I use code that does basic HTTP authentication, see below. This works fine in IOS 5. But now we changed the protocol to https and we used a fake, self signed, certificate. It also worked! This seems insecure. Does anybody know if you need to do something in this method to prevent certain certificates to be accepted?
- (void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:
(NSURLAuthenticationChallenge *)challenge {
if ([challenge previousFailureCount] <= maxRetryCount ) {
NSURLCredential *newCredential =
[NSURLCredential
credentialWithUser: userName
password:password
persistence:NSURLCredentialPersistenceForSession];
[[challenge sender]
useCredential:newCredential
forAuthenticationChallenge:challenge];
}
else
{
NSLog(@"Failure count %d",[challenge previousFailureCount]);
}
}
It looks I found the answer myself. This blocks the invalid certificates.
Still have to test if it works when logging in with a valid certificate.