push serverTrust from NSURLProtocol to NSURLSessionDelegate

Hi,


I am implementing an NSURLProtocol subclass that really handles its own protocol using NSInputStream/NSOutputStream instances inside. It's not just wrapping HTTP. Additionally, I need to cope with self-signed certificates. So I have the serverTrust object at hand, resulting from the TLS handshake done for me by NSStream. Now I would like to call [NSURLProtocolClient URLProtocol:didReceiveAuthenticationChallenge:] from "inside" the NSURLSession machinery such that the NSURLSessionDelegate implementation "outside" can do the certificate- / public-key-pinning as we all know and love from HTTPS connections using NSURLSession.


Alas, there is no [NSURLProtectionSpace initWithServerTrust:] 😟


At the end I want the NSURLSessionDelegate to do the [challenge.protectionSpace serverTrust] boogie, but that seems to be impossible when using NSURLSession subclasses. What am I missing?


Thanks!

This is not possible. The fundamental problem is that there’s no equivalent to -connection:canAuthenticateAgainstProtectionSpace: in NSURLProtocolClient. That’s required because NSURLConnection delegates are not expecting to be sent arbitrary challenges via -connection:didReceiveAuthenticationChallenge:; for anything except simple user name and password challenges, they have to opt in via -connection:canAuthenticateAgainstProtectionSpace:.

I called out this limitation in the read me of the CustomHTTPProtocol sample code.

Having said that, this usually isn’t a problem because either you control the client (that is, the NSURLConnection delegate) or you don’t. If you do, you can use some private handshake to get at the authentication challenges. If you don’t, then sending them arbitrary challenges isn’t going to do anything useful anyway.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
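
One shape the "private handshake" mentioned in the answer could take, as an added Objective-C example that is not from the thread or from Apple's sample code: the session delegate exposes a single pinning routine, used both for ordinary server-trust challenges and for the trust object the protocol pulls off its stream. StreamTrustEvaluating, PinningDelegate and StreamPeerIsTrusted are hypothetical names, ARC is assumed, and pinning by anchoring on the server's self-signed certificate is this example's choice.

```objective-c
#import <Foundation/Foundation.h>
#import <CFNetwork/CFNetwork.h>
#import <Security/Security.h>

// Hypothetical private handshake between the protocol and the app; not an Apple API.
@protocol StreamTrustEvaluating <NSObject>
- (BOOL)shouldTrustServer:(SecTrustRef)trust;
@end

// Hypothetical session delegate: one pinning routine serves both paths.
@interface PinningDelegate : NSObject <NSURLSessionDelegate, StreamTrustEvaluating>
- (instancetype)initWithPinnedCertificateDER:(NSData *)der;
@end

@implementation PinningDelegate {
    SecCertificateRef _pinned;   // the server's self-signed certificate
}
- (instancetype)initWithPinnedCertificateDER:(NSData *)der {
    if ((self = [super init])) {
        _pinned = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)der);
        if (_pinned == NULL) return nil;   // input was not a DER certificate
    }
    return self;
}
- (void)dealloc { if (_pinned) CFRelease(_pinned); }

// Trust only chains that terminate at the pinned certificate; fail closed.
- (BOOL)shouldTrustServer:(SecTrustRef)trust {
    if (trust == NULL) return NO;
    NSArray *anchors = @[ (__bridge id)_pinned ];
    if (SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors) != errSecSuccess) return NO;
    if (SecTrustSetAnchorCertificatesOnly(trust, true) != errSecSuccess) return NO;
    return SecTrustEvaluateWithError(trust, NULL);
}
// Path 1: ordinary HTTPS tasks, where NSURLSession delivers the challenge itself.
- (void)URLSession:(NSURLSession *)session didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
    } else if ([self shouldTrustServer:space.serverTrust]) {
        completionHandler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:space.serverTrust]);
    } else {
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
    }
}
@end
// Path 2: called by the NSURLProtocol subclass after the TLS handshake and
// before any application data is written; close the streams when it returns NO.
static BOOL StreamPeerIsTrusted(NSStream *stream, id<StreamTrustEvaluating> evaluator) {
    SecTrustRef trust = (__bridge SecTrustRef)[stream propertyForKey:(__bridge NSString *)kCFStreamPropertySSLPeerTrust];
    return evaluator != nil && [evaluator shouldTrustServer:trust];
}
```

How the protocol instance gets hold of the evaluator (for example a class-level setter on the NSURLProtocol subclass) is up to the app, since the protocol has no route to the session delegate through NSURLProtocolClient.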