Question

Is it possible to build an SSL/TLS server which is running on an iOS device? If yes, how?

My doubts are related to these questions: On the device, can I create a self-signed certificate on the fly, to be used from then on? Or can I tell SSL/TLS not to use certificates?

In my iOS app I'm using AsyncSocket. The app is at the same time both client and server.

The client-side is implemented in this way:

- (void)onSocket:(AsyncSocket *)sock didConnectToHost:(NSString *)host port:(UInt16)port {
    // Don't even validate the certificate chain
    NSDictionary *settings = @{(NSString *)kCFStreamSSLValidatesCertificateChain : (id)kCFBooleanFalse};

    [sock startTLS:settings];
}

- (void)onSocketDidSecure:(AsyncSocket *)sock {
    // omitted: send the message...
}

The server-side (which is running on another iOS device) is implemented in this way:

- (void)onSocket:(AsyncSocket *)sock didConnectToHost:(NSString *)host port:(UInt16)port {
    // Don't even validate the certificate chain
    NSDictionary *settings = @{(NSString *)kCFStreamSSLValidatesCertificateChain : (id)kCFBooleanFalse,
                            (NSString *)kCFStreamSSLIsServer : (id)kCFBooleanTrue};

    [sock startTLS:settings];
}

- (void)onSocketDidSecure:(AsyncSocket *)sock {
    // omitted: read the message...
}

However, when the client attempts to connect to the server, the delegate's method onSocket:willDisconnectWithError: is called, with the error Domain=kCFStreamErrorDomainSSL Code=-9848.


Solution

Is it possible to build an SSL/TLS server which is running on an iOS device? If yes, how?

Absolutely. I have used CocoaHTTPServer with SSL/TLS both on the simulator and on the device for testing purposes. To use client certificates you need to make some modifications; most of these are in a patch in their GitHub issues list.

Can you create certs on the fly on iOS? Not that I know of.

Can you tell SSL to not use certificates? Ummm. Even if you could, what would be the point of using SSL? The certificates are what "secures" the transport. SSL is a model of trust, with the parties on either end of the link evaluating the trust of the other party. If you are creating certs on the fly, or attempting to not use certs period, you are invalidating that trust model - you are not securing much of anything.
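A server-side configuration that actually presents a certificate, added here as an example and not code from the question or the answer. A TLS server has to have an identity to offer the client, so the settings dictionary below carries one via kCFStreamSSLCertificates; it assumes a PKCS#12 file named server.p12 shipped in the app bundle and its passphrase, both of which are illustrative.

```objective-c
// Added example: server-side startTLS with a bundled identity.
// server.p12 and its passphrase are assumptions for illustration.
#import <Security/Security.h>
#import "AsyncSocket.h"

// Load the SecIdentityRef (private key + certificate) from server.p12.
// Returns NULL (and logs why) if the file is missing or the passphrase is wrong.
static SecIdentityRef CopyServerIdentity(void) {
    NSString *path = [[NSBundle mainBundle] pathForResource:@"server" ofType:@"p12"];
    NSData *p12 = path ? [NSData dataWithContentsOfFile:path] : nil;
    if (!p12) { NSLog(@"server.p12 not found in bundle"); return NULL; }

    NSDictionary *options = @{(id)kSecImportExportPassphrase : @"change-me"}; // assumed passphrase
    CFArrayRef items = NULL;
    OSStatus status = SecPKCS12Import((__bridge CFDataRef)p12,
                                      (__bridge CFDictionaryRef)options, &items);
    if (status != errSecSuccess || CFArrayGetCount(items) == 0) {
        NSLog(@"SecPKCS12Import failed: %d", (int)status);
        if (items) CFRelease(items);
        return NULL;
    }
    NSDictionary *first = (__bridge NSDictionary *)CFArrayGetValueAtIndex(items, 0);
    SecIdentityRef identity = (SecIdentityRef)CFBridgingRetain(first[(id)kSecImportItemIdentity]);
    CFRelease(items);
    return identity; // caller owns the +1 reference
}

- (void)onSocket:(AsyncSocket *)sock didConnectToHost:(NSString *)host port:(UInt16)port {
    SecIdentityRef identity = CopyServerIdentity();
    if (!identity) { [sock disconnect]; return; } // no identity: refuse to run an unauthenticated server

    // kCFStreamSSLCertificates: the identity first, followed by any intermediate CA certs.
    NSDictionary *settings = @{
        (NSString *)kCFStreamSSLIsServer     : (id)kCFBooleanTrue,
        (NSString *)kCFStreamSSLCertificates : @[ (__bridge id)identity ],
    };
    CFRelease(identity); // the settings dictionary now holds its own reference
    [sock startTLS:settings];
}
```

The client side still has to verify the certificate it receives (by chain validation or by pinning the bundled certificate); leaving kCFStreamSSLValidatesCertificateChain set to false means the handshake authenticates nothing, which is the point the answer makes.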

Licensed under: CC-BY-SA with attribution