
Untrusted certificate error for NSURLSession not working with Custom protocol in iOS 10

I use an NSURLSession in an NSURLProtocol for catching some traffic and channeling it through a proxy for UIWebView. When I browse an HTTPS site that has an invalid certificate, UIWebView fails with:

Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “revoked.grc.com” which could put your confidential information at risk." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSErrorFailingURLKey=, NSErrorFailingURLStringKey=, NSErrorPeerCertificateChainKey=( "", "" ), NSErrorClientCertificateStateKey=0, NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “revoked.grc.com” which could put your confidential information at risk., _kCFStreamErrorDomainKey=3, NSUnderlyingError=0x170255420 {Error Domain=kCFErrorDomainCFNetwork Code=-1202 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=, _kCFNetworkCFStreamSSLErrorOriginalValue=-9807, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9807, kCFStreamPropertySSLPeerCertificates=( "", "" )}}, _kCFStreamErrorCodeKey=-9807}

in iOS 9 and below but in iOS 10 it gives the following error:

Error Domain=kCFErrorDomainCFNetwork Code=310 "There was a problem communicating with the secure web proxy server (HTTPS)." UserInfo={NSErrorFailingURLStringKey=, NSErrorFailingURLKey=, _kCFStreamErrorCodeKey=-2096, _kCFStreamErrorDomainKey=4, NSLocalizedRecoverySuggestion=Please check your proxy settings. For help with this problem, contact your system administrator., NSLocalizedDescription=There was a problem communicating with the secure web proxy server (HTTPS).}

So in iOS 10 I am not able to figure out a way to handle untrusted sites that pass through the proxy. If I browse a site with an invalid certificate without a proxy in NSURLProtocol (i.e. NSURLSession), then it also works fine in iOS 10.

Implementation of didReceiveChallenge delegate method.

    AppDelegate *appDelegate = (AppDelegate *)[UIApplication sharedApplication].delegate;

    if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        SecTrustRef trust = [[challenge protectionSpace] serverTrust];
        // The leaf (server) certificate is at index 0 of the presented chain.
        SecCertificateRef cert = SecTrustGetCertificateAtIndex(trust, 0);
        // Accept the connection only if this certificate is in the app's store.
        if ([[appDelegate certStore] containsCertificate:cert]) {
            completionHandler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:trust]);
            return;
        }
    }
    // Everything else gets the system's default handling.
    completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);

user1878752 asked Oct 30 '22 20:10
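
The handler in the question trusts a stored certificate without tying it to the host that presented it. A host-bound variant follows as an added example (not the asker's code); `CertExceptionStore`, its methods and `HandleChallenge` are hypothetical names, and it assumes an exception is recorded per host and port at the moment the user accepts a certificate.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <CommonCrypto/CommonDigest.h>
// Hypothetical exception store: maps "host:port" to the SHA-256 of the one
// leaf certificate the user accepted for that endpoint.
@interface CertExceptionStore : NSObject
- (void)allow:(SecCertificateRef)cert host:(NSString *)host port:(NSInteger)port;
- (BOOL)isAllowed:(SecCertificateRef)cert host:(NSString *)host port:(NSInteger)port;
@end

@implementation CertExceptionStore {
    NSMutableDictionary<NSString *, NSData *> *_pins;
}
static NSData *Digest(SecCertificateRef cert) {
    NSData *der = CFBridgingRelease(SecCertificateCopyData(cert));
    unsigned char md[CC_SHA256_DIGEST_LENGTH];
    CC_SHA256(der.bytes, (CC_LONG)der.length, md);
    return [NSData dataWithBytes:md length:sizeof(md)];
}
static NSString *Key(NSString *host, NSInteger port) {
    return [NSString stringWithFormat:@"%@:%ld", host.lowercaseString, (long)port];
}
- (instancetype)init {
    if ((self = [super init])) { _pins = [NSMutableDictionary dictionary]; }
    return self;
}
- (void)allow:(SecCertificateRef)cert host:(NSString *)host port:(NSInteger)port {
    _pins[Key(host, port)] = Digest(cert);
}
- (BOOL)isAllowed:(SecCertificateRef)cert host:(NSString *)host port:(NSInteger)port {
    NSData *pin = _pins[Key(host, port)];
    return pin != nil && [pin isEqualToData:Digest(cert)];
}
@end

// Call from the didReceiveChallenge delegate method with its own arguments.
static void HandleChallenge(NSURLAuthenticationChallenge *challenge, CertExceptionStore *store,
        void (^completionHandler)(NSURLSessionAuthChallengeDisposition, NSURLCredential *)) {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    SecTrustRef trust = space.serverTrust;
    if ([space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]
            && trust != NULL && SecTrustGetCertificateCount(trust) > 0) {
        SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
        // The override applies only to the endpoint the certificate was accepted for.
        if ([store isAllowed:leaf host:space.host port:space.port]) {
            completionHandler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:trust]);
            return;
        }
    }
    // Any other host, certificate or challenge type falls back to normal validation.
    completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
}
```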


1 Answer

You will get error code 310 if the underlying request accesses a certificate via proxy on iOS 10, which means it's not secure to issue an HTTP request to get certificates via proxy. This happens when iOS needs to get or update an intermediate certificate; a standalone process, securityd, issues the request.

You should make the cert request go without proxy by:

  • Temporarily turning off the proxy
  • Or marking any request that ends with .crt as not using the proxy

Then you should get the right certificate and the code will continue to run.

janlay answered Jan 02 '23 20:01