ASIHTTPRequest.validatesSecureCertificate once set to NO can never be reverted #263

Closed
ikarius opened this issue Oct 5, 2011 · 4 comments

Contributor

ikarius commented Oct 5, 2011

Hi all,

Title is self-explanatory.

If 'validatesSecureCertificate' is set to NO once, it can never be reverted, even on new requests.

Tried this test case:

```objc
- (void)testValidateSSLCertificateTwice
{
    NSURL *url = [[[NSURL alloc] initWithString:@"https://someselfsignedurl"] autorelease];
    ASIHTTPRequest *request = [[[ASIHTTPRequest alloc] initWithURL:url] autorelease];
    // Setup one: certificate validation disabled, the request should succeed
    request.validatesSecureCertificate = NO;
    [request startSynchronous];

    BOOL success = [request error] == nil && [request complete];

    GHAssertTrue(success, @"SSL error: should NOT have error");

    request = nil;

    // Setup two: a new request with validation enabled, the self-signed certificate should be rejected
    request = [[[ASIHTTPRequest alloc] initWithURL:url] autorelease];
    request.validatesSecureCertificate = YES;
    [request startSynchronous];

    success = [request error] != nil;

    GHAssertTrue(success, @"SSL error: should have a NSError and no response data");
}
```

This is somehow related to kCFStreamPropertySSLSettings / kCFStreamSSLValidatesCertificateChain that can never be reverted once set to true.

ikarius added a commit to ikarius/asi-http-request that referenced this issue Oct 5, 2011
greenisus added a commit that referenced this issue Oct 5, 2011
ikarius added a commit to ikarius/asi-http-request that referenced this issue Oct 6, 2011
ASIFormDataRequest has a default 'GET' method (should be 'POST' by
default)
greenisus added a commit that referenced this issue Oct 7, 2011

shezban commented Dec 5, 2011

I am facing the same issue even with v1.8.1-61 2011-09-19, which has the code fixes mentioned above in ref "6600374".
Is there any solution for this particular issue?

Thanks


shezban commented Dec 5, 2011

The issue is that the library is not reverting the SSL properties when the user resets validatesSecureCertificate from NO to YES. Although the user is asking for SSL validation, at the OS level the SSL properties are still set not to perform SSL validation [they are set when validatesSecureCertificate is set to NO]. Hence the library is not giving any error with self-signed certificates and validatesSecureCertificate set to YES.

Solution for this is as follows:

```objc
- (void)startRequest
{
    // ... (earlier part of startRequest omitted)

    //
    // Handle SSL certificate settings
    //

    if ([[[[self url] scheme] lowercaseString] isEqualToString:@"https"]) {

        // Tell CFNetwork not to validate SSL certificates
        if (![self validatesSecureCertificate]) {
            // see: http://iphonedevelopment.blogspot.com/2010/05/nsstream-tcp-and-ssl.html

            NSDictionary *sslProperties = [[NSDictionary alloc] initWithObjectsAndKeys:
                                      [NSNumber numberWithBool:YES], kCFStreamSSLAllowsExpiredCertificates,
                                      [NSNumber numberWithBool:YES], kCFStreamSSLAllowsAnyRoot,
                                      [NSNumber numberWithBool:NO],  kCFStreamSSLValidatesCertificateChain,
                                      kCFNull, kCFStreamSSLPeerName,
                                      nil];

            CFReadStreamSetProperty((CFReadStreamRef)[self readStream],
                                    kCFStreamPropertySSLSettings,
                                    (CFTypeRef)sslProperties);
            [sslProperties release];
        }
        /* Need to add this else branch - the following needs to be added to revert the SSL settings */
        else {
            NSDictionary *sslProperties = [[NSDictionary alloc] initWithObjectsAndKeys:
                                      [NSNumber numberWithBool:NO],  kCFStreamSSLAllowsExpiredCertificates,
                                      [NSNumber numberWithBool:NO],  kCFStreamSSLAllowsAnyRoot,
                                      [NSNumber numberWithBool:YES], kCFStreamSSLValidatesCertificateChain,
                                      nil];

            CFReadStreamSetProperty((CFReadStreamRef)[self readStream],
                                    kCFStreamPropertySSLSettings,
                                    (CFTypeRef)sslProperties);
            [sslProperties release];
        }
    }

    // ... (rest of startRequest omitted)
}
```

Thanks
Shivani
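
An added example, not part of the thread or of ASIHTTPRequest: a small Python audit that flags the validation-weakening settings discussed above in Objective-C source, so each place that switches certificate checking off can be reviewed for a matching restore path. The `audit` function and the sample source are constructed for illustration; `setValidatesSecureCertificate:` is assumed as the conventional setter form of the property.

```python
import re

# SSL settings keys from the thread, mapped to the value that weakens validation.
WEAK = {
    "kCFStreamSSLAllowsExpiredCertificates": "YES",
    "kCFStreamSSLAllowsAnyRoot": "YES",
    "kCFStreamSSLValidatesCertificateChain": "NO",
    "kCFStreamSSLPeerName": "kCFNull",  # a null peer name turns off the hostname check
}

# initWithObjectsAndKeys: lists each value first, then its key.
PAIR = re.compile(
    r"(?:\[NSNumber\s+numberWithBool:\s*(YES|NO)\s*\]|(kCFNull))\s*,\s*(kCFStreamSSL\w+)"
)
# Property assignment or setter call that disables validation on a request.
FLAG = re.compile(
    r"\.validatesSecureCertificate\s*=\s*NO\b|setValidatesSecureCertificate:\s*NO\b"
)


def audit(source):
    """Return sorted (line_number, finding) tuples for TLS-weakening settings."""
    findings = []
    for m in PAIR.finditer(source):
        value, key = m.group(1) or m.group(2), m.group(3)
        if WEAK.get(key) == value:
            findings.append((source.count("\n", 0, m.start()) + 1, f"{key} = {value}"))
    for m in FLAG.finditer(source):
        findings.append((source.count("\n", 0, m.start()) + 1,
                         "validatesSecureCertificate = NO"))
    return sorted(findings)


# Constructed sample: both dictionaries from the thread plus two request setups.
SAMPLE = """\
request.validatesSecureCertificate = NO;
NSDictionary *off = [[NSDictionary alloc] initWithObjectsAndKeys:
    [NSNumber numberWithBool:YES], kCFStreamSSLAllowsExpiredCertificates,
    [NSNumber numberWithBool:YES], kCFStreamSSLAllowsAnyRoot,
    [NSNumber numberWithBool:NO],  kCFStreamSSLValidatesCertificateChain,
    kCFNull,kCFStreamSSLPeerName,
    nil];
NSDictionary *on = [[NSDictionary alloc] initWithObjectsAndKeys:
    [NSNumber numberWithBool:NO], kCFStreamSSLAllowsExpiredCertificates,
    [NSNumber numberWithBool:NO], kCFStreamSSLAllowsAnyRoot,
    [NSNumber numberWithBool:YES], kCFStreamSSLValidatesCertificateChain,
    nil];
request.validatesSecureCertificate = YES;
"""

if __name__ == "__main__":
    for line, finding in audit(SAMPLE):
        print(f"line {line}: {finding}")
```

Only the first dictionary and the `= NO` assignment are reported; the restoring dictionary and the `= YES` assignment pass cleanly.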

Contributor Author

ikarius commented Dec 5, 2011

Hi Shivani,

A patch (merely identical to your code) has already been submitted and merged.

jogu added a commit that referenced this issue Jan 13, 2012
Fixes dictionary memory leak when certificate checking is disabled. Refs #263.

Problem was introduced in commit:6600374880762608baed7e632bce73d45666768b.
Collaborator

jogu commented Jan 14, 2012

Closing based on ikarius's comment

@jogu jogu closed this as completed Jan 14, 2012