
How can I distinguish a self-signed certificate from a revoked or expired one?

I'm using NSURLConnection and implementing connection:didReceiveAuthenticationChallenge: on the delegate:

- (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    // Only handle server-trust challenges (TLS certificate validation)
    if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        NSURLProtectionSpace *tmpSpace = [challenge protectionSpace];
        SecTrustRef currentServerTrust = [tmpSpace serverTrust];
        SecTrustResultType trustResult;
        // Evaluate the server's certificate chain against the system trust store
        OSStatus err = SecTrustEvaluate(currentServerTrust, &trustResult);
        // Proceed and Unspecified are the two results that mean "trusted"
        BOOL trusted = (err == noErr) && ((trustResult == kSecTrustResultProceed) ||
                                          (trustResult == kSecTrustResultUnspecified));
        if (trusted) {
            // Do something
        }
    }
}

Currently the "if (trusted){}" block only works for certificates trusted by iOS. I want it to work for others as well, but only if the certificate isn't revoked or expired.

The documentation uses SecTrustSettingsSetTrustSettings for changing the settings and re-evaluating the trust, but I couldn't find this method (or SecTrustSettings) for iOS, only for Mac.

Thanks

Raven

2 Answers


Read my post here on this issue:

Details on SSL/TLS certificate revocation mechanisms on iOS

CRL and OCSP behavior of iOS / Security.Framework?

Basically:

  • OCSP is used for EV certificates
  • works "best effort"
  • is a blocking operation.
joshis

For the trust evaluation to succeed,

  1. you need to have the anchor (root CA cert) installed on the device.
  2. or, you specify an anchor at runtime using SecTrustSetAnchorCertificates().

In either case, you need to have access to the anchor certificate.

Plumenator
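Putting the two answers together, here is an added example (not code from the question or either answer) of the runtime-anchor approach: the bundled certificate is supplied via SecTrustSetAnchorCertificates() so iOS accepts the otherwise-untrusted chain, while the SSL policy still enforces the validity period and a revocation policy still checks OCSP/CRL. The bundle file name "trusted-anchor.der" and the use of SecPolicyCreateRevocation (iOS 7 and later) are assumptions of this example.

```objective-c
// Added example: trust a self-signed or private-CA certificate by anchoring it
// at runtime, while still rejecting expired or revoked certificates.
// Assumption: the anchor is bundled as "trusted-anchor.der" (placeholder name).
#import <Foundation/Foundation.h>
#import <Security/Security.h>

- (BOOL)evaluateServerTrust:(SecTrustRef)trust forHost:(NSString *)host {
    // Load the bundled anchor: either the self-signed server cert itself or the private CA that issued it
    NSString *path = [[NSBundle mainBundle] pathForResource:@"trusted-anchor" ofType:@"der"];
    NSData *anchorData = [NSData dataWithContentsOfFile:path];
    if (!anchorData) return NO;
    SecCertificateRef anchor = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)anchorData);
    if (!anchor) return NO;

    // Use only our anchor; the system root store is not consulted for this trust object
    NSArray *anchors = @[(__bridge id)anchor];
    SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors);
    SecTrustSetAnchorCertificatesOnly(trust, true);

    // SSL policy keeps the hostname and validity-period checks, so an expired cert still fails.
    // Revocation policy requires a positive OCSP/CRL answer, so a revoked cert fails as well.
    SecPolicyRef ssl = SecPolicyCreateSSL(true, (__bridge CFStringRef)host);
    SecPolicyRef revocation = SecPolicyCreateRevocation(kSecRevocationUseAnyAvailableMethod |
                                                         kSecRevocationRequirePositiveResponse);
    NSArray *policies = @[(__bridge id)ssl, (__bridge id)revocation];
    SecTrustSetPolicies(trust, (__bridge CFArrayRef)policies);

    SecTrustResultType result = kSecTrustResultInvalid;
    OSStatus err = SecTrustEvaluate(trust, &result);
    BOOL trusted = (err == errSecSuccess) &&
                   (result == kSecTrustResultProceed || result == kSecTrustResultUnspecified);

    CFRelease(revocation);
    CFRelease(ssl);
    CFRelease(anchor);
    return trusted;
}

- (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
        return;
    }
    if ([self evaluateServerTrust:space.serverTrust forHost:space.host]) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:space.serverTrust] forAuthenticationChallenge:challenge];
    } else {
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}
```

Dropping kSecRevocationRequirePositiveResponse turns the revocation check back into the best-effort behaviour the first answer describes, which is what you want if the anchored certificate carries no OCSP or CRL pointer at all.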