0

Consider using an NSURLConnectionDataDelegate that is implementing didReceiveAuthenticationChallenge.

Suppose the delegate receives an authentication challenge and the protectionSpace is NSURLAuthenticationMethodClientCertificate and, instead of providing one, simply does the following:

[challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge];

The server has two options.

  1. If it wants to require the certificate, it can simply terminate the connection and the iOS NSURLConnection will raise the error NSURLErrorClientCertificateRequired.

  2. If the server wants to continue, it can simply do so by not severing the connection and the delegate should receive another call to didReceiveAuthenticationChallenge.

I have not been able to concretely verify this hypothesis. I suppose it's possible the iOS NSURL stack can get in the way as well. But I'm looking for some kind of verification on the hypothesis.

Joey Carson

1 Answer

0

You have to install an SSL certificate on your server, and when you try to hit the API you should use https instead of http. Hope this helps you...

shiju86.v
  • Yes, I'm aware of how SSL works. But I'm referring to a very specific configuration of SSL/TLS where client authentication may or may not actually be required by the server. There are a number of authentication appliances/DMZ controllers that can be configured this way. What I'm saying is that, in the context of the server not requiring a valid client certificate (even though it asks for one), I believe the expected behavior is for the server to continue the request, e.g. the NSURLConnection will not encounter a failure with error. – Joey Carson May 17 '16 at 17:33
  • Someone has given an answer here. Please check this link: http://stackoverflow.com/questions/933331/how-to-use-nsurlconnection-to-connect-with-ssl-for-an-untrusted-cert?rq=1 – shiju86.v May 17 '16 at 17:35
  • That link relates to a server identity certificate that cannot be verified by the client. The scenario I'm describing is more or less the other way around: the server asks for a client certificate during the SSL handshake (not the norm in https). Based on settings, the https server may decide it's ok that the client didn't provide a client certificate, or it may choose to continue the transaction even though the client provided an expired or unverifiable certificate. – Joey Carson May 17 '16 at 17:40
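
A delegate that exercises the path described in the question and logs which of the two outcomes the server chose. This is an added example, not code from the original post; the class name ClientCertProbe and its property are hypothetical, and it assumes the NSURLConnection delegate API the question uses while leaving server certificate validation to the system.

```objc
#import <Foundation/Foundation.h>

// Hypothetical probe delegate; the class and property names are assumptions.
@interface ClientCertProbe : NSObject <NSURLConnectionDataDelegate>
@property (nonatomic) NSUInteger clientCertChallenges;
@end

@implementation ClientCertProbe

// Returning YES opts in to client-certificate challenges. Server trust is
// declined here so the system keeps validating the server's certificate itself.
- (BOOL)connection:(NSURLConnection *)connection
    canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)space {
    return ![space.authenticationMethod
                isEqualToString:NSURLAuthenticationMethodServerTrust];
}

- (void)connection:(NSURLConnection *)connection
    didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    NSString *method = challenge.protectionSpace.authenticationMethod;
    if ([method isEqualToString:NSURLAuthenticationMethodClientCertificate]) {
        self.clientCertChallenges += 1;
        NSLog(@"Client certificate requested (%lu), answering without one",
              (unsigned long)self.clientCertChallenges);
        [challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge];
    } else if ([challenge.sender respondsToSelector:
                   @selector(performDefaultHandlingForAuthenticationChallenge:)]) {
        // Any other challenge type keeps the platform's default behaviour.
        [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
    } else {
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}

// Outcome 2 in the question: the server kept the connection open.
- (void)connection:(NSURLConnection *)connection
    didReceiveResponse:(NSURLResponse *)response {
    NSLog(@"Server continued without a client certificate: %@", response);
}

// Outcome 1 in the question: the server ended the connection.
- (void)connection:(NSURLConnection *)connection didFailWithError:(NSError *)error {
    BOOL certRequired = [error.domain isEqualToString:NSURLErrorDomain]
        && error.code == NSURLErrorClientCertificateRequired;
    NSLog(@"Failed (%@): %@", certRequired ? @"client certificate required" : @"other", error);
}

@end
```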