I know we can use SecTrustSetAnchorCertificates() given a SecTrustRef. But with CFStreams, we can get the trust object only after the hand shake. One workaround seems to be to disable certificate chain verification on the CFStream using the kCFStreamSSLValidatesCertificateChain property and then get the peer certificates using kCFStreamPropertySSLPeerCertificates, create a trust from those certificates and evaluate the trust ourselves.
But it would be a lot cleaner if we could just tell CFStream to use an array of certs as anchor. Am I hoping for too much?
eskimo1 from Apple Devforums answered this so:
First, disable automatic trust evaluation using kCFStreamSSLValidatesCertificateChain.
Second, once the stream is up and running (I typically do this in my ‘can accept bytes’ or ‘has bytes available’ message handling), get the SecTrust object from the stream using kCFStreamPropertySSLPeerTrust and evaluate that trust for yourself. If the trust evaluation fails, tear down the stream.