Hello!
I have a quirky situation that I am looking for a solution to. The iOS app I am working on needs to be able to communicate with systems that do not have valid root certs. Furthermore, these systems' addresses will be sent to the user at run time. The use case is that administrators will provide a self-signed certificate (.pem) for the iPhones to download, which will then be used to pass the authentication challenge.
I am fairly new to customizing trust and my understanding is that it is very easy to do it incorrectly and expose the app unintentionally.
Here is our users' expected workflow:
- An administrator creates a public IP server.
- The IP server is then configured with DNS.
- A .pem file that includes a self-signed certificate is created for the new DNS domain.
- The .pem file is distributed to iOS devices to download and enable trust for.
- When they run the app and attempt to establish connection with the server, it will not error with an SSL error.
When I run the app without modification to the URLSessionDelegate method(s) I do get an SSL error.
Curiously, attempting to hit the same address in Safari will not show the insecure warning and proceed without incident.
What is the best way to achieve parity with the Safari use case for our app? Do I need to modify the
urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void)
method to examine the NSURLAuthenticationMethodServerTrust? Maybe there is a way to have the delegate look through all the certs in keychain or something to find a match? What would you advise here?
Sincerely thank you for taking the time to help me, ~Puzzled iOS Dev
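The server-trust handling the question describes, written out as an added example (this is not the poster's code and not an Apple sample): a URLSessionDelegate that accepts exactly the administrator-supplied self-signed certificate(s) and nothing else. The PEM parsing helper, the `PinnedTrustDelegate` type, the `loadPEM` loader and the `pemPath` argument are all assumptions introduced for this example; the Security.framework calls (`SecCertificateCreateWithData`, `SecTrustSetAnchorCertificates`, `SecTrustSetAnchorCertificatesOnly`, `SecTrustEvaluateWithError`) are the real APIs, and they take DER, which is why the PEM text is base64-decoded first.

```swift
import Foundation
import Security

/// Added example: pins URLSession server trust to administrator-supplied
/// self-signed certificates loaded from a PEM file. Assumed type name.
final class PinnedTrustDelegate: NSObject, URLSessionDelegate {
    private let anchors: [SecCertificate]

    /// `pemPath` is an assumption: wherever the downloaded .pem ends up on disk.
    init(pemPath: String) {
        let pemText = (try? String(contentsOfFile: pemPath, encoding: .utf8)) ?? ""
        anchors = PinnedTrustDelegate.certificates(fromPEM: pemText)
    }

    /// PEM is base64 DER between BEGIN/END CERTIFICATE markers; Security.framework
    /// only accepts DER, so each block is decoded into a SecCertificate.
    /// A file with several certificates yields several anchors.
    static func certificates(fromPEM pem: String) -> [SecCertificate] {
        var certs: [SecCertificate] = []
        var inBlock = false
        var base64 = ""
        for line in pem.split(separator: "\n", omittingEmptySubsequences: false) {
            if line.hasPrefix("-----BEGIN CERTIFICATE-----") {
                inBlock = true
                base64 = ""
                continue
            }
            if line.hasPrefix("-----END CERTIFICATE-----") {
                inBlock = false
                if let der = Data(base64Encoded: base64),
                   let cert = SecCertificateCreateWithData(nil, der as CFData) {
                    certs.append(cert)
                }
                continue
            }
            if inBlock {
                base64 += line.trimmingCharacters(in: .whitespacesAndNewlines)
            }
        }
        return certs
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only server-trust challenges are customized; client certificates, HTTP
        // Basic, proxy auth and so on keep the system's default handling.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Refuse rather than silently fall back if no anchor was loaded at all.
        guard !anchors.isEmpty else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Replace the trust store for this evaluation with the admin-supplied
        // certificates only. The SSL policy URLSession attached to `trust` still
        // checks the hostname, so the self-signed cert must carry the server's
        // DNS name in its subjectAltName or evaluation fails here.
        guard SecTrustSetAnchorCertificates(trust, anchors as CFArray) == errSecSuccess,
              SecTrustSetAnchorCertificatesOnly(trust, true) == errSecSuccess else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        var error: CFError?
        if SecTrustEvaluateWithError(trust, &error) {
            // Hand the evaluated trust back as the credential; do not build a
            // URLCredential without evaluating first, that is the classic mistake.
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Do NOT fall through to .performDefaultHandling on failure: that would
            // reintroduce the system roots for hosts the administrator never vouched for.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage (assumed path):
// let session = URLSession(configuration: .default,
//                          delegate: PinnedTrustDelegate(pemPath: "/path/to/admin.pem"),
//                          delegateQueue: nil)
```

Two checks worth keeping in mind with this approach: first, with `SecTrustSetAnchorCertificatesOnly(trust, true)` the system roots are deliberately ignored for that evaluation, so if the same app must also talk to hosts with publicly trusted certificates, decide per host (for example by `challenge.protectionSpace.host`) whether to pin or to use `.performDefaultHandling`. Second, Safari is not subject to App Transport Security while a third-party app is, so the server's TLS configuration (protocol version and cipher suites) must also meet ATS's requirements; the delegate customizes certificate trust, it does not relax those.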