Hello
We use REST API communication for client-server communication assuming a local network connection.
Verification of international SSL server certificates for https communication is necessary when accessing public external servers. If you are using it to connect on a local network, you can skip the SSL server certificate verification process. Is this usage contrary to Apple's policy? If you do make a prediction, is there any other way other than "verifying" it?
[reference]
1 Client side terminal (Windows, Mac, iOS, Android)
2 Server-side equipment (image creation equipment such as network-connectable MFPs and printers)
1 and 2 are connected in the same local network and exchange data using REST API communication.
[Actual processing]
- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition,
                             NSURLCredential *credential))completionHandler {
    if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        // Get the trust object for the server
        SecTrustRef serverTrust = challenge.protectionSpace.serverTrust;
        // Evaluate the trust; the result is not checked
        SecTrustResultType result;
        SecTrustEvaluate(serverTrust, &result);
        // Accept the server certificate whatever the result was
        NSURLCredential *credential = [NSURLCredential credentialForTrust:serverTrust];
        completionHandler(NSURLSessionAuthChallengeUseCredential, credential);
    } else {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
    }
}
> If you are using it to connect on a local network, you can skip the SSL server certificate verification process.
Only if you trust all the equipment attached to that local network. Personally, I do not. Imagine, for example, a user running your software while on the Wi-Fi network in their local coffee shop!
It sounds like you’re building a hardware accessory. If so, there are ways to improve the security of your TLS connections. I have some suggestions in TLS For Accessory Developers.
Oh, and I have a bunch more info in the posts referenced by Extra-ordinary Networking.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
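One alternative to accepting every certificate, shown as an added example that is not from either poster or from the articles referenced above: trust only a certificate the app already holds for the accessory and reject everything else. The class name, the initializer, and the way the DER certificate reaches the app (for instance during device setup) are assumptions; the code is written for ARC.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical delegate: trusts only the anchor certificate handed to it.
@interface AccessorySessionDelegate : NSObject <NSURLSessionDelegate>
- (instancetype)initWithAnchorDER:(NSData *)der;
@end

@implementation AccessorySessionDelegate {
    SecCertificateRef _anchor;   // Core Foundation object, released in dealloc
}

- (instancetype)initWithAnchorDER:(NSData *)der {
    if ((self = [super init])) {
        // Returns NULL if the data is not a valid DER-encoded certificate
        _anchor = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)der);
        if (_anchor == NULL) { return nil; }
    }
    return self;
}

- (void)dealloc { if (_anchor) { CFRelease(_anchor); } }

- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }
    SecTrustRef trust = space.serverTrust;
    // Replace the system roots with the single known anchor.
    // Assumption: the accessory's certificate names the host the client connects to,
    // because the trust object keeps its TLS host name policy.
    NSArray *anchors = @[ (__bridge id)_anchor ];
    OSStatus status = SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors);
    if (status == errSecSuccess) { status = SecTrustSetAnchorCertificatesOnly(trust, true); }
    CFErrorRef error = NULL;
    if (status == errSecSuccess && SecTrustEvaluateWithError(trust, &error)) {
        completionHandler(NSURLSessionAuthChallengeUseCredential,
                          [NSURLCredential credentialForTrust:trust]);
    } else {
        // Evaluation failed: cancel instead of proceeding with an unverified server
        if (error) { CFRelease(error); }
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
    }
}
@end
```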