iphone - Determining Trust With NSURLConnection and NSURLProtectionSpace


Good day everyone,

I'm asking a follow-up to a question I posed earlier. I've got code that creates an NSURLRequest/NSURLConnection, runs it, and has the callback methods for authentication called. Here's the specific code:

    - (BOOL)connection:(NSURLConnection *)connection
    canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace {
        return [protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]
            || [protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodDefault];
    }

    - (void)connection:(NSURLConnection *)connection
    didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
        if ([challenge previousFailureCount] > 0) {
            [[challenge sender] cancelAuthenticationChallenge:challenge];
            NSLog(@"Bad username or password");
            badUsernameAndPassword = YES;
            finished = YES;
            return;
        }

        if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
            if (appDelegate._allowInvalidCert) {
                // Go ahead... trust me!
                [challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]
                     forAuthenticationChallenge:challenge];
            } else {
                TrustGenerator *tg = [[TrustGenerator alloc] init];
                if ([tg getTrust:challenge.protectionSpace]) {
                    // Go ahead... trust me!
                    [challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]
                         forAuthenticationChallenge:challenge];
                } else {
                    [[challenge sender] cancelAuthenticationChallenge:challenge];
                }
            }
        } else if ([[[challenge protectionSpace] authenticationMethod] isEqualToString:NSURLAuthenticationMethodDefault]) {
            // Compare with isEqualToString: rather than ==; == only compares string pointers.
            NSURLCredential *newCredential = [NSURLCredential credentialWithUser:_username
                                                                        password:_password
                                                                     persistence:NSURLCredentialPersistenceNone];
            [[challenge sender] useCredential:newCredential forAuthenticationChallenge:challenge];
        }
    }

What I'm running into is that in "didReceiveAuthenticationChallenge", the "[challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]" branch is always being taken, even when the certificate on the server I'm attempting to connect to is trusted (I'm testing with a VeriSign cert). I'm seeing my application prompting the end user to trust the site when the website is already trusted. Bad karma, considering that's what's supposed to happen in a man-in-the-middle attack, etc. I'm looking for code like this:

    if (appDelegate._allowInvalidCert) {
        // Go ahead... trust me!
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]
             forAuthenticationChallenge:challenge];
    } else if (/* the OS trusts the cert on the server */) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]
             forAuthenticationChallenge:challenge];
    } else {
        ...
    }

Thanks guys!

So I spent a few days researching this. It looks like, while the NSURLConnection API cannot determine whether a certificate is trusted, there's a method in the Security framework that handles that. Here's the code I came up with:

    #import <Security/Security.h>

    - (void)connection:(NSURLConnection *)connection
    didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
        if ([challenge previousFailureCount] > 0) {
            [[challenge sender] cancelAuthenticationChallenge:challenge];
            NSLog(@"Bad username or password");
            badUsernameAndPassword = YES;
            finished = YES;
            return;
        }

        if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
            SecTrustResultType result = kSecTrustResultInvalid;
            // This takes the serverTrust object and checks it against the keychain.
            // If the evaluation itself fails, treat the result as invalid rather than trusted.
            OSStatus status = SecTrustEvaluate(challenge.protectionSpace.serverTrust, &result);
            if (status != errSecSuccess) {
                result = kSecTrustResultInvalid;
            }

            if (appDelegate._allowInvalidCert) {
                [challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]
                     forAuthenticationChallenge:challenge];
            }
            // When testing against a trusted server I got kSecTrustResultUnspecified every time.
            // The other two match the description of a trusted server.
            // (kSecTrustResultConfirm is deprecated in newer SDKs.)
            else if (result == kSecTrustResultProceed || result == kSecTrustResultConfirm
                     || result == kSecTrustResultUnspecified) {
                [challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]
                     forAuthenticationChallenge:challenge];
            } else {
                // Asks the user whether to trust
                TrustGenerator *tg = [[TrustGenerator alloc] init];
                if ([tg getTrust:challenge.protectionSpace]) {
                    // May need to add a method to add the serverTrust to the keychain, like Firefox's "add exception"
                    [challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]
                         forAuthenticationChallenge:challenge];
                } else {
                    [[challenge sender] cancelAuthenticationChallenge:challenge];
                }
            }
        } else if ([[[challenge protectionSpace] authenticationMethod] isEqualToString:NSURLAuthenticationMethodDefault]) {
            // Compare with isEqualToString: rather than ==; == only compares string pointers.
            NSURLCredential *newCredential = [NSURLCredential credentialWithUser:_username
                                                                        password:_password
                                                                     persistence:NSURLCredentialPersistenceNone];
            [[challenge sender] useCredential:newCredential forAuthenticationChallenge:challenge];
        }
    }
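The answer above evaluates the SecTrustRef with SecTrustEvaluate and accepts Unspecified/Proceed. The following is an added example written for this page, not the poster's code or Apple sample code, that builds on the same idea in a defender-oriented way: it re-binds the evaluation to an SSL policy for the hostname actually dialled (so a valid certificate for a different name does not pass), treats only kSecTrustResultUnspecified and kSecTrustResultProceed as trusted, optionally pins the leaf certificate's DER bytes, and fails closed instead of prompting. The class names TrustEvaluator and PinnedConnectionDelegate, the TrustVerdict enum, and the pinnedCertificate property are this example's own assumptions; the Security framework calls (SecPolicyCreateSSL, SecTrustSetPolicies, SecTrustEvaluate, SecTrustGetCertificateAtIndex, SecCertificateCopyData) are real APIs.

```objective-c
// Added example (not from the original post). Assumed names: TrustEvaluator,
// TrustVerdict, PinnedConnectionDelegate and its pinnedCertificate property.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

typedef NS_ENUM(NSInteger, TrustVerdict) {
    TrustVerdictTrusted,      // chain validates to a system/keychain anchor (and matches the pin, if any)
    TrustVerdictUntrusted,    // invalid, expired, revoked, wrong host, pin mismatch, or evaluation error
    TrustVerdictRecoverable   // e.g. self-signed or unknown CA; the post's "ask the user" case
};

@interface TrustEvaluator : NSObject
+ (TrustVerdict)evaluateServerTrust:(SecTrustRef)trust
                            forHost:(NSString *)host
                  pinnedCertificate:(NSData *)pinnedDER;   // nil means no pinning
@end

@implementation TrustEvaluator

+ (TrustVerdict)evaluateServerTrust:(SecTrustRef)trust
                            forHost:(NSString *)host
                  pinnedCertificate:(NSData *)pinnedDER {
    if (trust == NULL || host.length == 0) {
        return TrustVerdictUntrusted;
    }

    // Bind the evaluation to an SSL server policy for the hostname we connected to,
    // so hostname mismatches fail even when the chain itself is valid.
    SecPolicyRef policy = SecPolicyCreateSSL(true, (__bridge CFStringRef)host);
    OSStatus status = SecTrustSetPolicies(trust, policy);
    CFRelease(policy);
    if (status != errSecSuccess) {
        return TrustVerdictUntrusted;
    }

    SecTrustResultType result = kSecTrustResultInvalid;
    status = SecTrustEvaluate(trust, &result);   // newer SDKs also offer SecTrustEvaluateWithError
    if (status != errSecSuccess) {
        return TrustVerdictUntrusted;             // an evaluation error is never "trusted"
    }

    // Unspecified is the normal result for a chain to a system root; Proceed means the user
    // explicitly trusted the certificate in the keychain. Nothing else counts as validated.
    BOOL chainValid = (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);
    if (!chainValid) {
        return (result == kSecTrustResultRecoverableTrustFailure) ? TrustVerdictRecoverable
                                                                  : TrustVerdictUntrusted;
    }

    if (pinnedDER == nil) {
        return TrustVerdictTrusted;
    }

    // Pinning: the leaf certificate's DER encoding must match the copy shipped with the app.
    if (SecTrustGetCertificateCount(trust) < 1) {
        return TrustVerdictUntrusted;
    }
    SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
    NSData *leafDER = CFBridgingRelease(SecCertificateCopyData(leaf));
    return [leafDER isEqualToData:pinnedDER] ? TrustVerdictTrusted : TrustVerdictUntrusted;
}

@end

// Delegate wiring mirroring the post's callbacks; only the server-trust branch is shown.
@interface PinnedConnectionDelegate : NSObject <NSURLConnectionDelegate>
@property (nonatomic, copy) NSData *pinnedCertificate;   // DER bytes of the expected leaf, or nil
@end

@implementation PinnedConnectionDelegate

- (BOOL)connection:(NSURLConnection *)connection
canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace {
    return [protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust];
}

- (void)connection:(NSURLConnection *)connection
didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
        return;
    }

    TrustVerdict verdict = [TrustEvaluator evaluateServerTrust:space.serverTrust
                                                       forHost:space.host
                                             pinnedCertificate:self.pinnedCertificate];
    if (verdict == TrustVerdictTrusted) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:space.serverTrust]
             forAuthenticationChallenge:challenge];
    } else {
        // Fail closed. A recoverable failure is where the post prompts the user; logging it
        // instead gives you something to investigate without training users to click "trust".
        NSLog(@"TLS trust failed for %@ (verdict %ld)", space.host, (long)verdict);
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}

@end
```

The design choice worth noting: SecTrustEvaluate alone answers "does this chain validate to an anchor", but the policy attached to the trust object decides whether the hostname is checked; setting an SSL policy for the dialled host explicitly removes any doubt about that. Keeping the pinned DER bytes optional lets the same helper serve ordinary CA-validated endpoints and the few you want to lock down.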
