invalidate the HTTPS certificate

What happens when you try to connect to an HTTPS webserver which has an invalid SSL certificate? For example when the hostname of the website is not the same as the one in the SSL certificate.

With a browser (Safari or Firefox), you get an alert like the following:

If you try to connect to this webserver using NSURLConnection (Cocoa) or CFReadStream (Carbon), you get an error. In Cocoa, NSURLConnection fails with an error -1202 (NSURLErrorServerCertificateUntrusted). In Carbon, CFReadStreamRead returns -1, which means no data have been received.

The right way to fix this issue, is of course to create a new SSL certificate with the right hostname inside. But sometimes, it’s not your webserver and you don’t really care if the certificate is valid or not because you don’t send sensitive data. In that case, there is an easy way to just ignore the certificate.

With Carbon

If you are developing with Carbon, you can set some properties to the CFReadStream. To ignore the SSL certificate, you can simply set the property kCFStreamSSLValidatesCertificateChain of the CFReadStream to false. The following sample do a POST request

 

code：

//

// Created by Alexandre Colucci on 23/07/2008.

// Copyright 2008 Alexandre Colucci. All rights reserved.

 

int main(int argc, char * argv[])

{

// The URL of the Webserver

CFURLRef myWebserverURLRef = CFURLCreateWithString (kCFAllocatorDefault , CFSTR ("https://myWebserver.com/" ), NULL );

if (myWebserverURLRef != NULL )

{

// Create the HTTP message

CFHTTPMessageRef theMessageRef = CFHTTPMessageCreateRequest ( kCFAllocatorDefault, CFSTR ( "POST" ), myWebserverURLRef, kCFHTTPVersion1_1);

if (theMessageRef != NULL )

{

// Set useful headers

CFHTTPMessageSetHeaderFieldValue(theMessageRef, CFSTR ( "Accept" ), CFSTR ( "text/xml" ));

CFHTTPMessageSetHeaderFieldValue(theMessageRef, CFSTR ( "Content-type" ), CFSTR ( "application/xml" ));

// The body

char *theDataString = "<?xml version=/"1.0/" encoding=/"UTF-8/"?><something></something>";

CFDataRef dataRef = CFDataCreate (kCFAllocatorDefault , (const UInt8 *)theDataString, strlen (theDataString));

CFHTTPMessageSetBody (theMessageRef, dataRef);

// Create the CFReadStreamRef

CFReadStreamRef streamRef = CFReadStreamCreateForHTTPRequest (kCFAllocatorDefault , theMessageRef);

if (streamRef != NULL )

{

// We don't want to validate the HTTPS certificate.

CFMutableDictionaryRef securityDictRef = CFDictionaryCreateMutable ( kCFAllocatorDefault, 0 , & kCFTypeDictionaryKeyCallBacks, & kCFTypeDictionaryValueCallBacks);

if (securityDictRef != NULL )

{

CFDictionarySetValue (securityDictRef, kCFStreamSSLValidatesCertificateChain, kCFBooleanFalse);

CFReadStreamSetProperty (streamRef, kCFStreamPropertySSLSettings , securityDictRef);

CFRelease (securityDictRef);

}

// Open the stream

CFReadStreamOpen (streamRef);

// Read the data

CFIndex theBufferLength = 1024 ;

UInt8 theBuffer[1024 ];

CFIndex theBytesRead = 0 ;

CFMutableStringRef theMutableStringRef = CFStringCreateMutable ( kCFAllocatorDefault, 0 );

do

{

theBytesRead = CFReadStreamRead (streamRef, theBuffer, theBufferLength);

if (theBufferLength > 0 )

CFStringAppendCString (theMutableStringRef, (const char *)theBuffer, kCFStringEncodingASCII );

}

while (theBytesRead > 0 );

if (theBytesRead < 0 )

fprintf ( stderr , "Host is down?/n");

else

{

fprintf ( stderr , "didReceiveData: /n");

CFShow (theMutableStringRef);

}

CFRelease (theMutableStringRef);

CFRelease (streamRef);

}

CFRelease (dataRef);

CFRelease (theMessageRef);

}

CFRelease (myWebserverURLRef);

}

return 0 ;

}

//

With Cocoa

NSURLRequest has a private method called setAllowsAnyHTTPSCertificate:forHost: which simply ignores the certificate.

The following sample do the same POST request as the Carbon version: 

 

code:

//

@interface NSURLRequest (DummyInterface)

+ (BOOL )allowsAnyHTTPSCertificateForHost:(NSString *)host;

+ (void )setAllowsAnyHTTPSCertificate:(BOOL )allow forHost:(NSString *)host;

@end

 

@implementation MainController

 

-(IBAction )doSomething:(id )sender

{

// The URL of the Webserver

NSURL *myWebserverURL = [ NSURL URLWithString : @"https://myWebserver.com/"];

// Create the request

NSMutableURLRequest *theRequest = [ NSMutableURLRequest requestWithURL:myWebserverURL cachePolicy: NSURLRequestReloadIgnoringCacheData timeoutInterval: 60.0 ];

// Set the HTTP method.

[theRequest setHTTPMethod :@"POST" ];

// Set useful headers

[theRequest setValue: @"text/xml" forHTTPHeaderField: @"Accept" ];

[theRequest setValue : @"application/xml" forHTTPHeaderField : @"Content-type"];

// The body

NSString *theDataString = @"<?xml version=/"1.0/" encoding=/"UTF-8/"?><something></something>";

NSData *theData = [theDataString dataUsingEncoding: NSUTF8StringEncoding];

[theRequest setHTTPBody :theData];

// Use the private method setAllowsAnyHTTPSCertificate:forHost:

// to not validate the HTTPS certificate.

[ NSURLRequest setAllowsAnyHTTPSCertificate: YES forHost:[myWebserverURL host ]];

// Create the NSURLConnection and init the request.

[[ NSURLConnection alloc] initWithRequest:theRequest delegate: self ];

}

//