Explain NSURLAuthenticationMethodServerTrust to me?
- Subject: Explain NSURLAuthenticationMethodServerTrust to me?
- From: Jens Alfke <email@hidden>
- Date: Tue, 17 Jul 2012 13:22:18 -0700
I understand most of the authentication methods supported by NSURLProtectionSpace. But I don't understand NSURLAuthenticationMethodServerTrust, even after reading through what documentation I could find. It's been showing up in -connection:willSendRequestForAuthenticationChallenge: delegate calls, and I don't know what to do with it.
Specifically, this is an HTTPS connection (regular server-side cert, no client cert) using HTTP Basic auth.
My delegate is called as expected with a challenge whose protection space uses NSURLAuthenticationMethodHTTPBasic, and I look up a credential to return. But with some servers (I haven't reproduced this yet, but users have) it's also getting called with the ServerTrust auth method. My code doesn't know what to do with this so it logs a warning and calls -continueWithoutCredentialForAuthenticationChallenge:. The connection seems to continue OK, but I'm wondering why this call occurs and if there's anything special I should do with it.
Here's my best guess: It sounds like this method differs from the others in that it's authenticating the _server_ to the client. So it gives the client a chance to examine the server's SSL certificate and decide whether it trusts it. The default appears to be to trust it. Is that accurate? This could also explain why I've started getting this call — for complicated reasons I've started appending a "." to the hostname, i.e. "example.com." instead of "example.com". This is valid hostname syntax, but the host name comparison that SecureTransport does may be confused by it and think the server cert doesn't match its hostname. In that case it sounds like it's pretty important to handle this auth method properly, else the connection is vulnerable to MITM attacks. Amirite?
—Jens
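The handling described above, as an added example that is not part of the original post: an NSURLConnection delegate that evaluates the server's certificate chain when it receives a ServerTrust challenge and only accepts the connection when evaluation succeeds. To address the trailing-dot hostname case raised in the post, the example re-evaluates the SecTrustRef against an SSL policy built from the hostname with any trailing "." removed (that hostname adjustment and the `MyConnectionDelegate` class are assumptions made for this example, not code from the poster).

```objc
// Added example (not from the original post). Handles the ServerTrust challenge by
// evaluating the server's chain against an SSL policy for the intended hostname.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// "example.com." is a valid absolute hostname, but the certificate's SAN/CN will say
// "example.com"; strip one trailing root-label dot before building the SSL policy.
// Assumption for this example: the app's own request is what appended the dot.
static NSString *HostnameForTrustEvaluation(NSString *host) {
    if (host.length > 1 && [host hasSuffix:@"."])
        return [host substringToIndex:host.length - 1];
    return host;
}

// Returns YES only if the system trust evaluation of `trust` succeeds for `host`.
// Note: SecTrustEvaluate may perform network I/O (intermediate/revocation fetches),
// so call it off the main thread in a real app.
static BOOL ServerTrustIsValidForHost(SecTrustRef trust, NSString *host) {
    SecPolicyRef policy = SecPolicyCreateSSL(true,
        (__bridge CFStringRef)HostnameForTrustEvaluation(host));
    OSStatus err = SecTrustSetPolicies(trust, policy);
    CFRelease(policy);
    if (err != errSecSuccess) return NO;

    SecTrustResultType result = kSecTrustResultInvalid;
    err = SecTrustEvaluate(trust, &result);
    if (err != errSecSuccess) return NO;

    // Proceed: the user explicitly trusted this chain (e.g. via Keychain Access).
    // Unspecified: chain is valid to a trusted anchor with no user override.
    // Every other result (RecoverableTrustFailure, FatalTrustFailure, ...) is a failure.
    return result == kSecTrustResultProceed || result == kSecTrustResultUnspecified;
}

@interface MyConnectionDelegate : NSObject <NSURLConnectionDelegate>
@property (nonatomic, strong) NSURLCredential *basicCredential; // looked up elsewhere
@end

@implementation MyConnectionDelegate

- (void)connection:(NSURLConnection *)connection
willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
    NSURLProtectionSpace *space = challenge.protectionSpace;
    NSString *method = space.authenticationMethod;

    if ([method isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        // This challenge authenticates the *server* to us; the delegate decides
        // whether the presented chain is acceptable for the host we asked for.
        SecTrustRef trust = space.serverTrust;
        if (trust != NULL && ServerTrustIsValidForHost(trust, space.host)) {
            NSURLCredential *cred = [NSURLCredential credentialForTrust:trust];
            [challenge.sender useCredential:cred forAuthenticationChallenge:challenge];
        } else {
            // Failed trust evaluation means the peer is unauthenticated:
            // cancel rather than continue without a credential.
            [challenge.sender cancelAuthenticationChallenge:challenge];
        }
        return;
    }

    if ([method isEqualToString:NSURLAuthenticationMethodHTTPBasic]) {
        // Existing Basic-auth path: supply the credential once; if it has already
        // been rejected, cancel instead of retrying forever.
        if (self.basicCredential != nil && challenge.previousFailureCount == 0)
            [challenge.sender useCredential:self.basicCredential
                 forAuthenticationChallenge:challenge];
        else
            [challenge.sender cancelAuthenticationChallenge:challenge];
        return;
    }

    // Any other method: let the framework apply its default behaviour (OS X 10.7+).
    [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
}

@end
```

Two design points: the trust is accepted by handing the evaluated SecTrustRef back through -credentialForTrust:, which is the only way a delegate can say "yes" to a ServerTrust challenge, and a failed evaluation cancels the challenge outright so that a hostname mismatch cannot be silently turned into a successful connection to an attacker's certificate. On current systems SecTrustEvaluate is deprecated in favour of SecTrustEvaluateWithError, which returns the same accept/reject decision plus an NSError.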