HTTPS with NSURLConnection - NSURLErrorServerCertificateUntrusted

Question

I have an application that connects fine over http. When trying https I got the error that says that the root cert is not trusted. I found URLs for my site certificate, its CA certificate, and the CA's root certificate and have added them through Safari to the phone. Now when I go to Preferences -> General -> Profiles I can see all my certificates that go all the way up the chain. There is a red unsigned label on each certificate. Still when I connect I get the NSURLErrorServerCertificateUntrusted error. I'm trying to figure where to go next.

Any help would be great. The only other thing that may affect this, is that I am connecting to an odd port. So my url is www.domain.com:port. Does the port number create a certificate - domain name mismatch?

Now I have used the iPhone Configuration Utility to add a configuration profile to the phone. It has my root certificate, ca certificate, and site certificate. The profile on the phone says its verified. In the details I can see my three certificates. But when I try to connect, I still get the untrusted certificate error. Any suggestions?

Just trying to see if anyone else can help on this?

Answer 1

It does not matter what port you connect on. A different port won't cause that error. Also, you shouldn't have to install any Intermediate or Root certificates on the phone if you have a trusted certificate. You just need to make sure that the server is giving the correct Intermediate certificates out. Use http://www.sslshopper.com/ssl-checker.html to verify that it is or to see if there are any other installation problems.

Answer 2

There is a supported API for ignoring bad certificates during NSURLConnection loads. To do so, simply add something like this to your NSURLConnection delegate:

- (BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace {
  return [protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust];
}

- (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
  if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust])
    if (... user allows connection despite bad certificate ...)
      [challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust] forAuthenticationChallenge:challenge];

  [challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge];
}

Note that connection:didReceiveAuthenticationChallenge: can send its message to challenge.sender (much) later, after presenting a dialog box to the user if necessary, etc.