What happens when you try to connect to an HTTPS webserver which has an invalid SSL certificate? For example when the hostname of the website is not the same as the one in the SSL certificate.

With a browser (Safari or Firefox), you get an alert like the following:

Warning with Safari

If you try to connect to this webserver using NSURLConnection (Cocoa) or CFReadStream (Carbon), you get an error. In Cocoa, NSURLConnection fails with an error -1202 (NSURLErrorServerCertificateUntrusted). In Carbon, CFReadStreamRead returns -1, which means no data have been received.

The right way to fix this issue, is of course to create a new SSL certificate with the right hostname inside. But sometimes, it’s not your webserver and you don’t really care if the certificate is valid or not because you don’t send sensitive data. In that case, there is an easy way to just ignore the certificate.

With Carbon

If you are developing with Carbon, you can set some properties to the CFReadStream. To ignore the SSL certificate, you can simply set the property kCFStreamSSLValidatesCertificateChain of the CFReadStream to false. The following sample do a POST request:

// Created by Alexandre Colucci on 23/07/2008.
// Copyright 2008 Alexandre Colucci. All rights reserved.

int main(int argc, char* argv[])
	// The URL of the Webserver
	CFURLRef myWebserverURLRef = CFURLCreateWithString(kCFAllocatorDefault, CFSTR("https://myWebserver.com/"), NULL);
	if(myWebserverURLRef != NULL)
		// Create the HTTP message
		CFHTTPMessageRef theMessageRef = CFHTTPMessageCreateRequest(kCFAllocatorDefault, CFSTR("POST"), myWebserverURLRef, kCFHTTPVersion1_1);
		if(theMessageRef != NULL)
			// Set useful headers
			CFHTTPMessageSetHeaderFieldValue(theMessageRef, CFSTR("Accept"), CFSTR("text/xml"));
			CFHTTPMessageSetHeaderFieldValue(theMessageRef, CFSTR("Content-type"), CFSTR("application/xml"));
			// The body
			char *theDataString = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><something></something>";
			CFDataRef dataRef = CFDataCreate(kCFAllocatorDefault, (const UInt8*)theDataString, strlen(theDataString));
			CFHTTPMessageSetBody(theMessageRef, dataRef);
			// Create the CFReadStreamRef
			CFReadStreamRef streamRef = CFReadStreamCreateForHTTPRequest(kCFAllocatorDefault, theMessageRef);
			if(streamRef != NULL)
				// We don't want to validate the HTTPS certificate.
				CFMutableDictionaryRef securityDictRef = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
				if(securityDictRef != NULL)
					CFDictionarySetValue(securityDictRef, kCFStreamSSLValidatesCertificateChain, kCFBooleanFalse);
					CFReadStreamSetProperty(streamRef, kCFStreamPropertySSLSettings, securityDictRef);
				// Open the stream
				// Read the data
				CFIndex theBufferLength = 1024;
				UInt8 theBuffer[1024];
				CFIndex theBytesRead = 0;
				CFMutableStringRef theMutableStringRef = CFStringCreateMutable( kCFAllocatorDefault, 0 );
					theBytesRead = CFReadStreamRead(streamRef, theBuffer, theBufferLength);
					if(theBufferLength > 0)
						CFStringAppendCString(theMutableStringRef, (const char*)theBuffer, kCFStringEncodingASCII);
				while(theBytesRead > 0);
				if(theBytesRead < 0)
					fprintf(stderr, "Host is down?\n");
					fprintf(stderr, "didReceiveData: \n");

	return 0;

With Cocoa

NSURLRequest has a private method called setAllowsAnyHTTPSCertificate:forHost: which simply ignores the certificate.

The following sample do the same POST request as the Carbon version:

// Created by Alexandre Colucci on 23/07/2008.
// Copyright 2008 Alexandre Colucci. All rights reserved.

// Dummy interface to avoid a warning.
@interface NSURLRequest (DummyInterface)
+ (BOOL)allowsAnyHTTPSCertificateForHost:(NSString*)host;
+ (void)setAllowsAnyHTTPSCertificate:(BOOL)allow forHost:(NSString*)host;

@implementation MainController

	// The URL of the Webserver
	NSURL *myWebserverURL = [NSURL URLWithString:@"https://myWebserver.com/"];
	// Create the request
	NSMutableURLRequest *theRequest = [NSMutableURLRequest requestWithURL:myWebserverURL cachePolicy:NSURLRequestReloadIgnoringCacheData timeoutInterval:60.0];
	// Set the HTTP method.
	[theRequest setHTTPMethod:@"POST"];
	// Set useful headers
	[theRequest setValue:@"text/xml" forHTTPHeaderField:@"Accept"];
	[theRequest setValue:@"application/xml" forHTTPHeaderField:@"Content-type"];
	// The body
	NSString *theDataString = @"<?xml version=\"1.0\" encoding=\"UTF-8\"?><something></something>";
	NSData *theData = [theDataString dataUsingEncoding:NSUTF8StringEncoding];
	[theRequest setHTTPBody:theData];
	// Use the private method setAllowsAnyHTTPSCertificate:forHost:
	// to not validate the HTTPS certificate.
	[NSURLRequest setAllowsAnyHTTPSCertificate:YES forHost:[myWebserverURL host]];
	// Create the NSURLConnection and init the request.
	[[NSURLConnection alloc] initWithRequest:theRequest delegate:self];

[Update]: As Uli Kusterer told me, you can have the same behavior as Safari. You can first try to connect to the HTTPS website without ignoring the certificate. If the certificate is invalid, you can present an alert like Safari to ask the user if he wants to ignore the certificate.