The self-signed certificate of https is used in my project. The following methods will be triggered during the request.
- (void)URLSession:(NSURLSession *)session didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential * _Nullable))completionHandler
How do I get valid information about the certificate fromNSURLAuthenticationChallenge, at least I need to get the domain name in the certificate.
First of all, the client does not store any local certificates; in the process I found that the challenge.protectionSpace.host gets the requested host instead of the domain name in the certificate.
Hope to get an answer. Thank you!
Related
I am new to web development and currently I am developing an Rest API which is to be consumed by an IOS app. So I developed the API and also implemented jwt token with oauth2 security in it.Now I want to provide the API to be consumed by the mobile app.So my backend server has SSL certificate. So the consumed Rest API will be something like
https://server:port/dataapiurl
So far I have read about SSL and JWT and i already they are for different reasons where
SSL is used for encrypted channel between client server communication and
JWT is used for Authorization.
So there will be no point if even I implement JWT and the communication is not in SSL.So to make sure the communication is done between client and server what have to be done on the client (mobile app) side?
1.Does the mobile app need to install a new certificate Or the SSL certificate of our backend server?
2.If it is our backend server's SSL certificate then how to install it in the mobile app ?
Any Help is appreciated.
You you can but haven't to set your ssl cert on the client.
You can just conform to the NSURLSessionDelegate protocol and implement this :
- (void)URLSession:(NSURLSession *)session didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler{
if([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]){
NSArray* netTrusts = #["your hostname here"];
if(netTrusts != nil && [netTrusts containsObject:challenge.protectionSpace.host]){
NSURLCredential *credential = [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust];
completionHandler(NSURLSessionAuthChallengeUseCredential,credential);
}
}
}
Inside the delegate
- (void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
After getting Server Challenge, i am able to extract X.509 Certificate using following code:
SecTrustRef serverTrust = challenge.protectionSpace.serverTrust;
SecCertificateRef certificate = SecTrustGetCertificateAtIndex(serverTrust, 0);
Now I Need to get the expire date from this SecCertificateRef.
And also want to check whether the certificate is having valid domain name.
I have gone through apple docs and googled for long time, some suggested to use SLL library to get these details. In project no Third party libraries are permitted. Is any way to get these details without third party libs?
Can anybody help me to know how https request are processing using NSRULConnection? I had gone through lot of tutorials and Apple documentation. But I am not able to understand how it is working. I have implemented the following delegates to process an https request.
- (BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace
{
return [protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust];
}
- (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
[challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust] forAuthenticationChallenge:challenge];
}
When I implemented the above delegate, I got response from the server successfully. Can anyone help me to know how this is working. Also what are each parameters in the delegate and what it is doing?
Thanks in advance.
Think of the protectionSpace as the server. The delegate method connection: canAuthenticateAgainstProtectionSpace is used to ask you if you can handle the authentication requirements of the server. In your case, you say "if we're talking about the SSL certificate (that's what NSURLAuthenticationMethodServerTrust usually means), yes, I can handle that".
The connection then asks you to do just that with connection:didReceiveAuthenticationChallenge and provide a NSURLCredential for this specific server. With credentialForTrust: you create the credential by using the information stored in your keychain for the certificate of this server. With useCredential:forAuthenticationChallenge: you finally tell the connection to answer the challenge with this credential, i.e. use the keychain data to validate the certificate.
This example will help you How To Use iOS NSURLConnection By Example
Now, I'm planing to send a NSURLRequest to the server with a local certificate for server to validate. But I check the function in NSURLRequest, I cannot find a way to include the certificate. Does anyone know how to include a certificate in a NSUrlRequest? Or must I use a open source function, like ASIHttpRequest.
Try to give a look to this quite good tutorial
Authenticating an HTTP Request with Client Certificates in iOS
It explains how to use the NSURLConnectionDelegate method
- (void)connection:(NSURLConnection *)connection
didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
In order to provide the certificate.
Let me know if that helped.
UPDATE
In case support just for iOS >= 5.0 is provided, it's better to adopt the new non deprecated method
connection:willSendRequestForAuthenticationChallenge
I have a client (on iOS) that connects to a server using a hard-coded https url.
When a connection is established the server may indicate that for future connections a different machine name and/or port should be used. In addition the server can specify url location suffixes to fetch data from.
i.e. the following URL might be hardcoded in the client:
https://machineName.address.port/url-suffix
and after a connection is established the sever could inform it to use machineName2 and portX and url-suffix /someLocation/somewhere, so the next time the client connects it will use the url
https://machineName2.address.portX/someLocation/somewhere.
The address part or the url cannot change.
At the moment the client has the following for the connection authentication challenge, i.e. it'll connect to anything:
- (void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
SecTrustRef trust = challenge.protectionSpace.serverTrust;
NSURLCredential *cred;
cred = [NSURLCredential credentialForTrust:trust];
[challenge.sender useCredential:cred forAuthenticationChallenge:challenge];
}
At the moment this app isn't doing anything that requires heavy security - there's no bank info being accessed, the user doesn't log onto anything, no user info is being transmitted. The client is just downloading data from the server onto the device.
Without adding certificate checking on the client side could a spoof server send porn to the device or something, or is the fact a https connection is made and the url address is hardcoded sufficient?
HTTPS provides data encryption and authentication, but your certificate should be signed by a certificate authority. Accessing a hardcoded URL is not a security flaw—that's how webservices/APIs work. However, without proper certificate setup someone could potentially impersonate your server. Just using SSL/TLS is not enough.