Added validatesSecureCertificate property to turn off SSL cert validation for te…

…sting with self-signed certs

Added validatesSecureCertificate property to turn off SSL cert validation for te…
…sting with self-signed certs
Ben Copsey
Commit e81d5707a04634e2436f83897ed2208977112133 e81d5707 1 parent e0588624
Showing 4 changed files with 49 additions and 2 deletions
Classes/ASIHTTPRequest.h
Classes/ASIHTTPRequest.m
Classes/Tests/ASIHTTPRequestTests.h
Classes/Tests/ASIHTTPRequestTests.m
--- a/Classes/ASIHTTPRequest.h
View file @e81d570
+++ b/Classes/ASIHTTPRequest.h
View file @e81d570
@@ -217,6 +217,9 @@ extern NSString* const NetworkRequestErrorDomain;
 	// When YES, requests will automatically redirect when they get a HTTP 30x header (defaults to YES)
 	BOOL shouldRedirect;
+	
+	// When NO, requests will not check the secure certificate is valid (use for self-signed cerficates during development, DO NOT USE IN PRODUCTION) Default is YES
+	BOOL validatesSecureCertificate;
 }
@@ -401,4 +404,5 @@ extern NSString* const NetworkRequestErrorDomain;
 @property (assign) BOOL useHTTPVersionOne;
 @property (assign, readonly) unsigned long long partialDownloadSize;
 @property (assign) BOOL shouldRedirect;
+@property (assign) BOOL validatesSecureCertificate;
 @end
--- a/Classes/ASIHTTPRequest.m
View file @e81d570
+++ b/Classes/ASIHTTPRequest.m
View file @e81d570
@@ -97,6 +97,7 @@ static NSError *ASIUnableToCreateRequestError;
 	[self setTimeOutSeconds:10];
 	[self setUseSessionPersistance:YES];
 	[self setUseCookiePersistance:YES];
+	[self setValidatesSecureCertificate:YES];
 	[self setRequestCookies:[[[NSMutableArray alloc] init] autorelease]];
 	[self setDidFinishSelector:@selector(requestFinished:)];
 	[self setDidFailSelector:@selector(requestFailed:)];
@@ -434,6 +435,11 @@ static NSError *ASIUnableToCreateRequestError;
 	// Tell CFNetwork to automatically redirect for 30x status codes
 	CFReadStreamSetProperty(readStream, kCFStreamPropertyHTTPShouldAutoredirect, [self shouldRedirect] ? kCFBooleanTrue : kCFBooleanFalse);
+	// Tell CFNetwork not to validate SSL certificates
+	if (!validatesSecureCertificate) {
+		CFReadStreamSetProperty(readStream, kCFStreamPropertySSLSettings, [NSMutableDictionary dictionaryWithObject:(NSString *)kCFBooleanFalse forKey:(NSString *)kCFStreamSSLValidatesCertificateChain]); 
+	}
+	
     // Set the client
 	CFStreamClientContext ctxt = {0, self, NULL, NULL, NULL};
     if (!CFReadStreamSetClient(readStream, kNetworkEvents, ReadStreamClientCallBack, &ctxt)) {
@@ -1350,12 +1356,28 @@ static NSError *ASIUnableToCreateRequestError;
 {
 	NSError *underlyingError = [(NSError *)CFReadStreamCopyError(readStream) autorelease];
+	
+	
 	[self cancelLoad];
 	[self setComplete:YES];
 	if (![self error]) { // We may already have handled this error
-		[self failWithError:[NSError errorWithDomain:NetworkRequestErrorDomain code:ASIConnectionFailureErrorType userInfo:[NSDictionary dictionaryWithObjectsAndKeys:@"A connection failure occurred",NSLocalizedDescriptionKey,underlyingError,NSUnderlyingErrorKey,nil]]];
+		
+		NSString *reason = @"A connection failure occurred";
+		
+		// We'll use a custom error message for common SSL errors, but you should always check underlying error if you want more details
+		if ([[underlyingError domain] isEqualToString:NSOSStatusErrorDomain]) {
+			if ([underlyingError code] == errSSLUnknownRootCert) {
+				reason = [NSString stringWithFormat:@"%@: Secure certificate had an untrusted root",reason];
+			} else if ([underlyingError code] == errSSLCertExpired) {
+				reason = [NSString stringWithFormat:@"%@: Secure certificate expired",reason];
+			} else if ([underlyingError code] >= -9807 || [underlyingError code] <= -9818) {
+				reason = [NSString stringWithFormat:@"%@: SSL problem (probably a bad certificate)",reason];
+			}
+		}
+		
+		[self failWithError:[NSError errorWithDomain:NetworkRequestErrorDomain code:ASIConnectionFailureErrorType userInfo:[NSDictionary dictionaryWithObjectsAndKeys:reason,NSLocalizedDescriptionKey,underlyingError,NSUnderlyingErrorKey,nil]]];
 	}
     [super cancel];
 }
@@ -1640,4 +1662,5 @@ static NSError *ASIUnableToCreateRequestError;
 @synthesize authenticationRetryCount;
 @synthesize updatedProgress;
 @synthesize shouldRedirect;
+@synthesize validatesSecureCertificate;
 @end
--- a/Classes/Tests/ASIHTTPRequestTests.h
View file @e81d570
+++ b/Classes/Tests/ASIHTTPRequestTests.h
View file @e81d570
@@ -32,5 +32,5 @@
 - (void)testCharacterEncoding;
 - (void)testCompressedResponse;
 - (void)testCompressedResponseDownloadToFile;
-
+- (void)testSSL;
 @end
--- a/Classes/Tests/ASIHTTPRequestTests.m
View file @e81d570
+++ b/Classes/Tests/ASIHTTPRequestTests.m
View file @e81d570
@@ -616,4 +616,24 @@
 	GHAssertTrue(success,@"Failed to correctly display increment progress for a partial download");
 }
+- (void)testSSL
+{
+	NSURL *url = [NSURL URLWithString:@"https://selfsigned.allseeing-i.com"];
+	ASIHTTPRequest *request = [ASIHTTPRequest requestWithURL:url];
+	[request start];
+	
+	GHAssertNotNil([request error],@"Failed to generate an error for a self-signed certificate");		
+	
+	// Just for testing the request generated a custom error description - don't do this! You should look at the domain / code of the underlyingError in your own programs.
+	BOOL success = ([[[request error] localizedDescription] isEqualToString:@"A connection failure occurred: Secure certificate had an untrusted root"]);
+	GHAssertTrue(success,@"Basic synchronous request failed");
+	
+	// Turn off certificate validation, and try again
+	request = [ASIHTTPRequest requestWithURL:url];
+	[request setValidatesSecureCertificate:NO];
+	[request start];
+	
+	GHAssertNil([request error],@"Failed to accept a self-signed certificate");	
+}
+
 @end