views:

1320

answers:

2

I have an application that connects fine over http. When trying https I got the error that says that the root cert is not trusted. I found URLs for my site certificate, its CA certificate, and the CA's root certificate and have added them through Safari to the phone. Now when I go to Preferences -> General -> Profiles I can see all my certificates that go all the way up the chain. There is a red unsigned label on each certificate. Still when I connect I get the NSURLErrorServerCertificateUntrusted error. I'm trying to figure where to go next.

Any help would be great. The only other thing that may affect this, is that I am connecting to an odd port. So my url is www.domain.com:port. Does the port number create a certificate - domain name mismatch?

Now I have used the iPhone Configuration Utility to add a configuration profile to the phone. It has my root certificate, ca certificate, and site certificate. The profile on the phone says its verified. In the details I can see my three certificates. But when I try to connect, I still get the untrusted certificate error. Any suggestions?

Just trying to see if anyone else can help on this?

A: 

It does not matter what port you connect on. A different port won't cause that error. Also, you shouldn't have to install any Intermediate or Root certificates on the phone if you have a trusted certificate. You just need to make sure that the server is giving the correct Intermediate certificates out. Use http://www.sslshopper.com/ssl-checker.html to verify that it is or to see if there are any other installation problems.

Robert
I have already tried one of those services to validate your certificate. The certificate validates and is installed correctly. Its just that the root and intermediate CA aren't installed on the iPhone. Thanks for the information about port not mattering.
Brian
+1  A: 

There is a supported API for ignoring bad certificates during NSURLConnection loads. To do so, simply add something like this to your NSURLConnection delegate:

- (BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace {
  return [protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust];
}

- (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
  if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust])
    if (... user allows connection despite bad certificate ...)
      [challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust] forAuthenticationChallenge:challenge];

  [challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge];
}

Note that connection:didReceiveAuthenticationChallenge: can send its message to challenge.sender (much) later, after presenting a dialog box to the user if necessary, etc.

Gordon Henriksen