAuthenticateAgainstProtectionSpace: delegate callback.

2. In your implementation, if the authentication method of the protection space is NSURLAuthenticationMethodServerTrust, you have two choices:

2a. Return NO, and let the default TLS algorithm kick in.

2b. Return YES, in which case your -connection:didReceiveAuthenticationChallenge: delegate callback will be called.

If you want to look at the certificates before you make that decision, you can call -serverTrust on the protection space object to get a trust object, and then use the SecTrust API to get the certificate chain.

3. If you take path 2b, your -connection:didReceiveAuthenticationChallenge: delegate callback will be called. You have two choices:

3a. Disallow the connection by calling -cancelAuthenticationChallenge: on the challenge's sender.

3b. Allow the connection by calling -useCredential:forAuthenticationChallenge: on the challenge's sender. To get a credential, call -[NSURLCredential initWithTrust:]. It doesn't actually matter what trust object you pass in here; the one from the protection space will do.


You don't have to do this synchronously. You can just latch the challenge and return from your delegate callback and then resolve the challenge at some point in the future.

You can use a similar technique to get involved in client identity choice.

S+E
--
Quinn "The Eskimo!"                    <http://www.apple.com/developer/>
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
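
The steps in the message above, put together as an added example (not code from the original post or from Apple): an NSURLConnection delegate that takes path 2b, runs the standard trust evaluation, and then additionally compares the leaf certificate's subject summary to an expected name. The class name `PinnedNameDelegate`, the constant `kExpectedSubject` and its value are hypothetical, ARC is assumed, and treating the subject summary as the name to compare is this example's assumption.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Constructed placeholder: the subject the app expects its server to present.
static NSString * const kExpectedSubject = @"server.example.com";

// Hypothetical class, set as the delegate of an NSURLConnection.
@interface PinnedNameDelegate : NSObject
@end

@implementation PinnedNameDelegate

// Steps 1-2: claim only server-trust challenges (path 2b). Returning NO for
// every other method leaves those to the default handling.
- (BOOL)connection:(NSURLConnection *)connection
canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)space {
    return [space.authenticationMethod
            isEqualToString:NSURLAuthenticationMethodServerTrust];
}

// Step 3: evaluate the chain first, then apply the extra subject check.
- (void)connection:(NSURLConnection *)connection
didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    SecTrustRef trust = challenge.protectionSpace.serverTrust;
    SecTrustResultType result = kSecTrustResultInvalid;
    BOOL ok = NO;

    // Proceed/Unspecified are the two results that mean the chain is trusted.
    if (trust != NULL && SecTrustEvaluate(trust, &result) == errSecSuccess
        && (result == kSecTrustResultProceed ||
            result == kSecTrustResultUnspecified)
        && SecTrustGetCertificateCount(trust) > 0) {
        // Index 0 of the evaluated chain is the server's own certificate.
        SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
        NSString *subject =
            (__bridge_transfer NSString *)SecCertificateCopySubjectSummary(leaf);
        NSLog(@"Server certificate subject: %@", subject);
        ok = [subject isEqualToString:kExpectedSubject];
    }

    if (ok) {   // 3b: allow the connection
        NSURLCredential *cred = [[NSURLCredential alloc] initWithTrust:trust];
        [challenge.sender useCredential:cred forAuthenticationChallenge:challenge];
    } else {    // 3a: disallow; a failed evaluation is never overridden here
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}

@end
```

Because the name check only runs after the chain has evaluated as trusted, it narrows the default policy rather than replacing it.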