I’m working on a demo application that uses Exchange Web Services from Cocoa, Apple’s object-oriented OS framework. Cocoa is a really interesting environment, with a lot of very cool capabilities. One thing it can’t do, though, is give your application a way to examine a returned certificate that the framework thinks is bad. The certificate might appear to be bad because it’s expired or invalid, or merely because it’s self-signed (or issued by another untrusted CA). Because many Exchange servers will have self-signed certificates, the demo app won’t work on them without a way to finesse this problem. Because it’s just a demo application, I didn’t want to require the user to add the self-signed certificate to their certificate trust list, and I didn’t want to turn off certificate checking completely (if that’s even possible).
The answer, which I found here, is to override a private, unsupported, category method, allowsAnyHTTPSCertificateForHost. Just call it with the FQDN of the host whose certificate errors you want to ignore and you’re golden.
Paul's Down-Home Page 
There is a supported API for accomplishing this! Add something like this to your NSURLConnection delegate:
– (BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace {
return [protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust];
}
– (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust])
if ([trustedHosts containsObject:challenge.protectionSpace.host])
[challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust] forAuthenticationChallenge:challenge];
[challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge];
}
Coincidentally, I see that Dr. Touch has posted a similar snippet for use on the iPhone. I was looking for it, so it’s good that he came up with it. http://www.drobnik.com/touch/2009/11/ignoring-certificate-errors-on-nsurlrequest/