Home/ Questions/Q 7594211
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-30T21:21:32+00:00

This is a question that seems to be floating around all over the place,

  • 0

This is a question that seems to be floating around all over the place, but so far I haven’t been able to find a definite answer.

I’m tasked with writing an iPhone application for my company. My company has an SSL-encrypted website with a self-signed certificate. This website is used very frequently, and my employer would like for the site to be easily accessible on an iPhone. My app’s function is to provide a method of storing the credentials used to access the site, and when the user opens the app, it automatically sends the stored credentials to the site and skips the login dialog to go straight into the site.

I’ve set up my app to use a UIWebView and load a request for the site. I’ve set up the usual authentication methods, such as:

- (BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace {...}
- (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {...}

When my app reaches the part of the code where I tell the UIWebView to load the NSURLRequest, it doesn’t encounter any of my authentication methods. It jumps straight to didFailLoadWithError and the error tells me that I’m connecting to a site that may only be pretending to be my site because it has a self-signed certificate.

How do I get around this? I’ve found a few answers involving the NSURLConnection methods, but those methods don’t appear to be called before I reach the error and am forced to stop loading the page. I’ve also found some answers involving overriding “undocumented” methods, but when I try implementing that solution my web view never reaches either “didFailLoadWithError” or “didFinishLoad” and never displays any content.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The UIWebKit delegate doesn’t forward through any of the NSURLConnection delegate methods to your app. One way to get around this would be to load the page using NSURLConnection and then push it into the UIWebView using -loadData:MIMEType:textEncodingName:baseURL:. Once you’ve done that you’ve verified the first page, which (as long as your site doesn’t have links off of it), should stay safe. So, how do we verify a self-signed certificate?

    I had to solve this with an OSX App a little earlier this year and, once I figured out what I was doing, it was pretty straightforward, assuming you have a similar setup. The solution I propose here actually verifies the server certificate (although in my case I was using a private CA, so I added the CA certificate to the trust root, instead of the server certificate, it should work just as well with that).

    You’ll need to add tests for NSURLAuthenticationMethodServerTrust to both the -connection:canAuthenticateAgainstProtectionSpace: and -connection:didReceiveAuthenticationChallenge: methods so that you can both request interest in and process the Security challenge.

    Hope this helps.

    -(BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace
{
    // ... implement any other authentication here, such as your client side certificates or user name/password

    if ([[protectionSpace authenticationMethod] isEqualToString: NSURLAuthenticationMethodServerTrust])
        return YES;
    return NO;
}

-(void)connection:(NSURLConnection *)aConnection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
    NSURLProtectionSpace *protectionSpace = challenge.protectionSpace;

            // implement your client side auth here for NSURLAuthenticationMethodHTTPDigest or basic or your client-side cert

    if ([[protectionSpace authenticationMethod] isEqualToString: NSURLAuthenticationMethodServerTrust]) {
        // install our private certificates or CAs
        NSString *myCAString = @"<string containing your CA cert>";

        SecCertificateRef certRef = SecCertificateCreateWithData ( NULL, (CFDataRef)[NSData dataFromBase64String: myCAString]);
        NSArray *anchorArray = [NSArray arrayWithObject: (NSObject*)certRef];
        SecTrustSetAnchorCertificates( challenge.protectionSpace.serverTrust, (CFArrayRef) anchorArray);

        SecTrustResultType trustResultType;
        OSStatus err=SecTrustEvaluate(challenge.protectionSpace.serverTrust, &trustResultType);

        if ((!err) && (trustResultType == kSecTrustResultProceed || trustResultType == kSecTrustResultConfirm || trustResultType == kSecTrustResultUnspecified)) {
            [challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust] forAuthenticationChallenge:challenge];
        } else {
            CFArrayRef certChain=NULL;
            CSSM_TP_APPLE_EVIDENCE_INFO *statusChain;
            SecTrustGetResult( challenge.protectionSpace.serverTrust, &trustResultType, &certChain, &statusChain);
            [challenge.sender cancelAuthenticationChallenge:challenge];
        }

    } else {
        // Cancel if we don't know what it is about... this is supposed to be secure
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}
    • 0