Failed to open secure site using custom CA

I am writing an iOS application that uses socket.io (the socket.io-objc library) to connect to local and remote servers. My connection to the remote server already uses TLS without any problems. The remote servers have certificates signed by a known CA. Now I want to protect the local connection as well. However, these local certificates cannot be signed by a well-known CA.

So far, I have created my own CA certificate and used it to sign the local server certificate. I believe this works because if I manually install the CA certificate on my iPad, I can connect to the server.

Now I am trying to install the CA certificate automatically in the application using this article as a reference. The problem I'm facing is that although it seems that I can successfully add the certificate to the keychain for my application, my socket connection does not seem to use it.

When launched, my application installs the CA:

#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Load the DER-encoded root CA shipped in the app bundle.
NSBundle *bundle = [NSBundle bundleForClass:[self class]];
NSData *iosTrustedCertDerData = [NSData dataWithContentsOfFile:[bundle pathForResource:@"myRootCA" ofType:@"der"]];
SecCertificateRef certificate = SecCertificateCreateWithData(kCFAllocatorDefault, (__bridge CFDataRef) iosTrustedCertDerData);

// Store the certificate as a keychain item of class kSecClassCertificate.
CFDictionaryRef dict = (__bridge CFDictionaryRef)([NSDictionary dictionaryWithObjectsAndKeys:
                        (__bridge id) (kSecClassCertificate), kSecClass,
                        (__bridge id) certificate, kSecValueRef,
                        nil]);

OSStatus err = SecItemAdd(dict, NULL);
if (err == noErr) {
    NSLog(@"####### IT WORKS!!!!!!!!!");
}
else if (err == errSecDuplicateItem) {
    NSLog(@"###### IT WAS ALREADY THERE!!!");
}
else {
    NSLog(@"####### IT BROKEN!!!!!!!! (OSStatus %d)", (int) err);
}

// The keychain keeps its own reference; release ours.
if (certificate) {
    CFRelease(certificate);
}

The first time this ran, it printed "IT WORKS". Now it prints "IT WAS ALREADY THERE". This is as expected. Then, when I try to connect, I just open the socket.io connection as usual.

SocketIO *socketIO = [[SocketIO alloc] initWithDelegate:self];
socketIO.useSecure = YES;   // connect over TLS (wss://)
[socketIO connectToHost:url onPort:port];

This results in an error:

The certificate for this server is not valid. Perhaps you are connecting to a server that is pretending to be "myserver.local", which could threaten your sensitive information.

, , . , / , SecItemAdd. , , . / CA, socket.io-obj SocketRocket, ?

. . , , ( ).

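Adding a certificate to the app's keychain with SecItemAdd only stores it as a keychain item; it does not make the certificate a trusted anchor for TLS evaluation, so the handshake still fails as in the question. The component that receives the server trust challenge has to set the private CA as an anchor explicitly. The following is an added example (not code from the question, from socket.io-objc, or from SocketRocket) showing that evaluation with an NSURLSession delegate; the `rootCA` property, the `myRootCA.der` resource name and the hostname are assumptions taken from the question.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Evaluate a server's certificate chain against a private root CA only.
// Returns YES when the chain terminates at rootCA and the leaf matches expectedHost.
static BOOL EvaluateServerTrustAgainstPrivateCA(SecTrustRef serverTrust,
                                                SecCertificateRef rootCA,
                                                NSString *expectedHost) {
    if (serverTrust == NULL || rootCA == NULL || expectedHost.length == 0) {
        return NO;
    }

    // Apply the SSL server policy for the expected hostname; this is what
    // rejects a certificate issued to some other name ("pretending to be ...").
    SecPolicyRef policy = SecPolicyCreateSSL(true, (__bridge CFStringRef) expectedHost);
    SecTrustSetPolicies(serverTrust, policy);
    CFRelease(policy);

    // Pin evaluation to our private root: system roots are NOT consulted.
    NSArray *anchors = @[ (__bridge id) rootCA ];
    SecTrustSetAnchorCertificates(serverTrust, (__bridge CFArrayRef) anchors);
    SecTrustSetAnchorCertificatesOnly(serverTrust, true);

    SecTrustResultType result = kSecTrustResultInvalid;
    OSStatus status = SecTrustEvaluate(serverTrust, &result);
    if (status != errSecSuccess) {
        return NO;
    }
    // "Unspecified" means trusted with no explicit user override; "Proceed" is an explicit override.
    return result == kSecTrustResultUnspecified || result == kSecTrustResultProceed;
}

@interface LocalServerClient : NSObject <NSURLSessionDelegate>
@property (nonatomic, assign) SecCertificateRef rootCA;   // assumed: loaded once at start-up
@end

@implementation LocalServerClient

- (instancetype)init {
    if ((self = [super init])) {
        // Assumed resource name from the question: myRootCA.der in the app bundle.
        NSBundle *bundle = [NSBundle bundleForClass:[self class]];
        NSData *der = [NSData dataWithContentsOfFile:[bundle pathForResource:@"myRootCA" ofType:@"der"]];
        _rootCA = der ? SecCertificateCreateWithData(kCFAllocatorDefault, (__bridge CFDataRef) der) : NULL;
    }
    return self;
}

- (void)dealloc {
    if (_rootCA) {
        CFRelease(_rootCA);
    }
}

// Server trust challenge: accept only chains anchored at the private CA.
- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }
    if (EvaluateServerTrustAgainstPrivateCA(space.serverTrust, self.rootCA, space.host)) {
        completionHandler(NSURLSessionAuthChallengeUseCredential,
                          [NSURLCredential credentialForTrust:space.serverTrust]);
    } else {
        // Fail closed: do not fall back to system trust or accept the connection.
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
    }
}

@end
```

The same evaluation function applies wherever the WebSocket layer exposes the server trust object; the important properties are that the anchor set contains only the private root, that the SSL policy carries the expected hostname, and that any evaluation failure cancels the connection rather than falling back to the default handling.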

, . , iPhone. , ""? (.. , Safari ?) , , , ( , , ), , :

. Im SecTrust . iPhone. , , NSURLConnection .

. ( , : " . , , iOS , ." )

, NSURLConnection SecTrustEvaluate . .

, ; , , . , - , , .

socket.io, NSURLConnection. socket.io, .

, . 5. .

