Self signed SSL certificate with iOS

This topic is 674 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

If you intended to correct an error in the post then please contact us.

I want to connect to my LAMP server (http://www.gamedev.net/topic/674296-mysqlphp-on-amazon-aws-or-alternative/page-1#entry5268738) from my iOS game by SSL.

 

Some questions:

  • Will a self signed SSL certificate do? I read somewhere on stackoverflow that self signed certificates were unsafe. Are they really unsafe in my case, where I'm in control of both the server and the iOS client? 
  • Is it ok to use a self signed certificate in this way, or will my app be rejected by Apple?
  • A self signed certificate renders a warning on the client side. Will that warning lead to troubles with NSURLSession?

First: The solution you want to use is this:

https://letsencrypt.org/

If you stop here, and go use that, you're good.


Second, to answer the questions:

Will a self signed SSL certificate do?


Perhaps. If you embed your own copy of openssl, yes, you can tell it to use your own certificate. Then you have to use your own HTTPS code; you can't use the built-in library.

Another option is to install the root certificate you used to generate the signing certificate that you used to generate your own certificate into the root certificate store of the phone. This is not simple and puts up annoying warnings to the user.
 

Is it ok to use a self signed certificate in this way, or will my app be rejected by Apple?


If you go with option 1, then Apple won't reject it. If you do the second thing, I'm not so sure. Enterprises do this kind of thing to their employees' phones, but that may be under the "enterprise" option of the app store, rather than the "general availability."
 

A self signed certificate renders a warning on the client side.


That warning is generated by the Safari browser, not by the OS. The browser may use the NSURLSession class callbacks to implement this warning. See the documentation:
 

When a server requests authentication or provides credentials during TLS negotiation, the URL session calls methods on its delegate, allowing you to handle the authentication or certificate validation in a custom manner.


You can presumably do the right thing by handling enough of the following methods:

https://developer.apple.com/library/ios/documentation/Foundation/Reference/NSURLSession_class/


That seems like it defeats a bit of the purpose, though -- if you're not going to verify that the SSL connection is not tampered with, then what benefit is using SSL giving you?

Edited by hplus0603
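One way to handle the NSURLSession delegate callback mentioned in the reply above while still verifying the server, shown as an added example that is not part of the original thread: the app bundles a DER copy of its own self-signed certificate and trusts only that certificate. The class name and the `server.der` resource name are assumptions, and `SecTrustEvaluateWithError` requires iOS 12 or later.

```swift
import Foundation
import Security

// Added example, not code from the thread. Accepts the TLS connection only if
// the server's chain validates against the certificate shipped inside the app.
final class PinnedCertificateDelegate: NSObject, URLSessionDelegate {
    private let pinnedCertData: Data

    // resourceName is hypothetical: a DER-encoded copy of the server's
    // self-signed certificate added to the app bundle, e.g. "server.der".
    init?(resourceName: String, bundle: Bundle = .main) {
        guard let url = bundle.url(forResource: resourceName, withExtension: "der"),
              let data = try? Data(contentsOf: url) else { return nil }
        pinnedCertData = data
        super.init()
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition,
                                                  URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = space.serverTrust,
              let pinned = SecCertificateCreateWithData(nil, pinnedCertData as CFData),
              // Replace the system roots with the bundled certificate only.
              SecTrustSetAnchorCertificates(trust, [pinned] as CFArray) == errSecSuccess,
              SecTrustSetAnchorCertificatesOnly(trust, true) == errSecSuccess,
              // Keep hostname checking: the certificate must match the host.
              SecTrustSetPolicies(trust,
                  SecPolicyCreateSSL(true, space.host as CFString)) == errSecSuccess
        else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        var error: CFError?
        if SecTrustEvaluateWithError(trust, &error) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Unknown certificate, expired certificate or hostname mismatch.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage: URLSession(configuration: .default,
//                   delegate: PinnedCertificateDelegate(resourceName: "server"),
//                   delegateQueue: nil)
```

Because every failure path cancels the challenge, a connection presenting any other certificate is refused rather than silently accepted, which keeps the tamper protection the reply asks about.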

If you go to startssl.com you can get a properly recognised ssl certificate for free. It isn't one of these strange community regulated things like cacert, and is a proper certificate authority.

The downside is if you need it revoked there is a nominal charge.

Full disclosure: I paid a membership fee which is optional, to get unlimited wildcards and code signing certs for a year. This is very cheap and well worth it btw.

Hope this helps!

Edit: letsencrypt looks very interesting hplus, I am going to read up on it later, thanks! :D

