
HTTPS (Non-SNI) Scenario
Last updated: 2025-09-05 17:52:26

Principles

During certificate verification, substitute the original domain name for the IP address and verify the server certificate against that domain name.

Demo Example

NSURLSession API Example

#pragma mark - NSURLSessionDelegate
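/// Evaluates `serverTrust` against `domain` instead of the host in the request URL.
///
/// In the HTTPDNS non-SNI scenario the URL host is an IP address, so the SSL policy
/// has to be built from the original domain name; otherwise hostname verification
/// would be performed against the IP and fail.
///
/// @param serverTrust The trust object taken from the challenge's protection space.
///                    NULL is rejected.
/// @param domain      The original domain name. When nil, only basic X.509 chain
///                    validation is performed and there is NO hostname binding, so
///                    callers should always supply it.
/// @return YES when the trust evaluates to proceed/unspecified, NO otherwise
///         (including when a policy cannot be set or evaluation itself errors).
- (BOOL)evaluateServerTrust:(SecTrustRef)serverTrust forDomain:(NSString *)domain {
    if (serverTrust == NULL) {
        return NO;
    }

    // Build the validation policy: SSL with hostname check when a domain is known,
    // otherwise basic X.509 (chain only, no hostname check).
    NSMutableArray *policies = [NSMutableArray array];
    if (domain) {
        [policies addObject:(__bridge_transfer id)SecPolicyCreateSSL(true, (__bridge CFStringRef)domain)];
    } else {
        [policies addObject:(__bridge_transfer id)SecPolicyCreateBasicX509()];
    }

    // Bind the policy to the server trust; fail closed if that does not succeed,
    // since evaluating with the wrong policy would not check the original domain.
    if (SecTrustSetPolicies(serverTrust, (__bridge CFArrayRef)policies) != errSecSuccess) {
        return NO;
    }

    // Evaluate whether serverTrust is trusted. SecTrustEvaluateWithError replaces
    // SecTrustEvaluate (deprecated since iOS 12 / macOS 10.14); both treat
    // kSecTrustResultUnspecified and kSecTrustResultProceed as trusted, per TN2232:
    // https://developer.apple.com/library/ios/technotes/tn2232/_index.html
    // For details on SecTrustResultType, see SecTrust.h.
    if (@available(iOS 12.0, macOS 10.14, tvOS 12.0, watchOS 5.0, *)) {
        return SecTrustEvaluateWithError(serverTrust, NULL) ? YES : NO;
    }

    // Initialise the result so a failed evaluation call cannot leave it undefined.
    SecTrustResultType result = kSecTrustResultInvalid;
    if (SecTrustEvaluate(serverTrust, &result) != errSecSuccess) {
        return NO;
    }
    return (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);
}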

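/// Handles task-level authentication challenges for the HTTPDNS (non-SNI) case.
///
/// The request URL host is an IP address, so server trust is evaluated against the
/// original domain carried in the `Host` header. Challenges that are not server-trust
/// challenges are left to the system's default handling.
///
/// @param session           The session that issued the challenge.
/// @param task              The task that received the challenge.
/// @param challenge         The authentication challenge.
/// @param completionHandler Block that must be invoked exactly once with the disposition.
- (void)URLSession:(NSURLSession *)session task:(NSURLSessionTask *)task didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential * __nullable credential))completionHandler {
    if (!completionHandler) {
        return;
    }
    if (!challenge) {
        // The handler must still be called, otherwise the task never completes.
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }

    // Recover the original domain name. valueForHTTPHeaderField: matches header names
    // case-insensitively, so a header set as "Host" or "host" is found either way;
    // a plain dictionary lookup would miss the capitalised form and silently fall back
    // to the IP host. Fall back to the URL host only when no header is present.
    NSString *host = [self.request valueForHTTPHeaderField:@"Host"];
    if (!host) {
        host = self.request.URL.host;
    }

    if (![challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        // Not a server-trust challenge (e.g. HTTP auth, client certificate): default handling.
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }

    SecTrustRef serverTrust = challenge.protectionSpace.serverTrust;
    if ([self evaluateServerTrust:serverTrust forDomain:host]) {
        completionHandler(NSURLSessionAuthChallengeUseCredential,
                          [NSURLCredential credentialForTrust:serverTrust]);
    } else {
        // Fail closed: the certificate did not validate for the original domain.
        // Deferring to default handling would re-evaluate against the IP host, which is
        // not the identity this request is meant to reach; cancelling matches the
        // NSURLConnection variant of this delegate.
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
    }
}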

NSURLConnection API Example

#pragma mark - NSURLConnectionDelegate
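/// Evaluates `serverTrust` against `domain` instead of the host in the request URL.
///
/// In the HTTPDNS non-SNI scenario the URL host is an IP address, so the SSL policy
/// has to be built from the original domain name; otherwise hostname verification
/// would be performed against the IP and fail.
///
/// @param serverTrust The trust object taken from the challenge's protection space.
///                    NULL is rejected.
/// @param domain      The original domain name. When nil, only basic X.509 chain
///                    validation is performed and there is NO hostname binding, so
///                    callers should always supply it.
/// @return YES when the trust evaluates to proceed/unspecified, NO otherwise
///         (including when a policy cannot be set or evaluation itself errors).
- (BOOL)evaluateServerTrust:(SecTrustRef)serverTrust forDomain:(NSString *)domain {
    if (serverTrust == NULL) {
        return NO;
    }

    // Build the validation policy: SSL with hostname check when a domain is known,
    // otherwise basic X.509 (chain only, no hostname check).
    NSMutableArray *policies = [NSMutableArray array];
    if (domain) {
        [policies addObject:(__bridge_transfer id)SecPolicyCreateSSL(true, (__bridge CFStringRef)domain)];
    } else {
        [policies addObject:(__bridge_transfer id)SecPolicyCreateBasicX509()];
    }

    // Bind the policy to the server trust; fail closed if that does not succeed,
    // since evaluating with the wrong policy would not check the original domain.
    if (SecTrustSetPolicies(serverTrust, (__bridge CFArrayRef)policies) != errSecSuccess) {
        return NO;
    }

    // Evaluate whether serverTrust is trusted. SecTrustEvaluateWithError replaces
    // SecTrustEvaluate (deprecated since iOS 12 / macOS 10.14); both treat
    // kSecTrustResultUnspecified and kSecTrustResultProceed as trusted, per TN2232:
    // https://developer.apple.com/library/ios/technotes/tn2232/_index.html
    // For details on SecTrustResultType, see SecTrust.h.
    if (@available(iOS 12.0, macOS 10.14, tvOS 12.0, watchOS 5.0, *)) {
        return SecTrustEvaluateWithError(serverTrust, NULL) ? YES : NO;
    }

    // Initialise the result so a failed evaluation call cannot leave it undefined.
    SecTrustResultType result = kSecTrustResultInvalid;
    if (SecTrustEvaluate(serverTrust, &result) != errSecSuccess) {
        return NO;
    }
    return (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);
}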

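/// Handles authentication challenges for an NSURLConnection in the HTTPDNS (non-SNI) case.
///
/// NSURLConnection is deprecated in favour of NSURLSession; the logic here mirrors the
/// session delegate: evaluate server trust against the original domain from the `Host`
/// header, use the credential on success, cancel on failure, and let other challenge
/// types proceed without a credential.
///
/// @param connection The connection that received the challenge.
/// @param challenge  The authentication challenge, answered through its sender.
- (void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    if (!challenge) {
        return;
    }

    // With HTTPDNS the URL host is an IP address, so the real domain comes from the HTTP
    // Host header. valueForHTTPHeaderField: matches case-insensitively; a plain dictionary
    // lookup of "host" would miss a header set as "Host" and silently fall back to the IP.
    NSString *host = [self.request valueForHTTPHeaderField:@"Host"];
    if (!host) {
        host = self.request.URL.host;
    }

    id<NSURLAuthenticationChallengeSender> sender = challenge.sender;

    // Only server-trust challenges (the TLS handshake) get the custom evaluation;
    // every other authentication method continues on the default path.
    if (![challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        [sender continueWithoutCredentialForAuthenticationChallenge:challenge];
        return;
    }

    SecTrustRef serverTrust = challenge.protectionSpace.serverTrust;
    if ([self evaluateServerTrust:serverTrust forDomain:host]) {
        // Trusted for the original domain: hand the credential back to the initiator.
        NSURLCredential *credential = [NSURLCredential credentialForTrust:serverTrust];
        [sender useCredential:credential forAuthenticationChallenge:challenge];
    } else {
        // Verification failed: cancel so the connection does not proceed over an
        // unverified TLS session.
        [sender cancelAuthenticationChallenge:challenge];
    }
}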

Unity WWW API Example

Export the Unity project as an Xcode project, open the Classes/Unity/WWWConnection.mm file, and change the following lines:
// Original setting in WWWConnection.mm: the standard WWW connection delegate is selected.
//const char* WWWDelegateClassName = "UnityWWWConnectionSelfSignedCertDelegate";
const char* WWWDelegateClassName = "UnityWWWConnectionDelegate";
changed to
// NOTE(review): judging by its name, this delegate appears to relax certificate
// validation (self-signed certificates). Before relying on it, confirm how it evaluates
// server trust — the hostname binding to the original domain is what protects an
// IP-addressed HTTPDNS request. TODO confirm against the delegate's implementation.
const char* WWWDelegateClassName = "UnityWWWConnectionSelfSignedCertDelegate";
//const char* WWWDelegateClassName = "UnityWWWConnectionDelegate";
