iphone - Cannot view Quicktime movies over HTTPS in Safari or UIWebView

Question

I am trying to get my iPhone application to work with HTTPS in addition to HTTP, but using UIWebView or MPMoviePlayerController to view a Quicktime MOV file doesn't seem to work over HTTPS. I get "This movie could not be played". I tried in Safari to eliminate my app as being the problem, and the same thing happened. If I use HTTP, it works fine.

This thread has a similar discussion, but no resolution: http://discussions.apple.com/thread.jspa?messageID=12908818

I am not using self-signed certs; my machine has a registered SSL cert, and I pushed both the GoDaddy intermediate cert and the normal cert to my iPad (4.2.1) using iPhone configuration utility. I verified this works because Safari doesn't prompt me about the certificate when visiting the secured site, like it would before. I can view the movie over HTTPS using normal browsers such as FF or Safari on OSX, just not iOS. It also appears to work in the simulator as well, but I have tried both iPhone 4.1 and iPad 4.2.1.

Is there any workaround that will let me view video over HTTPS?

Answer 1

After experiencing the very same problem and symptoms, I was able to gain access to the Apple Developer Forum thread mentioned here

The upshot of the Apple thread is that you must have a valid Intermediate Certificate installed on the server. It is not enough to have only the server certificate installed.

I have tested this with Mac OS X 10.6 Server. I installed the server certificate and while desktop browsers were able to stream a video over HTTPS, iOS devices (iPhone and iPad) both gave the "This movie could not be played" error.

Installing the Intermediate Certificate fixed the problem.

Other devices, like Android phones and tablets, and RIM PowerBook (via Flash) had no problems playing the video without the Intermediate Certificate. I suspect it is a case of iOS being overzealous with its security, a "Feature" if not a bug ;-)

I'm not a PKI expert, so I cannot tell you why this works. Perhaps another contributor can explain the PKI voodoo behind this.