Archived Forum Post

Index of archived forum posts

Question:

Verify SSL/TLS Server Certificate on iOS?

Feb 23 '15 at 02:42

I am a bit curious on why an SSL connection to PayPal is returning as not verified and not trusted root on my iOS system? I have just followed all your instructions to include SSL library on iOS and then used your sample program to connect to paypal. Can you please let me know where I am going wrong? Perhaps, solving that solves connection to our own server also?


Answer

The Chilkat classes that are capable of using SSL/TLS (Mailman, IMAP, FTP2, HTTP, Socket, etc.) provide a GetSslServerCert method for getting the server's SSL/TLS certificate. When an SSL/TLS client establishes a secure channel, part of the handshake involves the server sending its certificate, and possibly one or more certificates in the chain of authentication up to but not including the root CA cert. The root CA cert must already exist on your system as an already-trusted root CA certificate. On Microsoft Windows systems, these can be located in the registry-based (current user or local machine) CA certificate stores. On a Linux system, there is typically a /etc/ssl/certs/ca-certificates.crt that contains the trusted CA certificates. On iOS or MAC OS X, I am not aware of any pre-defined trusted CA certificate store. (Perhaps I am unaware of its existence?)

In any case, you can download widely accepted (and kept up-to-date) trusted CA certificates from mozilla.org exported to a cacert.pem file by the mk-ca-bundle tool located here: http://curl.haxx.se/docs/caextract.html. You could also obtain only the few CA certs you wish to trust from the issuing certificate authority.

To tell Chilkat to use a set of trusted root CA certs, your app would use the TrustedRoots class (or CkoTrustedRoots / CkTrustedRoots, depending on your programming language).It's simply a matter of instantiating a TrustedRoots object once, loading the certs via any number of calls to the LoadCaCertsPem, AddCert, or AddJavaKeyStore methods, and then calling Activate. The TrustedRoots object instance can then be discarded. After doing this, all Chilkat objects will have access to and trust the trusted CA certs that were activated.


Answer

Thank you very much for the explanation. I guess, the following line should be added before creating SSL socket to get the code working:

self.ckoSocket.RequireSslCertVerify = YES

Looks like the value is NO by default and so, the certificate validity is not checked by default. Once it is added, I could get the CkoCert's SignatureVerified and TrustedRoot return YES.