Ignoring certificate errors with NSURLConnection
Solution 1
You could simply ignore the invalid certificate if you are not sending any sensitive information. This article describes how you could do that. Here is an example implementation by Alexandre Colucci for one of the methods described in that article.
Essentially you want to define a dummy interface just above the @implementation
:
@interface NSURLRequest (DummyInterface)
+ (BOOL)allowsAnyHTTPSCertificateForHost:(NSString*)host;
+ (void)setAllowsAnyHTTPSCertificate:(BOOL)allow forHost:(NSString*)host;
@end
And before you call sendSynchronousRequest
, invoke the private method you defined in the dummy interface:
[NSURLRequest setAllowsAnyHTTPSCertificate:YES forHost:[URL host]];
Solution 2
The correct (non deprecated, non private) way using the new:
- (void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
method that apple has specified should be used for NSURLConnectionDelegates is to respond to the ServerTrust method with the credential that was provided for the protection space (this will allow you to connect:
- (void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
if([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust])
{
NSLog(@"Ignoring SSL");
SecTrustRef trust = challenge.protectionSpace.serverTrust;
NSURLCredential *cred;
cred = [NSURLCredential credentialForTrust:trust];
[challenge.sender useCredential:cred forAuthenticationChallenge:challenge];
return;
}
// Provide your regular login credential if needed...
}
This method gets called multiple times once for each available authentication method, if you don't want to login using that method use:
[challenge.sender rejectProtectionSpaceAndContinueWithChallenge:challenge];
Solution 3
I had similar issue. Got it solved by using below code snippet :
-(void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
NSLog(@"This will execute successfully!");
if ([[challenge protectionSpace] authenticationMethod] == NSURLAuthenticationMethodServerTrust) {
[[challenge sender] useCredential:[NSURLCredential credentialForTrust:[[challenge protectionSpace] serverTrust]] forAuthenticationChallenge:challenge];
}
}
Since below methods are deprecated :
- (BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)space { ... }
- (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge { ... }
Solution 4
You've set the delegate as self, so you can fix this by implementing part of NSURLConnectionDelegate in the class sending that request.
Implement this:
-(void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge;
By doing this:
[challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge];
Note: this is NOT a solution to use in production. Certificates exist for a reason! :)
Solution 5
This does not answer your question of "how to ignore errors". That's being irresponsible.
Rather, it shows you how to load the CA that certifies the server so the connection can proceed as expected. Below, the CA is bundled with the app and is called ca-cert.der
. Its a DER (as opposed to PEM) encoded certificate.
Also, you might want to have a look at Apple's Technical Note TN2232 HTTPS Server Trust Evaluation. kSecTrustResultUnspecified
is success, see Technical Q&A QA1360 Describing the kSecTrustResultUnspecified error.
-(BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:
(NSURLProtectionSpace*)space
{
return [[space authenticationMethod] isEqualToString: NSURLAuthenticationMethodServerTrust];
}
- (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:
(NSURLAuthenticationChallenge *)challenge
{
if ([[[challenge protectionSpace] authenticationMethod] isEqualToString: NSURLAuthenticationMethodServerTrust])
{
do
{
SecTrustRef serverTrust = [[challenge protectionSpace] serverTrust];
NSCAssert(serverTrust != nil, @"serverTrust is nil");
if(nil == serverTrust)
break; /* failed */
NSData* caCert = [NSData dataWithContentsOfFile:@"ca-cert.der"];
NSCAssert(caCert != nil, @"caCert is nil");
if(nil == caCert)
break; /* failed */
SecCertificateRef caRef = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)caCert);
NSCAssert(caRef != nil, @"caRef is nil");
if(nil == caRef)
break; /* failed */
NSArray* caArray = [NSArray arrayWithObject:(__bridge id)(caRef)];
NSCAssert(caArray != nil, @"caArray is nil");
if(nil == caArray)
break; /* failed */
OSStatus status = SecTrustSetAnchorCertificates(serverTrust, (__bridge CFArrayRef)caArray);
NSCAssert(errSecSuccess == status, @"SecTrustSetAnchorCertificates failed");
if(!(errSecSuccess == status))
break; /* failed */
SecTrustResultType result = -1;
status = SecTrustEvaluate(serverTrust, &result);
if(!(errSecSuccess == status))
break; /* failed */
NSLog(@"Result: %d", result);
/* This test looks for a "SUCCESS" */
/* kSecTrustResultUnspecified and kSecTrustResultProceed are success */
if(result != kSecTrustResultUnspecified && result != kSecTrustResultProceed)
break; /* failed */
#if 0
/* Alternate test looks for a "NOT FAILURE" */
/* Treat kSecTrustResultConfirm and kSecTrustResultRecoverableTrustFailure as success */
/* since the user will likely tap-through to see the dancing bunnies */
if(result == kSecTrustResultDeny || result == kSecTrustResultFatalTrustFailure || result == kSecTrustResultOtherError)
break; /* failed to trust cert (good in this case) */
#endif
// The only good exit point
return [[challenge sender] useCredential: [NSURLCredential credentialForTrust: serverTrust]
forAuthenticationChallenge: challenge];
} while(0);
}
// Bad dog
return [[challenge sender] cancelAuthenticationChallenge: challenge];
}
Ideveloper
Updated on July 09, 2022Comments
-
Ideveloper almost 2 years
I am getting this error
The certificate for this server is invalid. You might be connecting to a server that is pretending to be "server addres goes here" which could put your confidential information at risk."
I am using this method:
[NSURLConnection sendSynchronousRequest:request returningResponse:&response error:&error];
How can I fix this?
I tried this code:
NSURLConnection *connection = [[NSURLConnection alloc] initWithRequest:request delegate:self];
but then I get EXC_BAD_ACCESS in the didReceiveResponse method.
-
Ideveloper over 13 yearsThis link uses private api and by using that can my app get rejected by apple? If so then I cant use it because I have to put my app on appstore. Any other way to do it?
-
William Niu over 13 yearsI think this post precisely answered your question: stackoverflow.com/questions/933331/…
-
Ideveloper over 13 yearsNo thats not working didRecieveResponse is getting called first before canAuthenticateAgainstProtectionSpace method and its crashing in didRecieveResponse method.
-
Jayprakash Dubey over 9 yearsThis has been state in apple documentation. Check this : developer.apple.com/library/ios/technotes/tn2232/_index.html Introduction section
-
aroth over 9 yearsGood answer, works perfectly with
sendSynchronousRequest:
. Obviously should only be used when testing/debugging (and obviously any production server should have proper SSL certs to begin with), which is easily enough accomplished using a couple#ifdef DEBUG
blocks. -
jww about 9 years"You could simply ignore the invalid certificate if you are not sending any sensitive information" - I think this is bad advice. Why use SSL at all? Or why not use an anonymous protocol, like ADH? With anonymous protocols, you still get the benefit of encryption without the server authentication. In the case of ADH, the server does not even send a certificate in its
ServerHello
. -
jww about 9 yearsThis is good, but it does not handle a CA that's not preloaded or added to the store by the user. But using the preloaded CA list is dangerous since any CA in the CA Zoo can claim to certify the site (even the wrong ones, like those who issue certificates for interception). I think its better to specify the CA that is supposed to certify the site so bad CAs cannot break the channel.
-
jk7 over 5 yearsGood references and example. Here's the newer documentation which describes using the newer URLSessionDelegate methods.
-
Falaen almost 3 yearsI can't get it to work. Is this method deprecated as of 2021?