
By default, example.com resolves to 123.123.123.123,

but I want it to be resolved to 100.100.100.100.

For HTTP, I can simply change the URL to http://100.100.100.100 with a header "Host: example.com".

But it's not working for HTTPS (Error: SSL certificate problem: Invalid certificate chain).

My question is not why, and I do not want to skip the certificate validation.

How can I get the same effect in Objective-C as curl's --resolve option:

--resolve <host:port:address>
          Provide a custom address for a specific host and port pair. Using this, you can make the curl request(s)
          use a specified address and prevent the otherwise normally resolved address from being used. Consider it a sort
          of /etc/hosts alternative provided on the command line. The port number should be the number used for the
          specific protocol the host will be used for. It means you need several entries if you want to provide
          an address for the same host but different ports.

In other words, how do I make a custom DNS query for HTTPS requests in Objective-C?

freestyler
  • What you are trying to do seems the wrong way round to me. If you know the IP addresses you want to use and they are real, then the devices running with those IPs also have names. Let's assume 192.168.0.1 is one.example.com and 192.168.0.2 is two.example.com. Then rather than try to circumvent the name resolution IP mappings, add mappings in your code for domain example.com to the real device name you want to use in your test. Or have a variable somewhere which knows which to use: one.example.com or two.example.com. From the question you must have a plan to have code switch it to .0.2 anyway? – Rory McKinnel Aug 24 '15 at 10:55
  • @RoryMcKinnel One possible use case is bypassing the DNS pollution caused by ISPs. – freestyler Aug 24 '15 at 12:12
  • Not sure what DNS pollution is? Do you mean residential ISP IP addresses being changed all the time so you cannot look them up? If so, that is what static ISP IPs are for, or Dynamic DNS for people with dynamic IPs wanting a fixed DNS lookup name. Either way, if overriding is what you need, then to me you need your own mappings, as you are implying you know the mapping you want to use rather than the DNS system's? So you want a function `createURLFromDNSNameUsingMyDNSOverrides` or the like. – Rory McKinnel Aug 24 '15 at 13:05
  • Might be worth you rewriting the question to provide detail on the problem you really want to solve, as you seem to be mentioning issues now on a more global front than the private network example you have. – Rory McKinnel Aug 24 '15 at 13:08
  • @RoryMcKinnel For example, server.com's correct IP is 123.123.123.123, but some end users may get the wrong DNS result; in this case, they cannot connect to server.com because of the wrong IP. Yes, I know the mapping. The DNS is wrong sometimes. https://en.wikipedia.org/wiki/DNS_spoofing https://en.greatfire.org/faq/what-does-dns-poisoning-mean – freestyler Aug 24 '15 at 13:55

2 Answers


When you are using HTTPS, the address that you use in your request and the address given to you by the certificate returned by the server must agree.

If you send a request to https://100.100.100.100 then the server must return a certificate for 100.100.100.100. Even if you connected successfully to https://www.xyz.com, and www.xyz.com resolved to 100.100.100.100, connecting to https://100.100.100.100 isn't going to work, cannot work, and absolutely must not work, because the server will return a certificate for www.xyz.com and not for 100.100.100.100.

gnasher729
  • Thanks, but my question is not about why. – freestyler Aug 31 '15 at 14:42
  • It should tell you that whatever you try, it isn't going to work. You are asking "How", and the answer is "No way". – gnasher729 Aug 31 '15 at 15:43
  • I think it's possible. Curl's '--resolve' option is a proof. In other languages like Python, the name resolution phase can easily be replaced with your own code (e.g. http://stackoverflow.com/questions/2236498/tell-urllib2-to-use-custom-dns). – freestyler Sep 01 '15 at 01:53
  • My 2 cents: If you use strict options to prevent going to a site where the certificate URL mismatches the redirect URL (like the default Chrome behaviour) you won't get redirected; it's because the effect is intended. In short, you can't have it! If you use lenient options (many web clients allow it), you can go ahead, but you'll still get warnings, in which case the user should intervene and accept the risk. – CKmum Sep 06 '15 at 09:52

I see the following options:

example

#include <stdio.h>
#include <curl/curl.h>

int main(void)
{
  CURL *curl;
  CURLcode res = CURLE_OK;
  struct curl_slist *host = NULL;

  /* Each single name resolve string should be written using the format
     HOST:PORT:ADDRESS where HOST is the name libcurl will try to resolve,
     PORT is the port number of the service where libcurl wants to connect to
     the HOST and ADDRESS is the numerical IP address.
     The PORT must match the one the URL actually uses: 80 for the http://
     URL below; an https:// URL would need an "example.com:443:..." entry.
     libcurl still verifies the server certificate against HOST, not ADDRESS. */
  host = curl_slist_append(NULL, "example.com:80:127.0.0.1");

  curl = curl_easy_init();
  if(curl) {
    curl_easy_setopt(curl, CURLOPT_RESOLVE, host);
    curl_easy_setopt(curl, CURLOPT_URL, "http://example.com");
    res = curl_easy_perform(curl);
    if(res != CURLE_OK)
      fprintf(stderr, "curl_easy_perform() failed: %s\n", curl_easy_strerror(res));

    /* always cleanup */
    curl_easy_cleanup(curl);
  }

  curl_slist_free_all(host);

  return (int)res;
}

Update: Since the author doesn't want to skip certificate validation, this is not an option now:

You can try to ignore the SSL certificate in AFNetworking in your case

I want to allow invalid SSL certificates with AFNetworking

Ivan Fateev
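The following is an added example, written by the editor and not taken from the question or either answer: the curl --resolve effect for HTTPS in plain Python, using only the standard-library socket and ssl modules, with certificate validation left fully on. It shows the separation that makes the override safe, which is also what libcurl does internally with CURLOPT_RESOLVE: the TCP connection goes to the address you chose, while SNI, the Host header and the certificate hostname check all use the logical name, so the server must still present a certificate that is valid for example.com. The function and type names (parse_resolve, is_valid_resolve, build_request, ensure_verifying, https_get_with_resolve, ResolveEntry) are the editor's own; the override "example.com:443:100.100.100.100" reuses the question's placeholder address, so the demo at the bottom will only succeed against a host that really serves a certificate for example.com.

```python
import socket
import ssl
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class ResolveEntry:
    """One curl-style HOST:PORT:ADDRESS override (editor's own type)."""
    host: str
    port: int
    address: str


def parse_resolve(spec: str) -> ResolveEntry:
    """Parse curl's --resolve syntax, e.g. 'example.com:443:100.100.100.100'.

    Splitting from the left at most twice keeps IPv6 literals (which contain
    ':') intact; curl also accepts the address wrapped in [brackets].
    """
    parts = spec.split(":", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"malformed --resolve entry: {spec!r}")
    host, port_text, address = parts
    if not port_text.isdigit() or not 0 < int(port_text) < 65536:
        raise ValueError(f"bad port in --resolve entry: {spec!r}")
    address = address.strip("[]")
    # Insist on an IP literal: the point is to bypass DNS, so a name here
    # would silently reintroduce the lookup we are trying to avoid.
    family = socket.AF_INET6 if ":" in address else socket.AF_INET
    try:
        socket.inet_pton(family, address)
    except OSError as exc:
        raise ValueError(f"address is not an IP literal: {address!r}") from exc
    return ResolveEntry(host.lower(), int(port_text), address)


def is_valid_resolve(spec: str) -> bool:
    """True if parse_resolve() would accept spec."""
    try:
        parse_resolve(spec)
    except ValueError:
        return False
    return True


def build_request(host: str, path: str) -> bytes:
    """Minimal HTTP/1.1 GET; Host carries the logical name, never the IP."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")


def ensure_verifying(context: ssl.SSLContext) -> None:
    """Refuse to proceed if chain or hostname verification was switched off."""
    if context.verify_mode != ssl.CERT_REQUIRED or not context.check_hostname:
        raise ValueError("TLS verification must stay enabled for a --resolve override")


def https_get_with_resolve(host: str, path: str, entry: ResolveEntry,
                           timeout: float = 10.0,
                           context: Optional[ssl.SSLContext] = None) -> Tuple[int, bytes]:
    """GET https://host/path, but open the TCP connection to entry.address.

    Only the socket destination changes. SNI (server_hostname), the Host
    header and the certificate hostname check all use `host`, so the server
    must still present a chain that is valid for `host`.
    """
    if entry.host != host.lower():
        raise ValueError(f"override is for {entry.host!r}, request is for {host!r}")
    if context is None:
        context = ssl.create_default_context()  # system CA store, hostname check on
    ensure_verifying(context)
    raw = socket.create_connection((entry.address, entry.port), timeout=timeout)
    # wrap_socket() on a connected socket performs the handshake here and
    # raises ssl.SSLCertVerificationError if the chain or name does not match.
    with context.wrap_socket(raw, server_hostname=entry.host) as tls:
        tls.sendall(build_request(entry.host, path))
        chunks = []
        while True:
            data = tls.recv(65536)
            if not data:
                break
            chunks.append(data)
    head, _, body = b"".join(chunks).partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].split()
    if len(status_line) < 2 or not status_line[1].isdigit():
        raise ConnectionError("no HTTP status line in response")
    return int(status_line[1]), body


if __name__ == "__main__":
    # Placeholder override from the question; expect a verification error
    # unless 100.100.100.100 really serves a certificate for example.com.
    override = parse_resolve("example.com:443:100.100.100.100")
    try:
        code, body = https_get_with_resolve("example.com", "/", override)
        print(code, len(body))
    except ssl.SSLCertVerificationError as err:
        print("certificate did not validate for example.com:", err)
```

The error the question hit came from putting the IP in the URL, which made the client verify the certificate against 100.100.100.100. Here a wrong override still fails, but for the right reason: the handshake is verified against example.com, exactly as curl does it with --resolve example.com:443:100.100.100.100, so a poisoned or mistaken address cannot pass validation unless the host behind it genuinely holds a certificate for the name.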