Ignoring a SSL certificate when using a webserver

Posted: July 23rd, 2008 | Author: | Filed under: Webserver | Tags: , , , , , , , | 4 Comments »

What happens when you try to connect to an HTTPS webserver which has an invalid SSL certificate? For example when the hostname of the website is not the same as the one in the SSL certificate.

With a browser (Safari or Firefox), you get an alert like the following:

If you try to connect to this webserver using NSURLConnection (Cocoa) or CFReadStream (Carbon), you get an error. In Cocoa, NSURLConnection fails with an error -1202 (NSURLErrorServerCertificateUntrusted). In Carbon, CFReadStreamRead returns -1, which means no data have been received.

The right way to fix this issue, is of course to create a new SSL certificate with the right hostname inside. But sometimes, it’s not your webserver and you don’t really care if the certificate is valid or not because you don’t send sensitive data. In that case, there is an easy way to just ignore the certificate.

With Carbon

If you are developing with Carbon, you can set some properties to the CFReadStream. To ignore the SSL certificate, you can simply set the property kCFStreamSSLValidatesCertificateChain of the CFReadStream to false. The following sample do a POST request: carbonSample

With Cocoa

NSURLRequest has a private method called setAllowsAnyHTTPSCertificate:forHost: which simply ignores the certificate.

The following sample do the same POST request as the Carbon version: cocoaSample

 

[Update]: As Uli Kusterer told me, you can have the same behavior as Safari. You can first try to connect to the HTTPS website without ignoring the certificate. If the certificate is invalid, you can present an alert like Safari to ask the user if he wants to ignore the certificate.