I’m working on a demo application that uses Exchange Web Services from Cocoa, Apple’s object-oriented OS framework. Cocoa is a really interesting environment, with a lot of very cool capabilities. One thing it can’t do, though, is give your application a way to examine a returned certificate that the framework thinks is bad. The certificate might appear to be bad because it’s expired or invalid, or merely because it’s self-signed (or issued by another untrusted CA). Because many Exchange servers will have self-signed certificates, the demo app won’t work on them without a way to finesse this problem. Because it’s just a demo application, I didn’t want to require the user to add the self-signed certificate to their certificate trust list, and I didn’t want to turn off certificate checking completely (if that’s even possible).
The answer, which I found here, is to override a private, unsupported, category method, allowsAnyHTTPSCertificateForHost. Just call it with the FQDN of the host whose certificate errors you want to ignore and you’re golden.