I am trying to establish a secure connection to a Java SSLServerSocket server.
I created my own root CA and signed a certificate with it, which the Java SSLServerSocket uses.
I want to add this root certificate to my application so that any certificate signed by the root certificate works.
So far, I'm sure that a secure connection works fine by setting the read and write properties for this:
NSDictionary *settings = [[NSDictionary alloc] initWithObjectsAndKeys:
    (id)kCFStreamSocketSecurityLevelNegotiatedSSL, kCFStreamPropertySocketSecurityLevel,
    [NSNumber numberWithBool:YES], kCFStreamSSLAllowsExpiredCertificates,
    [NSNumber numberWithBool:YES], kCFStreamSSLAllowsExpiredRoots,
    [NSNumber numberWithBool:NO],  kCFStreamSSLValidatesCertificateChain,   // chain check off
    nil];
I add the certificate to the keychain as follows:
- (void)addRootCert {
    NSString *rootCertPath = [[NSBundle mainBundle] pathForResource:@"rootCA" ofType:@"der"];
    NSData *rootCertData = [NSData dataWithContentsOfFile:rootCertPath];
    SecCertificateRef rootCert = SecCertificateCreateWithData(kCFAllocatorDefault,
                                                              (__bridge CFDataRef)rootCertData);
    if (rootCert == NULL) {
        NSLog(@"rootCA.der could not be parsed as a DER certificate");
        return;
    }
    // Plain __bridge here: kSecClassCertificate is a global constant and must not be
    // handed to ARC for release (the original __bridge_transfer would do exactly that).
    NSDictionary *dict = [NSDictionary dictionaryWithObjectsAndKeys:
                          (__bridge id)kSecClassCertificate, kSecClass,
                          (__bridge id)rootCert, kSecValueRef,
                          nil];
    OSStatus err = SecItemAdd((__bridge CFDictionaryRef)dict, NULL);
    CFRelease(rootCert);   // SecItemAdd retains what it needs; release our reference
    if (err == noErr) {
        NSLog(@"Successfully added root certificate");
    } else if (err == errSecDuplicateItem) {
        NSLog(@"Root certificate already exists");
    } else {
        NSLog(@"Root certificate add failed (%d)", (int)err);
    }
}
This works, but I want to check the certificate chain so that my application accepts only certificates signed by my CA (or by a standard trusted one).
How can I do this?
If I set kCFStreamSSLValidatesCertificateChain to YES, I get an error: CFNetwork SSLHandshake failed (-9807), but if it isn't set, it doesn't matter who signed the server certificate; it will connect regardless (I assume that is correct?)
Thanks!
ios ssl sockets certificate-authority root-certificate
Alexander North
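The gap the question describes is real: with kCFStreamSSLValidatesCertificateChain set to NO, CFStream negotiates TLS but performs no chain validation at all, so any server certificate is accepted. The usual way to accept only certificates issued by a private root is to leave the stream-level check off (so the handshake is not rejected by the system trust store with -9807), then fetch the peer's SecTrustRef from the stream and evaluate it yourself with the private root as the only anchor. The following is an added example written for this page, not code from the question or from any Apple sample; it assumes rootCA.der from the question is in the app bundle and uses kExpectedHost as a placeholder for the server's real host name.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <CFNetwork/CFNetwork.h>

// Added example, not code from the original question. Assumptions (not on the page):
//   - "rootCA.der" in the app bundle is the private root CA from the question;
//   - kExpectedHost is a placeholder for the server's real host name.
static NSString * const kExpectedHost = @"server.example.internal"; // placeholder

// Load the DER-encoded private root from the bundle. Caller must CFRelease.
static SecCertificateRef CopyBundledRootCert(void) {
    NSString *path = [[NSBundle mainBundle] pathForResource:@"rootCA" ofType:@"der"];
    NSData *der = [NSData dataWithContentsOfFile:path];
    if (der == nil) return NULL;
    return SecCertificateCreateWithData(kCFAllocatorDefault, (__bridge CFDataRef)der);
}

// YES only when the peer's chain ends at the private root (system roots are
// ignored) and the leaf certificate is valid for expectedHost.
static BOOL PeerTrustIsSignedByPrivateRoot(SecTrustRef trust, NSString *expectedHost) {
    if (trust == NULL) return NO;
    SecCertificateRef root = CopyBundledRootCert();
    if (root == NULL) return NO;

    // Our root becomes the only acceptable anchor.
    NSArray *anchors = @[(__bridge id)root];
    SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors);
    SecTrustSetAnchorCertificatesOnly(trust, true);

    // The SSL server policy adds host-name matching and server-auth usage checks.
    SecPolicyRef policy = SecPolicyCreateSSL(true, (__bridge CFStringRef)expectedHost);
    SecTrustSetPolicies(trust, policy);

    SecTrustResultType result = kSecTrustResultInvalid;
    OSStatus status = SecTrustEvaluate(trust, &result); // iOS 12+: SecTrustEvaluateWithError
    CFRelease(policy);
    CFRelease(root);
    if (status != errSecSuccess) return NO;
    // Unspecified = chains to an anchor with no user override; Proceed = user-trusted.
    return result == kSecTrustResultUnspecified || result == kSecTrustResultProceed;
}

@interface PrivateRootStreamDelegate : NSObject <NSStreamDelegate>
@property (nonatomic) BOOL peerVerified;
@property (nonatomic, strong) NSInputStream *input;
@property (nonatomic, strong) NSOutputStream *output;
@end

@implementation PrivateRootStreamDelegate

// Apply TLS settings to a stream pair: negotiate TLS, tell the stack which host
// name to expect, and switch OFF the built-in chain check so the handshake is not
// rejected by the system trust store (the -9807 in the question). The chain is
// then checked in the delegate below instead of being skipped.
- (void)configureInput:(NSInputStream *)input output:(NSOutputStream *)output {
    NSDictionary *settings = @{
        (__bridge id)kCFStreamSSLLevel: (__bridge id)kCFStreamSocketSecurityLevelNegotiatedSSL,
        (__bridge id)kCFStreamSSLPeerName: kExpectedHost,
        (__bridge id)kCFStreamSSLValidatesCertificateChain: @NO,
    };
    NSString *key = (__bridge NSString *)kCFStreamPropertySSLSettings;
    [input setProperty:settings forKey:key];
    [output setProperty:settings forKey:key];
    self.input = input;
    self.output = output;
    input.delegate = self;
    output.delegate = self;
}

- (void)stream:(NSStream *)stream handleEvent:(NSStreamEvent)event {
    // The peer trust object exists once the handshake is done, i.e. at the first
    // bytes/space-available event. Verify it BEFORE any application data moves.
    if ((event == NSStreamEventHasBytesAvailable || event == NSStreamEventHasSpaceAvailable)
        && !self.peerVerified) {
        id trustObj = [stream propertyForKey:(__bridge NSString *)kCFStreamPropertySSLPeerTrust];
        SecTrustRef trust = (__bridge SecTrustRef)trustObj;
        if (!PeerTrustIsSignedByPrivateRoot(trust, kExpectedHost)) {
            NSLog(@"Peer certificate not issued by our CA (or host mismatch); closing");
            [self.input close];
            [self.output close];
            return;
        }
        self.peerVerified = YES;
    }
    // normal read/write handling for the event goes here
}
@end
```

Two design points: SecTrustSetAnchorCertificatesOnly(true) is what makes the check "my CA only"; drop that call (keeping SecTrustSetAnchorCertificates) if the app should also accept certificates chaining to the system roots, which is the "or standard trusted" variant the question mentions. And the SSL policy created with the expected host name is what ties the certificate to this server; evaluating with a basic X.509 policy would accept any certificate the CA ever issued.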