Function

SSLSetAllowsAnyRoot

Specifies whether root certificates from unrecognized certification authorities are allowed.

Declaration

OSStatus SSLSetAllowsAnyRoot(SSLContextRef context, Boolean anyRoot);

Parameters

context

An SSL session context reference.

anyRoot

A Boolean flag specifying whether root certificates from unrecognized certification authorities (CAs) are allowed. The default for this flag is false, specifying that roots from unrecognized CAs are not allowed.

Return Value

A result code. See Secure Transport Result Codes.

Discussion

The system maintains a set of root certificates signed by known, trusted root CAs. When the anyRoot flag is true, Secure Transport does not return an error if one of the following two conditions occurs:

  • The peer returns a certificate chain with a root certificate, and the chain verifies to that root, but the CA for the root certificate is not one of the known, trusted root CAs. This results in an errSSLUnknownRootCert result code when the anyRoot flag is false.

  • The peer returns a certificate chain that does not contain a root certificate, and the server can’t verify the chain to one of the trusted root certificates. This results in an errSSLNoRootCert result code when the anyRoot flag is false.

Both of these error conditions are ignored when the anyRoot flag is true, allowing connection to a peer for which trust could not be established.

If you use this function to allow an untrusted root to be used for validation of a certificate—for example, after prompting the user for permission to do so—remember to set the anyRoot Boolean value back to false. If you don’t, any random root certificate can be used for signing a certificate chain. To add a certificate to the list of trusted roots, use the SecTrustSetAnchorCertificates function.
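The following simulation, added here and not part of Apple's documentation or the Security framework, models the root-trust decision that the Discussion describes so that both error conditions and the effect of the anyRoot flag can be exercised without a Secure Transport session. It assumes that signature and hostname checks have already passed and decides only whether the chain reaches a trusted root; the struct sim_context stands in for SSLContextRef, sim_add_anchor stands in for SecTrustSetAnchorCertificates, the certificate chains are constructed, and the numeric values of the errSSL* codes are stand-ins rather than the real ones from SecureTransport.h.

```c
/* Simulation of the root-trust decision described in the Discussion above.
 * Added example, not Apple's code: it makes no Secure Transport calls and
 * models only the root-trust outcome, assuming signature and hostname
 * checks have already passed. The errSSL* names match SecureTransport.h,
 * but the numeric values below are stand-ins for this simulation. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum {
    errSecSuccess         = 0,
    errSSLUnknownRootCert = -9001,  /* stand-in value */
    errSSLNoRootCert      = -9002   /* stand-in value */
};

/* A certificate reduced to the two names the trust decision needs. */
struct sim_cert { const char *subject; const char *issuer; };

#define MAX_ANCHORS 8
/* Stand-in for SSLContextRef: the anyRoot flag plus the trusted roots. */
struct sim_context {
    bool allowsAnyRoot;                /* default false, as documented */
    const char *anchors[MAX_ANCHORS];  /* names of trusted root CAs */
    size_t anchorCount;
};

static void sim_context_init(struct sim_context *ctx) {
    memset(ctx, 0, sizeof *ctx);
    ctx->anchors[ctx->anchorCount++] = "Public Root";  /* constructed system root */
}

/* Mirrors SSLSetAllowsAnyRoot(context, anyRoot). */
static void sim_set_allows_any_root(struct sim_context *ctx, bool anyRoot) {
    ctx->allowsAnyRoot = anyRoot;
}

/* Mirrors adding a trusted root with SecTrustSetAnchorCertificates. */
static bool sim_add_anchor(struct sim_context *ctx, const char *rootName) {
    if (ctx->anchorCount >= MAX_ANCHORS) return false;
    ctx->anchors[ctx->anchorCount++] = rootName;
    return true;
}

static bool sim_is_anchor(const struct sim_context *ctx, const char *name) {
    for (size_t i = 0; i < ctx->anchorCount; i++)
        if (strcmp(ctx->anchors[i], name) == 0) return true;
    return false;
}

/* Evaluates a peer chain ordered leaf first and returns the result code
 * the Discussion gives for each of its two conditions. */
static int sim_evaluate_chain(const struct sim_context *ctx,
                              const struct sim_cert *chain, size_t n) {
    const struct sim_cert *last = &chain[n - 1];
    int failure;
    if (strcmp(last->subject, last->issuer) == 0) {      /* self-signed root sent */
        if (sim_is_anchor(ctx, last->subject)) return errSecSuccess;
        failure = errSSLUnknownRootCert;  /* condition 1: root present, CA unknown */
    } else {                                              /* no root in the chain */
        if (sim_is_anchor(ctx, last->issuer)) return errSecSuccess;
        failure = errSSLNoRootCert;       /* condition 2: cannot reach a trusted root */
    }
    return ctx->allowsAnyRoot ? errSecSuccess : failure;  /* anyRoot masks both */
}

/* Constructed sample chains; no real certificates are involved. */
static const struct sim_cert kChainUnknownRoot[] = {
    {"leaf.example.test", "Corp CA"}, {"Corp CA", "Corp CA"} };
static const struct sim_cert kChainNoRoot[]     = { {"leaf.example.test", "Corp CA"} };
static const struct sim_cert kChainPublicRoot[] = { {"leaf.example.test", "Public Root"} };
#define COUNT(a) (sizeof (a) / sizeof (a)[0])

/* Default flag: both conditions are reported; a chain to a known root passes. */
int demo_default_unknown_root(void) {
    struct sim_context ctx; sim_context_init(&ctx);
    return sim_evaluate_chain(&ctx, kChainUnknownRoot, COUNT(kChainUnknownRoot));
}
int demo_default_no_root(void) {
    struct sim_context ctx; sim_context_init(&ctx);
    return sim_evaluate_chain(&ctx, kChainNoRoot, COUNT(kChainNoRoot));
}
int demo_default_public_root(void) {
    struct sim_context ctx; sim_context_init(&ctx);
    return sim_evaluate_chain(&ctx, kChainPublicRoot, COUNT(kChainPublicRoot));
}

/* anyRoot enabled for one evaluation and then reset, as the Discussion
 * requires. Returns 1 when the unknown root was accepted and the flag is
 * false again afterwards. */
int demo_temporary_any_root(void) {
    struct sim_context ctx; sim_context_init(&ctx);
    sim_set_allows_any_root(&ctx, true);
    int rc = sim_evaluate_chain(&ctx, kChainUnknownRoot, COUNT(kChainUnknownRoot));
    sim_set_allows_any_root(&ctx, false);  /* without this, every root is accepted */
    return rc == errSecSuccess && !ctx.allowsAnyRoot;
}

/* Preferred alternative: trust that specific root as an anchor instead. */
int demo_anchor_instead(void) {
    struct sim_context ctx; sim_context_init(&ctx);
    sim_add_anchor(&ctx, "Corp CA");
    return sim_evaluate_chain(&ctx, kChainUnknownRoot, COUNT(kChainUnknownRoot));
}

int main(void) {
    printf("default/unknown root: %d\n", demo_default_unknown_root());
    printf("default/no root     : %d\n", demo_default_no_root());
    printf("temporary anyRoot ok: %d\n", demo_temporary_any_root());
    printf("anchor instead      : %d\n", demo_anchor_instead());
    return 0;
}
```

The two demo_default_* functions reproduce the errSSLUnknownRootCert and errSSLNoRootCert outcomes for the default flag value, demo_temporary_any_root shows the reset that the Discussion asks for, and demo_anchor_instead shows that adding the root to the trusted set lets the same chain pass while anyRoot stays false, which is the narrower fix the Discussion points to.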

See Also

Legacy Operations

SSLNewContext

Creates a new Secure Sockets Layer (SSL) session context.

Deprecated

SSLDisposeContext

Disposes of a Secure Sockets Layer (SSL) session context.

Deprecated

SSLSetProtocolVersionEnabled

Sets the allowed Secure Sockets Layer (SSL) protocol versions.

Deprecated

SSLGetProtocolVersionEnabled

Retrieves the enabled status of a given protocol.

Deprecated

SSLSetRsaBlinding

Enables or disables RSA blinding.

Deprecated

SSLGetRsaBlinding

Obtains a value indicating whether RSA blinding is enabled.

Deprecated

SSLSetProtocolVersion

Sets the SSL protocol version.

Deprecated

SSLGetProtocolVersion

Gets the SSL protocol version.

Deprecated

SSLGetAllowsAnyRoot

Obtains a value specifying whether an unknown root is allowed.

Deprecated

SSLSetAllowsExpiredRoots

Specifies whether expired root certificates are allowed.

Deprecated

SSLGetAllowsExpiredRoots

Retrieves the value indicating whether expired roots are allowed.

Deprecated

SSLSetTrustedRoots

Augments or replaces the default set of trusted root certificates for this session.

Deprecated

SSLCopyTrustedRoots

Retrieves the current list of trusted root certificates.

Deprecated

SSLSetAllowsExpiredCerts

Specifies whether certificate expiration times are ignored.

Deprecated

SSLGetAllowsExpiredCerts

Retrieves the value specifying whether expired certificates are allowed.

Deprecated

SSLSetEnableCertVerify

Enables or disables peer certificate chain validation.

Deprecated

SSLGetEnableCertVerify

Determines whether peer certificate chain validation is currently enabled.

Deprecated

SSLSetEncryptionCertificate

Specifies the encryption certificates used for this connection.

Deprecated

SSLCopyPeerCertificates

Retrieves a peer certificate and its certificate chain.

Deprecated