
I am a bit curious as to why an SSL connection to PayPal is returning as not verified and not trusted root on my iOS system? I have just followed all your instructions to include the SSL library on iOS and then used your sample program to connect to PayPal. Can you please let me know where I am going wrong? Perhaps solving that also solves the connection to our own server?

asked Feb 20 '15 at 10:58

chilkat ♦♦

The Chilkat classes that are capable of using SSL/TLS (Mailman, IMAP, FTP2, HTTP, Socket, etc.) provide a GetSslServerCert method for getting the server's SSL/TLS certificate. When an SSL/TLS client establishes a secure channel, part of the handshake involves the server sending its certificate, and possibly one or more certificates in the chain of authentication up to but not including the root CA cert. The root CA cert must already exist on your system as an already-trusted root CA certificate. On Microsoft Windows systems, these can be located in the registry-based (current user or local machine) CA certificate stores. On a Linux system, there is typically a /etc/ssl/certs/ca-certificates.crt that contains the trusted CA certificates. On iOS or Mac OS X, I am not aware of any pre-defined trusted CA certificate store. (Perhaps I am unaware of its existence?)

In any case, you can download widely accepted (and kept up-to-date) trusted CA certificates from mozilla.org exported to a cacert.pem file by the mk-ca-bundle tool located here: http://curl.haxx.se/docs/caextract.html. You could also obtain only the few CA certs you wish to trust from the issuing certificate authority.

To tell Chilkat to use a set of trusted root CA certs, your app would use the TrustedRoots class (or CkoTrustedRoots / CkTrustedRoots, depending on your programming language). It's simply a matter of instantiating a TrustedRoots object once, loading the certs via any number of calls to the LoadCaCertsPem, AddCert, or AddJavaKeyStore methods, and then calling Activate. The TrustedRoots object instance can then be discarded. After doing this, all Chilkat objects will have access to and trust the trusted CA certs that were activated.

answered Feb 20 '15 at 11:10

chilkat ♦♦
Thank you very much for the explanation. I guess, the following line should be added before creating SSL socket to get the code working:

self.ckoSocket.RequireSslCertVerify = YES;

Looks like the value is NO by default, and so the certificate validity is not checked by default. Once it is added, I could get the CkoCert's SignatureVerified and TrustedRoot to return YES.

answered Feb 23 '15 at 02:42

iOSDev
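
The steps from the two answers above combined into one flow, as an added example that is not part of the original thread and not Chilkat's own sample code. It assumes a cacert.pem file has been added to the app bundle, that the Chilkat headers are on the include path, and that the library has already been unlocked; the function names ActivateBundledRoots and ConnectVerified are hypothetical.

```objective-c
#import <Foundation/Foundation.h>
#import "CkoTrustedRoots.h"
#import "CkoSocket.h"
#import "CkoCert.h"

// Added example. Call once at app launch: loads the CA bundle and makes it
// the trusted-root set for every Chilkat object created afterwards.
// Assumption: cacert.pem ships inside the app bundle.
static BOOL ActivateBundledRoots(void) {
    NSString *pemPath = [[NSBundle mainBundle] pathForResource:@"cacert"
                                                        ofType:@"pem"];
    if (pemPath == nil) {
        NSLog(@"cacert.pem is missing from the app bundle");
        return NO;
    }
    CkoTrustedRoots *roots = [[CkoTrustedRoots alloc] init];
    if (![roots LoadCaCertsPem:pemPath]) {
        NSLog(@"Loading CA certs failed: %@", roots.LastErrorText);
        return NO;
    }
    // The roots object may be discarded once Activate has succeeded.
    return [roots Activate];
}

// Connects over TLS and returns YES only if the server certificate chains
// to an activated root. Refuse to send data when this returns NO.
static BOOL ConnectVerified(CkoSocket *sock, NSString *host) {
    // NO by default: without this the handshake succeeds even when the
    // chain cannot be validated.
    sock.RequireSslCertVerify = YES;

    if (![sock Connect:host port:@443 ssl:YES maxWaitMs:@20000]) {
        NSLog(@"Connect failed: %@", sock.LastErrorText);
        return NO;
    }
    CkoCert *cert = [sock GetSslServerCert];
    BOOL trusted = (cert != nil) && cert.SignatureVerified && cert.TrustedRoot;
    NSLog(@"%@: SignatureVerified=%d TrustedRoot=%d",
          cert.SubjectCN, cert.SignatureVerified, cert.TrustedRoot);
    if (!trusted) {
        [sock Close:@1000];   // fail closed on an unverified peer
    }
    return trusted;
}
```

If ActivateBundledRoots returns NO, treat it as a startup error rather than falling back to unverified connections.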

Asked: Feb 20 '15 at 10:58

Seen: 1,463 times

Last updated: Feb 23 '15 at 02:42
