I need your help :)
I'm about changing the http request into a https request from my app. For now I have used ASIHTTPRequest and followed this tutorial. You have to know that I am a total beginner in this area of https and ssl. I appreciate any help, really.
This is the code of my http request:
- (void)fetchDataFromServer{
// Create Instance
ASIFormDataRequest *request = [[ASIFormDataRequest alloc] initWithURL:url];
// Parameter der POST Anfrage setzen
[request setPostValue:#"anything" forKey:#"app_action"];
[request setValidatesSecureCertificate:NO]; // no certificate so far
request.delegate = self; // assign delegate
[request startAsynchronous]; // send request
}
That worked fine. But now I need to protect the data connection and therefore I have to use https.
How can I realize this need? Is ASIHTTPRequest the right thing for that and it is even supporting that? What do I need to know of the certificate in the server?
Please tell me everything you know :)
Thank you very much - you're the best.
Regards
Chris
Certificate validation is a good thing and should nearly always be done. You do not need to disable it for HTTP requests.
There is really only one exception to this rule. If you must connect to a HTTPS web service which does not have a properly signed certificate by a trusted certificate authority, then you must to turn certificate validation off.
Why your web service might not have a valid certificate
You're being hacked! This is the reason for certificates and certificate validation.
The web service is running on a badly configured SSL server.
The certificate has expired and the server isn't being kept up.
The owner of the web service is too cheap to pay for having his certificate signed by a trusted certificate authority.
A development server that isn't exposed to the public may not be worth the trouble of getting a signed certificate.
How to know if the web service doesn't have a properly signed certificate
Visit the web service in a web browser and see if you get a certificate error.
Check for an invalid certificate error within your app.
Alternatives to turning certificate validation off
Get your certificate signed by a trusted certificate authority.
Create your own certificate authority, sign your certificate with your own certificate authority, and install your certificate authority as a trusted certificate authority on the iOS device.
Related
Basically our iOS app needs to communicate with a server which has a self signed certificate for now. In my app, the https is failing with untrusted server certificate which is understandable. The error is like this:
Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “my host name here” which could put your confidential information at risk."
So I sent the self signed certificate via email to the iOS device and imported into the profiles and hoping that it would be used as part of root CA for https authentication. To my surprise, it is not and I am still getting the same error. I think that iOS would be default to use root CAs at keychain to validate the server certificate and from what I read, the imported certificate at profiles are at keychain as well. So I could not understand why my imported self signed certificate is not used as root CA.
At this point, I don't really want to trust this self signed certificate via the coding like this iOS authenticate HTTPS with self-signed certificate or In iOS, how to connect to a server using https with self-signed certificate on the server? since this won't work in customer case where they would install our server on their network and they could create their own self signed certificate.
Somehow I didn't really get much information around this from searching. Could anyone shed some lights here and what I need to do to debug this? Thanks very much.
Update on July 15:
More update around this. I also tried to use configuration profile to add a self signed CA to root CA at the iOS device by following Adding Trusted Root Certificate Authorities to iOS , from my testing on 6.0 iPad and iPhone, it doesn't work as well. So not sure if that only works on jail broken device or not. In the end, I end up by allowing user to import a self signed certificate into the app. The app would load such imported certificate for certificate verification similar to this In iOS, how to connect to a server using https with self-signed certificate on the server?. Hope that it would help others in this case.
looking at the first tutorial you linked to you should be able to use that or some more advanced form of that and once you have tested and have it working then all you have to do for a client to create and add their own certificate would be to override/replace the localhost.cer file in the apps folder where the file localhost.cer "or whatever name scheme you use" is located. there are many ways to do this but one could be telling the app a link where the certificate is online for download and once downloaded, then replace.
Any questions I'll try and help further but hopes this helps you in the right direction.
After changing server to ssl ( http --> https ), I'm getting failure block executed and generating the error such as
request timed out
I know AFXMLRequestOperation is subclass of AFHTTPRequestOperation which is a subclass of AFURLConnectionOperation for requests using the HTTP or HTTPS protocols. Therefore, I thought I could get some response back from server, not the above error .
