SSL Pinning with AFNetworking

Hello,

I'm trying to set up SSL pinning with AFNetworking 2.5.4 (with a Comodo certificate), but when I set securityPolicy.validatesCertificateChain = true it doesn't work.


I grab my certificate (CER) from the server.

openssl s_client -connect example.com:443 -showcerts


Grab the output between the first -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- and save it to example.pem

Convert from PEM to CER (DER):


openssl x509 -outform der -in example.pem -out example.cer


Then I add example.cer to my Xcode project and add it to the 'Copy Bundle Resources' build phase. My security policy is:


let securityPolicy = AFSecurityPolicy(pinningMode: AFSSLPinningMode.PublicKey)
// example.cer is the DER file produced above, copied into the app bundle
let certificatePath = NSBundle.mainBundle().pathForResource("example", ofType: "cer")!
let certificateData = NSData(contentsOfFile: certificatePath)!
securityPolicy.pinnedCertificates = [certificateData]
securityPolicy.validatesDomainName = true
securityPolicy.allowInvalidCertificates = false
securityPolicy.validatesCertificateChain = false
manager.securityPolicy = securityPolicy


With this, SSL pinning works, but I don't want to validate only the leaf certificate, so I change

securityPolicy.validatesCertificateChain = true


But with that configuration it throws the following error:

Domain=NSURLErrorDomain Code=-1012 "The operation couldn’t be completed. (NSURLErrorDomain error -1012.)


I have read that if securityPolicy.validatesCertificateChain = true I must include the entire SSL certificate chain, but I do not know how to generate it.

I tried the following command, but it does not work (I get the same error):


openssl s_client -connect example.com:443 </dev/null 2>/dev/null | openssl x509 -outform DER > example.cer


How do I get the entire SSL certificate chain to add to Xcode?

Replies

iOS Multitasking isn't the right place for this question. I'm moving it to the Security forum where you'll have a better chance at getting an answer.

I don't know AFNetworking well enough to help you with this question. If no one else chimes in, I recommend you do one of the following:

  • Ask your AFNetworking question via AFNetworking's support channel, the details of which are on their web site.

  • Recast your question in terms of Apple APIs (NSURLSession, Security framework) at which point I can tackle it here.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Is the cert valid? Try:


openssl s_client -showcerts -connect www.domain.com:443


and see what it says. My guess is that the web server isn't missing some intermediate certificates. Most web browsers use Authority Information Access to extend the certificate chain, so you might not even notice such a misconfiguration normally. But when you try to access the server using AFNetworking (which I doubt supports AIA), your requests will fail because the certificate chain is incomplete.


And at least up until a couple of days ago, missing intermediate certs in the chain would be a fatal error with AFNetworking even when you pin the certs. I think they've changed that behavior very recently so that it stops checking beyond the pinned cert.


Check out this thread and the follow-on git pull for more info:


https://github.com/AFNetworking/AFNetworking/issues/2744

You need to put all the certificates in your chain when using securityPolicy.validatesCertificateChain = true.
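The poster's second openssl pipeline only keeps the first certificate because `openssl x509` reads a single block; every block printed by `openssl s_client -showcerts` has to be kept. The script below is an added example (not code from the thread or from AFNetworking) that does the same job as the poster's manual "copy the block into example.pem, convert with openssl x509 -outform der" steps, but for the whole chain: it splits the -showcerts output into PEM blocks and writes each one as a DER .cer file (DER is simply the base64-decoded body of a PEM block, which is what `openssl x509 -outform der` produces). The file names `example-0.cer`, `example-1.cer` and the `SAMPLE_SHOWCERTS` text are constructed for illustration; the sample's certificate bodies are placeholders, not real certificates. Each resulting .cer file then goes into 'Copy Bundle Resources' and into `pinnedCertificates`. A useful check while doing this: if -showcerts prints only one block, the server is not sending its intermediates, which is the misconfiguration the earlier reply describes.

```python
import base64
import re
import sys
import tempfile
from pathlib import Path

# One PEM certificate block; DOTALL lets the lazy group span several lines.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_chain(showcerts_output: str) -> list:
    """Return every PEM block in `openssl s_client -showcerts` output, in
    server order (leaf first, then intermediates).  The 'depth=', 's:',
    'i:' and 'verify return:' lines between blocks are ignored."""
    return [
        "-----BEGIN CERTIFICATE-----\n" + body.strip() + "\n-----END CERTIFICATE-----\n"
        for body in _PEM_BLOCK.findall(showcerts_output)
    ]


def pem_to_der(pem: str) -> bytes:
    """DER is the base64-decoded body of the PEM block, i.e. the bytes that
    `openssl x509 -outform der` writes for a single certificate."""
    match = _PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no PEM certificate block found")
    body = "".join(match.group(1).split())  # drop line breaks and spaces
    return base64.b64decode(body, validate=True)


def write_chain_as_cer(showcerts_output: str, out_dir: str, stem: str = "example") -> list:
    """Write every certificate of the chain as <stem>-<n>.cer (DER) into
    out_dir and return the written paths (hypothetical naming scheme)."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for index, pem in enumerate(split_pem_chain(showcerts_output)):
        path = out / f"{stem}-{index}.cer"
        path.write_bytes(pem_to_der(pem))
        paths.append(str(path))
    return paths


def _fake_pem(label: bytes) -> str:
    # Constructed placeholder block: the body is just base64 of `label`,
    # not a real certificate, so that the example runs offline.
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(label).decode() + "\n-----END CERTIFICATE-----")


# Constructed sample resembling `openssl s_client -showcerts` output for a
# server that sends its leaf and one intermediate (roots are normally not sent).
SAMPLE_SHOWCERTS = (
    "CONNECTED(00000003)\n"
    "depth=1 C = GB, O = Example CA, CN = Example Intermediate\n"
    "verify return:1\n"
    "---\nCertificate chain\n"
    " 0 s:/CN=example.com\n"
    "   i:/CN=Example Intermediate\n"
    + _fake_pem(b"constructed-leaf") + "\n"
    " 1 s:/CN=Example Intermediate\n"
    "   i:/CN=Example Root\n"
    + _fake_pem(b"constructed-intermediate") + "\n"
    "---\nServer certificate\n"
    "subject=/CN=example.com\n"
)


def demo() -> list:
    """Convert the constructed sample in a temporary directory and return the
    DER bytes read back from each .cer file, in chain order."""
    with tempfile.TemporaryDirectory() as tmp:
        return [Path(p).read_bytes() for p in write_chain_as_cer(SAMPLE_SHOWCERTS, tmp)]


if __name__ == "__main__":
    # Real usage, piping the live chain in:
    #   openssl s_client -connect example.com:443 -showcerts </dev/null 2>/dev/null | python3 split_chain.py
    written = write_chain_as_cer(sys.stdin.read(), "pinned")
    print(f"wrote {len(written)} certificate(s): {written}")
    if len(written) < 2:
        print("warning: server sent a single certificate; intermediates may be missing")
```

Run it against the live server output as shown in the `__main__` comment; the number of files written is the length of the chain the server actually sends, which is exactly what validatesCertificateChain = true requires you to pin.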

validatesCertificateChain was removed in AFNetworking 2.6: https://github.com/AFNetworking/AFNetworking/pull/2856