How can we tell CFStream to use a set of anchor certificates?

I know that we can call SecTrustSetAnchorCertificates() given a SecTrustRef. But with CFStreams, we only get hold of the trust object after the handshake. One way to solve the problem is to disable certificate chain validation in CFStream using the kCFStreamSSLValidatesCertificateChain property, then obtain the peer certificates using kCFStreamPropertySSLPeerCertificates, create a trust object from those certificates, and evaluate that trust.

But it would be much cleaner if we could just tell CFStream to use an array of certificates as anchors. Am I hoping for too much?


eskimo1 from the Apple Developer Forums replied as follows:

First, disable automatic trust evaluation using kCFStreamSSLValidatesCertificateChain.

Secondly, as soon as the thread is up and running (I usually do this in my message processing “can accept bytes” or “has access to bytes”), you will get the SecTrust object from the stream using kCFStreamPropertySSLPeerTrust and appreciate this trust for yourself. If the trust check fails, merge the stream.

