Open ehren opened 8 years ago
@ehren thanks for the detailed write up. If this is something you are blocked on then using the projected APIs (or WRL just like in foundation) may be your best bets. We do need to think through what is the right way to expose the windows extensions from NSURL*, will look into this discuss with the team on where we can place this in our road map.
It would be nice if the standard iOS APIs could be used for supporting client certificates and for finer grained control of server certificate chain validation.
Here's an incomplete NSURLSessionDelegate example showing providing of a client certificate:
However, looking a little at
https://msdn.microsoft.com/en-us/library/windows/apps/windows.web.http.httpclient.aspx and https://msdn.microsoft.com/en-us/library/windows.web.http.filters.httpbaseprotocolfilter.aspx
plus their use in Foundation/NSURLProtocol_WinHTTP.mm
it appears there's some mismatch between the iOS and Windows APIs that would make supporting these iOS APIs difficult.
My usecases are to
1) provide a client cert
2) ignore invalid hostname chain validation errors of the server cert but otherwise perform a complete chain validation.
For example, an invalid hostname in the server cert can be ignored in iOS at challenge time by implementing the didReceiveChallenge: delegate method
On windows, one can ignore an
InvalidName
ChainValidationResult
:https://msdn.microsoft.com/en-us/library/windows/apps/windows.security.cryptography.certificates.chainvalidationresult.aspx
by specifying the
HttpBaseProtocolFilter.IgnorableServerCertificateErrors
atHttpClient
creation time - prior to the request: https://msdn.microsoft.com/en-us/library/windows/apps/windows.web.http.filters.httpbaseprotocolfilter.ignorableservercertificateerrors(While one can set a handler for: https://msdn.microsoft.com/en-us/library/windows/apps/windows.web.http.filters.httpbaseprotocolfilter.servercustomvalidationrequested this would not be called if OS validation fails - so the only approach is to use the
IgnorableServerCertificateErrors
property to allow anInvalidName
but otherwise performing a complete chain validation)So it's looking like the best/fastest approach for handling these usecases in my app may be to just use alternative networking code on windows making use of the projections in WindowsWebHttp.h and WindowsWebHttpFilters.h
However, I wonder if providing a windows specific extension to NSURLSession (and NSURLConnection if desired) in order to get access to the
HttpBaseProtocolFilter
created in NSURLProtocol_WinHTTP.mm would be a viable approach. If someone think so let me know (otherwise I'll likely go forward with just using the Windows APIs directly via the projections).