HOWTO make NSURLConnection ignore bad certificates

I’m working on a demo application that uses Exchange Web Services from Cocoa, Apple’s object-oriented OS framework. Cocoa is a really interesting environment, with a lot of very cool capabilities. One thing it can’t do, though, is give your application a way to examine a returned certificate that the framework thinks is bad. The certificate might appear to be bad because it’s expired or invalid, or merely because it’s self-signed (or issued by another untrusted CA). Because many Exchange servers will have self-signed certificates, the demo app won’t work on them without a way to finesse this problem. Because it’s just a demo application, I didn’t want to require the user to add the self-signed certificate to their certificate trust list, and I didn’t want to turn off certificate checking completely (if that’s even possible).

The answer, which I found here, is to override a private, unsupported, category method, allowsAnyHTTPSCertificateForHost. Just call it with the FQDN of the host whose certificate errors you want to ignore and you’re golden.

Advertisements

2 Comments

Filed under General Tech Stuff

2 responses to “HOWTO make NSURLConnection ignore bad certificates

  1. Don't use this

    There is a supported API for accomplishing this! Add something like this to your NSURLConnection delegate:
    – (BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace {
    return [protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust];
    }
    – (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust])
    if ([trustedHosts containsObject:challenge.protectionSpace.host])
    [challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust] forAuthenticationChallenge:challenge];
    [challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge];
    }

  2. Coincidentally, I see that Dr. Touch has posted a similar snippet for use on the iPhone. I was looking for it, so it’s good that he came up with it. http://www.drobnik.com/touch/2009/11/ignoring-certificate-errors-on-nsurlrequest/