SSL Socket connection iOS

Asked 7/10, 2013 at 18:43 Answered 22/2, 2016 at 18:2

Solved ios sockets ssl certificate-authority root-certificate

I am trying to setup a secure connection to a java run SSLServerSocket.

I have created my own root CA, and have signed the certificate that the Java SSLServerSocket using this certificate.

I want to add this root certificate to my app so that any certificate signed by the root certificate will work.

So far I have the secure connection working fine by setting the read and write stream properties to this:

NSDictionary *settings = [[NSDictionary alloc] initWithObjectsAndKeys:
(id)kCFStreamSocketSecurityLevelNegotiatedSSL, kCFStreamPropertySocketSecurityLevel,
[NSNumber numberWithBool:YES], kCFStreamSSLAllowsExpiredCertificates,
[NSNumber numberWithBool:YES], kCFStreamSSLAllowsExpiredRoots,
[NSNumber numberWithBool:NO], kCFStreamSSLValidatesCertificateChain,nil];

I add the certificate to the keychain like this:

-(void)addRootCert{
NSString* rootCertPath = [[NSBundle mainBundle] pathForResource:@"rootCA" ofType:@"der"];
NSData* rootCertData = [NSData dataWithContentsOfFile:rootCertPath];

OSStatus err = noErr;
SecCertificateRef rootCert = SecCertificateCreateWithData(kCFAllocatorDefault, (__bridge CFDataRef)rootCertData);
NSDictionary* dict = [NSDictionary dictionaryWithObjectsAndKeys:(__bridge_transfer id)kSecClassCertificate, kSecClass, rootCert, kSecValueRef, nil];

err = SecItemAdd((__bridge CFDictionaryRef) dict, NULL);
if (err == noErr) {
    NSLog(@"Sucessfully added root certificate");
}else if (err == errSecDuplicateItem){
    NSLog(@"Root certificate already exists");
}else{
    NSLog(@"Root certificate add failed");
}
}

This is fine but I want to validate the certificate chain, so that my app only accepts certificates signed by my CA (or the default trusted ones)

How can I do this?

If I set kCFStreamSSLValidatesCertificateChain to yes, I get the error: CFNetwork SSLHandshake failed (-9807) but if it's no, it doesn't matter who signed the server certificate, it will connect regardless (I assume that's right?)

Thanks!

Grained answered 7/10, 2013 at 18:43 Comment(0)

Technote 2232, "HTTPS Server Trust Evaluation", should have all the answers you need. There is documentation and several examples of how to evaluate server trust.

Heaveho answered 18/10, 2013 at 4:36 Comment(3)

Thanks for this link, following what it says about using SecTrustSetAnchorCertificates I want to add my root ca to this, but I do not have a SecTrustRef, how do I make one? All the examples I've seen are using NSURLConnection delegate methods, but I'm using sockets.. – Grained 18/10, 2013 at 10:2

This is probably what you are looking for: developer.apple.com/library/mac/documentation/… – Heaveho 21/10, 2013 at 23:8

Thank you, that last link was perfect! – Grained 29/10, 2013 at 22:2

I had this same problem, and while adding the certificate manually does fix the issue, that also means having to update the app every time the certificate on the server changes (such as when it expires, which, in my case, was going to happen in a matter of days).

If you're using an IP address to connect to the socket, and the certificate is for the FQDN (fully qualified domain name, i.e. subdomain.example.com), then when the operating system checks the certificate, it is going to look at the IP address you're connecting to, compare it to the name in the certificate, and think the two are different, causing the chain to fail validation.

So for anyone else who runs into this problem, I recommend using the FQDN in the second parameter to CFStreamCreatePairWithSocketToHost rather than the IP address. After that, it should work without having to include the certificate in the bundle and manually validate.

Suzannesuzerain answered 22/2, 2016 at 18:2 Comment(0)

Recommended topics

Hot tags