By adding to the kCFStreamPropertySSLSettings dictionary the usual kCFStreamSSLValidatesCertificateChain, kCFStreamSSLAllowsAnyRoot, etc., I can make server & client authentication work.
However I fail to see how I can get this more fine grained; i.e.
I.e. what I am looking for is 1) something like the SSLSetTrustedRoots() on MacOSX and 2) something like the error/domain callbacks in kCFStreamErrorDomainSSL (e.g. errSSLPeerCertUnknown) - none of which seems defined/accessible on the iPad/iPhone 4.2.1.
Or am I missing something? Or do I need to do something explicit on the callback? Examples appreciated (the AdvancedURLConnections example is not quite applicable - I have a raw (IRC) socket).
Thanks,
Dw.
Set kCFStreamSSLValidatesCertificateChain to kCFBooleanFalse and manually verify the cert with the APIs.
Specifically, use
SecTrustCreateWithCertificates
with the certificates you get from
CFReadStreamCopyProperty(readStream, kCFStreamPropertySSLPeerCertificates);
Then, you can use
SecTrustSetAnchorCertificates
and finally call
SecTrustEvaluate
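
The steps from the answer above, put together as an added example (not code from the original posts). `PeerIsTrusted`, `pinnedRoots` and `host` are hypothetical names; the SSL policy with a host name is an assumption added here so that the manual evaluation also checks the host name once the stream's own chain validation is switched off.

```objective-c
#import <Foundation/Foundation.h>
#import <CFNetwork/CFNetwork.h>
#import <Security/Security.h>

// Hypothetical helper (not from the original posts).
// pinnedRoots: CFArray of SecCertificateRef for the only roots to accept.
// host:        server name the leaf certificate must match.
// Call it from the stream callback once the handshake has completed and
// before sending or acting on any application data (e.g. IRC commands).
static BOOL PeerIsTrusted(CFReadStreamRef readStream,
                          CFArrayRef pinnedRoots,
                          CFStringRef host)
{
    BOOL trusted = NO;
    SecPolicyRef policy = NULL;
    SecTrustRef trust = NULL;
    SecTrustResultType result = kSecTrustResultInvalid;

    // Chain presented by the peer during the handshake.
    CFArrayRef peerCerts = (CFArrayRef)CFReadStreamCopyProperty(
        readStream, kCFStreamPropertySSLPeerCertificates);
    if (peerCerts == NULL || CFArrayGetCount(peerCerts) == 0) goto done;

    // SSL server policy; passing the host name enables the name check.
    policy = SecPolicyCreateSSL(true, host);
    if (policy == NULL) goto done;

    if (SecTrustCreateWithCertificates(peerCerts, policy, &trust) != errSecSuccess)
        goto done;

    // Restrict the anchors to our own roots; after this call the
    // system's built-in roots are no longer used for this evaluation.
    if (SecTrustSetAnchorCertificates(trust, pinnedRoots) != errSecSuccess)
        goto done;

    if (SecTrustEvaluate(trust, &result) != errSecSuccess) goto done;

    // Unspecified = chain is valid and the user set no explicit override.
    // Proceed     = chain is valid and explicitly trusted.
    // Anything else (deny, recoverable/fatal failure) is rejected.
    trusted = (result == kSecTrustResultUnspecified ||
               result == kSecTrustResultProceed);

done:
    if (trust) CFRelease(trust);
    if (policy) CFRelease(policy);
    if (peerCerts) CFRelease(peerCerts);
    return trusted;
}
```

If this returns NO, close both streams without writing to them; the `SecTrustResultType` value is the finer-grained outcome the question asks about.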