Ignoring certificate errors with NSURLConnection
Solution 1:
You could simply ignore the invalid certificate if you are not sending any sensitive information. This article describes how you could do that. Here is an example implementation by Alexandre Colucci for one of the methods described in that article.
Essentially you want to define a dummy interface just above the @implementation
:
@interface NSURLRequest (DummyInterface)
+ (BOOL)allowsAnyHTTPSCertificateForHost:(NSString*)host;
+ (void)setAllowsAnyHTTPSCertificate:(BOOL)allow forHost:(NSString*)host;
@end
And before you call sendSynchronousRequest
, invoke the private method you defined in the dummy interface:
[NSURLRequest setAllowsAnyHTTPSCertificate:YES forHost:[URL host]];
Solution 2:
The correct (non deprecated, non private) way using the new:
- (void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
method that apple has specified should be used for NSURLConnectionDelegates is to respond to the ServerTrust method with the credential that was provided for the protection space (this will allow you to connect:
- (void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
if([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust])
{
NSLog(@"Ignoring SSL");
SecTrustRef trust = challenge.protectionSpace.serverTrust;
NSURLCredential *cred;
cred = [NSURLCredential credentialForTrust:trust];
[challenge.sender useCredential:cred forAuthenticationChallenge:challenge];
return;
}
// Provide your regular login credential if needed...
}
This method gets called multiple times once for each available authentication method, if you don't want to login using that method use:
[challenge.sender rejectProtectionSpaceAndContinueWithChallenge:challenge];
Solution 3:
I had similar issue. Got it solved by using below code snippet :
-(void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
NSLog(@"This will execute successfully!");
if ([[challenge protectionSpace] authenticationMethod] == NSURLAuthenticationMethodServerTrust) {
[[challenge sender] useCredential:[NSURLCredential credentialForTrust:[[challenge protectionSpace] serverTrust]] forAuthenticationChallenge:challenge];
}
}
Since below methods are deprecated :
- (BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)space { ... }
- (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge { ... }
Solution 4:
You've set the delegate as self, so you can fix this by implementing part of NSURLConnectionDelegate in the class sending that request.
Implement this:
-(void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge;
By doing this:
[challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge];
Note: this is NOT a solution to use in production. Certificates exist for a reason! :)
Solution 5:
This does not answer your question of "how to ignore errors". That's being irresponsible.
Rather, it shows you how to load the CA that certifies the server so the connection can proceed as expected. Below, the CA is bundled with the app and is called ca-cert.der
. Its a DER (as opposed to PEM) encoded certificate.
Also, you might want to have a look at Apple's Technical Note TN2232 HTTPS Server Trust Evaluation. kSecTrustResultUnspecified
is success, see Technical Q&A QA1360 Describing the kSecTrustResultUnspecified error.
-(BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:
(NSURLProtectionSpace*)space
{
return [[space authenticationMethod] isEqualToString: NSURLAuthenticationMethodServerTrust];
}
- (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:
(NSURLAuthenticationChallenge *)challenge
{
if ([[[challenge protectionSpace] authenticationMethod] isEqualToString: NSURLAuthenticationMethodServerTrust])
{
do
{
SecTrustRef serverTrust = [[challenge protectionSpace] serverTrust];
NSCAssert(serverTrust != nil, @"serverTrust is nil");
if(nil == serverTrust)
break; /* failed */
NSData* caCert = [NSData dataWithContentsOfFile:@"ca-cert.der"];
NSCAssert(caCert != nil, @"caCert is nil");
if(nil == caCert)
break; /* failed */
SecCertificateRef caRef = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)caCert);
NSCAssert(caRef != nil, @"caRef is nil");
if(nil == caRef)
break; /* failed */
NSArray* caArray = [NSArray arrayWithObject:(__bridge id)(caRef)];
NSCAssert(caArray != nil, @"caArray is nil");
if(nil == caArray)
break; /* failed */
OSStatus status = SecTrustSetAnchorCertificates(serverTrust, (__bridge CFArrayRef)caArray);
NSCAssert(errSecSuccess == status, @"SecTrustSetAnchorCertificates failed");
if(!(errSecSuccess == status))
break; /* failed */
SecTrustResultType result = -1;
status = SecTrustEvaluate(serverTrust, &result);
if(!(errSecSuccess == status))
break; /* failed */
NSLog(@"Result: %d", result);
/* This test looks for a "SUCCESS" */
/* kSecTrustResultUnspecified and kSecTrustResultProceed are success */
if(result != kSecTrustResultUnspecified && result != kSecTrustResultProceed)
break; /* failed */
#if 0
/* Alternate test looks for a "NOT FAILURE" */
/* Treat kSecTrustResultConfirm and kSecTrustResultRecoverableTrustFailure as success */
/* since the user will likely tap-through to see the dancing bunnies */
if(result == kSecTrustResultDeny || result == kSecTrustResultFatalTrustFailure || result == kSecTrustResultOtherError)
break; /* failed to trust cert (good in this case) */
#endif
// The only good exit point
return [[challenge sender] useCredential: [NSURLCredential credentialForTrust: serverTrust]
forAuthenticationChallenge: challenge];
} while(0);
}
// Bad dog
return [[challenge sender] cancelAuthenticationChallenge: challenge];
}