Does anybody experience it before, please help. Any comments are welcomed.
Thanks
It's possible that the ssl certificate you're using on your server is self signed or is not signed by a suitable certificate authority. I would start by investigating that, and then take steps to force your app to connect to the server even though the certificate is abnormally signed.
I have a mobile app that will be communicating with my webserver over https. My question is, do I even need to worry about installing a certificate since all traffic to this api will be headless?
In my understanding, SSL provides the encryption for a request, and a certificate establishes trust for the end user. Because these calls to my webserver will essentially be headless, I'm thinking I don't need to worry about the trust establishment.
Am I correct in this thinking?
You will either need a self-signed certificate or a CA-signed certificate in order to use HTTPS on your server.
If your certificate is not assigned to you by a certificate authority, then any connection you make will trigger an error in your URLRequest that you will have to handle. The problem with an untrusted certificate is that a malicious man-in-the-middle could fake data to and from your server with his own self-signed certificate, and possibly pick up authentication credentials or data that he should not have access to.
If you are dealing with any authentication credentials or other private data, I'd recommend just requesting a signed certificate. If you shop around, you can find cheap signed certificates for $10-20 a year, which is a trivial cost to protect your users.
However, if this is just a personal project (the only data you have to worry about is yours), or any data that you will be sending is freely available, a self-signed certificate may be enough.
My application uses ASIHttpRequest for my server communication. I have a requirement that I should block HTTP protocol cos I dont wont to transmit that data over insecure link. So only SSL over HTTPS will be allowed. Also even thought the link is HTTPS I need to ensure that I am calling to the correct certificate. So I need a server certificate validation in my code. Please guide me how to do this.
I researched on this. I found few possible answers. One is to create a client certificate and do the validation. Also there are ways to "Client certificates support" under ASIHttpRequest documentation. So how to achieve my requirements above. Also integration of CFNetwork code into ASIHttpRequest will also do.
Regards,
Dilshan
You can get a validated certificate from an certificate authority like StartSSL or Thawte. Then iOS checks if the certificate is trusted by an authority. iOS comes with different trusted authorites.
If the server certificate is not validated by an authority the connection is rejected.
You don't need to do something special in code. Only use a https connection.
I have ASP.NET web service on windows server 2003. I have own certificate authority. I use own client certificate on authentification in web service.
I make client certificate. I call web service, everything is ok. Then I revoke this certificate in certification authority. Certificate is in Revoked certificate.
I call web service with this certificate, but web service verify this certificate as good, but this certificate is between revoked. I don't know why? Anybody help me please?
I use this method on verify certificate.
X509Certificate2.Verify Method
I don't get any exception, certificate is between revoked, but web service verify this certificate as good.
to klausbyskov:
Thank you. So I try this :
public void CreateUser(X509Certificate2 cert)
{
ServicePointManager.UseNagleAlgorithm = true;
ServicePointManager.Expect100Continue = true;
ServicePointManager.CheckCertificateRevocationList = true;
ServicePointManager.DefaultConnectionLimit = ServicePointManager.DefaultPersistentConnectionLimit;
if (VefiryCert(cert))
{
//...
}
}
But the revoked certificate is still verify as good
Try setting the CheckCertificateRevocationList property of the ServicePointManager class to true before calling Verify().
Try setting it in applications config file:
Maybe that helps..
Validation is based on various factors.
Does the certificate have Certificate Revocation List Distribution Point (CDP) Extensions and is the CRL accessible? (https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.13)
NOTE: CRLs are cached!
The only way to check the validity without almost any delay would be asking the CA itself. But I wouldn't consider this as an option.
For what you are trying to achieve the online responder protocol has been introduced (http://www.ietf.org/rfc/rfc2560.txt).
Does the certificate have an AIA OCSP Extension and do you have an OCSP Responder set up? What are the triggers/intervals of OCSP (as its data is also a CRL)?