I'm using the macOS native framework to send HTTPS requests (NSURLSession). In order to handle the TLS flow of server-side authentication, I've implemented the didReceiveChallenge callback.
In my special case, my HTTPS request's URL is composed of an IP address instead of a hostname, so I'd like to remove one default check, matching the URL with the server certificate's common name, but keep all the other checks. Perhaps somebody can verify my code?
Thanks.
Is it possible to eliminate this check for specific connections?
UPDATE:
Thanks to the comment below by Larme, I was able to research the topic further and bind the hostname check to a specific URL instead of the IP address.
    // Helper that the posted code calls but does not show; this assumed implementation
    // evaluates the trust object with whatever policies are currently attached to it
    // (SecTrustEvaluateWithError is available from macOS 10.14).
    static BOOL evaluateTrust(SecTrustRef trust) {
        CFErrorRef error = NULL;
        BOOL trusted = SecTrustEvaluateWithError(trust, &error);
        if (error) {
            NSLog(@"Server trust evaluation failed: %@", error);
            CFRelease(error);
        }
        return trusted;
    }

    - (void)URLSession:(NSURLSession *)session
        didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
          completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition,
                                      NSURLCredential *credential))completionHandler {
        // Only server-trust (TLS server certificate) challenges are handled here;
        // compare the NSString constants by value, not by pointer.
        if ([challenge.protectionSpace.authenticationMethod
                isEqualToString:NSURLAuthenticationMethodServerTrust]) {
            // Declared outside the if-block because it is needed again when the
            // credential is built below.
            SecTrustRef trust = challenge.protectionSpace.serverTrust;
            BOOL allow = NO;
            if (URL_IS_IP) {
                // The URL carries an IP literal, so the policy the system attached would
                // compare the certificate's name against that IP. Replace it with an SSL
                // policy for the name the certificate is really issued to; chain, validity
                // period and extended-key-usage checks are still performed.
                SecPolicyRef policy = SecPolicyCreateSSL(true, CFSTR("matchinUrl.com"));
                OSStatus err = SecTrustSetPolicies(trust, policy);
                if (err == errSecSuccess) {
                    allow = evaluateTrust(trust);
                }
                CFRelease(policy);
            } else {
                // Any other URL: evaluate with the policy the system already attached,
                // i.e. the full default check set including the hostname match.
                // (Handing back credentialForTrust: without evaluating would accept
                // the server unconditionally.)
                allow = evaluateTrust(trust);
            }
            if (allow) {
                completionHandler(NSURLSessionAuthChallengeUseCredential,
                                  [NSURLCredential credentialForTrust:trust]);
            } else {
                completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
            }
        } else {
            completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        }
    }
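The following is an added example, not code from the question, showing the same technique in a form that generalizes a little beyond the post: instead of a single `URL_IS_IP` flag and one hard-coded name, the delegate keeps a table of IP literal to expected DNS name and only overrides the name check for connections whose host appears in that table; every other connection is left to the system's full default evaluation. The names `ExpectedHostnameForIP`, `EvaluateServerTrustForHostname` and `IPBoundSessionDelegate`, the IP `203.0.113.10` and the hostname `api.example.invalid` are placeholders I chose for the example, and it assumes macOS 10.14 or later for `SecTrustEvaluateWithError`.

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#include <stdlib.h>

// Constructed sample mapping (placeholder values): IP literal used in the URL ->
// DNS name the server's certificate is actually issued to.
static NSDictionary<NSString *, NSString *> *ExpectedHostnameForIP(void) {
    return @{ @"203.0.113.10" : @"api.example.invalid" };
}

// Evaluates `trust` against a TLS server policy for `hostname`. Everything the
// default evaluation checks apart from the name (chain to a trusted root,
// validity period, serverAuth extended key usage, revocation as configured)
// is still enforced; only the name being matched changes.
static BOOL EvaluateServerTrustForHostname(SecTrustRef trust,
                                           NSString *hostname,
                                           NSError **outError) {
    SecPolicyRef policy = SecPolicyCreateSSL(true, (__bridge CFStringRef)hostname);
    OSStatus status = SecTrustSetPolicies(trust, policy);
    CFRelease(policy);
    if (status != errSecSuccess) {
        if (outError) {
            *outError = [NSError errorWithDomain:NSOSStatusErrorDomain
                                            code:status
                                        userInfo:nil];
        }
        return NO;
    }
    CFErrorRef cfError = NULL;
    BOOL trusted = SecTrustEvaluateWithError(trust, &cfError); // macOS 10.14+
    if (cfError) {
        if (outError) {
            *outError = CFBridgingRelease(cfError); // ownership moves to ARC
        } else {
            CFRelease(cfError);
        }
    }
    return trusted;
}

@interface IPBoundSessionDelegate : NSObject <NSURLSessionDelegate>
@end

@implementation IPBoundSessionDelegate

- (void)URLSession:(NSURLSession *)session
    didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
      completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition,
                                  NSURLCredential *))completionHandler {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }
    // `host` is the host component of the URL being loaded, i.e. the IP literal here.
    NSString *expectedHostname = ExpectedHostnameForIP()[space.host];
    if (expectedHostname == nil) {
        // Not one of the IP-addressed endpoints: leave the full default evaluation,
        // hostname match included, to the system.
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }
    NSError *error = nil;
    if (EvaluateServerTrustForHostname(space.serverTrust, expectedHostname, &error)) {
        completionHandler(NSURLSessionAuthChallengeUseCredential,
                          [NSURLCredential credentialForTrust:space.serverTrust]);
    } else {
        NSLog(@"Rejecting %@ (expected certificate for %@): %@",
              space.host, expectedHostname, error);
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
    }
}

@end

int main(void) {
    @autoreleasepool {
        IPBoundSessionDelegate *delegate = [IPBoundSessionDelegate new];
        NSURLSession *session =
            [NSURLSession sessionWithConfiguration:[NSURLSessionConfiguration ephemeralSessionConfiguration]
                                          delegate:delegate
                                     delegateQueue:nil];
        NSURL *url = [NSURL URLWithString:@"https://203.0.113.10/health"]; // placeholder endpoint
        [[session dataTaskWithURL:url
                completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
                    NSLog(@"finished: %@ %@", response, error);
                    exit(0);
                }] resume];
        [[NSRunLoop mainRunLoop] run];
    }
    return 0;
}
```

Two points worth keeping in mind when adapting this. First, `SecPolicyCreateSSL(true, hostname)` is the right way to swap the name without weakening anything else; using `SecPolicyCreateBasicX509()` instead also drops the name check, but it removes the TLS-specific checks (such as the serverAuth extended key usage) as well, so a certificate never meant for a TLS server would pass. Second, if you control the server, issuing its certificate with the IP in a subjectAltName `iPAddress` entry makes the default evaluation succeed on its own and the override becomes unnecessary. On deployment targets older than 10.14 the same function can call the older `SecTrustEvaluate` and treat `kSecTrustResultUnspecified` and `kSecTrustResultProceed` as success.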