2 Replies
      Latest reply: Dec 7, 2016 4:56 PM by Pixel RSS
      Pixel Level 1 Level 1 (0 points)

        How do I accept a CA ROOT signed certificate during a HTTPS connection (not self signed, I mean trusted certificate authority stored by Apple on the device) ?

         

        Is it done by default ? (don't need to implements NSURLSessionDelegate methods eg : didReceiveChallenge...)

         

        Or validation has to be done manually  :

        - on didReceiveChallenge with SecTrustEvaluate (the ROOT certificate has to be find vith SecTrustCopyCustomAnchorCertificates) ? ;

        - on didReceiveChallenge with SecTrustEvaluate (a copy of the ROOT certificate is stored on the app bundle) ?

         

        Thanks !

        • Re: NSURLSession - HTTPS
          eskimo Apple Staff Apple Staff (6,665 points)

          How do I accept a CA ROOT signed certificate during a HTTPS connection (not self signed, I mean trusted certificate authority stored by Apple on the device) ?

          By default two things happen:

          • NSURLSession implements standard (RFC 2818 style) server trust evaluation.

          • App Transport Security (ATS) does its own enhanced security checks (see the doc links in my App Transport Security pinned post)

          Both trust the root certificates baked into the system (see List of available trusted root certificates in iOS 10) and any installed by the user (typically via a configuration profile).

          How do I accept a CA ROOT signed certificate during a HTTPS connection (not self signed, I mean trusted certificate authority stored by Apple on the device) ?

          I’m not sure I understand your question here, but I think that you’re asking how you can get NSURLSession to trust your own custom CA.  There’s two approaches you can use:

          • If you’re deploying to an enterprise environment, you should install your enterprise’s CA on the device.  Both NSURLSession and ATS will automatically pick it up and trust any certificates it has issued.

            Note This approach alse makes sense if you plan to use a CA-issued certificate in product but you want to test with a custom CA for testing.

          • If you’re deploying to normal users via the App Store, you have to:

            1. Disable ATS for your server

            2. Override NSURLSession’s server trust evaluation, as described in Technote 2232 HTTPS Server Trust Evaluation

            I generally recommend you avoid this because step 1 will complicate your App Review (again, see the links in my ATS pinned post).

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"