SSL Pinning with AFNetworking

ios ssl afnetworking
BigLex picture BigLex · May 17, 2013 · Viewed 11.2k times · Source

In my app I'm using https and a self-signed SSL certificate to secure the connection between my client and the server.

I was trying to have the AFNetworking library do SSL Pinning on a copy of my certificate bundled in the app.

In the AFURLConnectionOperation header I defined both:

#define _AFNETWORKING_ALLOW_INVALID_SSL_CERTIFICATES_ =1
#define _AFNETWORKING_PIN_SSL_CERTIFICATES_ =1

And before calling the start on my AFJSONRequestOperation I set the SSLPinningMode property to AFSSLPinningModeCertificate.

But when trying to perform a JSON request I keep getting the following error:

Error Domain=NSURLErrorDomain Code=-1012 "The operation couldn’t be completed. 
(NSURLErrorDomain error -1012.)" UserInfo=0x758f120 
{NSErrorFailingURLKey=https://mydomain.com,
NSErrorFailingURLStringKey=https://mydomain.com}

In the AFURLConnectionOperation header I read that the SSL Pinning works with .cer certificates but in my self-hosted OS X webserver I have a .crt certificate.

Is this the problem? Is there a way to make AFNetworking work with .crt?

On a windows box I converted my .crt to .cer and tried to bundle that into my app but I still get the same error. Should I try to switch the .crt file with the newly created .cer even on the server side?

Answer

jpswain picture jpswain · Jun 24, 2013

I got it working.

I was in the situation where I had created a self-signed cert for to hit my own server API from my iOS App. I created my cert with OpenSSL. When I was done creating it, I had several files, one of which was "server.crt". Initially, I tried just renaming it to "server.cer", and using "AFSSLPinningModeCertificate" for my AFURLConnectionOperation objects. That did not work, and I noticed the example uses "AFSSLPinningModePublicKey", so I tried that, still no luck.

So I compared my file (that was the renamed ".crt" file) to his.
I noticed that "server.crt" was base64-encoded, and like this:

-----BEGIN CERTIFICATE-----
394230AFDFD... 
-----END CERTIFICATE-----

I noticed from Mattt's example in AFNetworking that the "adn.cer" file he uses is not base64-encoded. It is just raw bytes. So, I did this:

$ base64 -D -i ./server.crt -o ./server.cer

I set my AFURLConnectionOperation to AFSSLPinningModePublicKey.
I put that back in the project and did a clean and build of my iOS project, and everything worked fine.

Hope this helps!!

Btw, you may notice that Xcode will display info for for your ".crt" or ".cer" key whether it is the base64 or the raw one, so don't let that confuse you. You should be able to see the certificate data in either case, it's just that AF will only accept the raw (non-base64) one.

UPDATE:
Anyone having trouble with base64, this what works for me on OS X using OpenSSL:

$ openssl base64 -d -in ./server.crt -out ./server.cer

Related questions

Problems with SSL Pinning and AFNetworking 2.5.0 (NSURLErrorDomain error -1012.)

We’ve been having a hard time securing our app’s network connections with SSL using AFNetworking 2.5.0. We use a self-signed certificate authority and implemented a custom security policy using pinned certificates. We’ve tested quite a few configurations provided …

Read More
CFNetwork SSLHandshake failed iOS 9

has anyone with the iOS 9 beta 1 had this issue? I use standard NSURLConnection to connect to a webservice and as soon as a call is made to the webservice i get the below error. This is currently working in iOS 8.3 …

Read More
Using SSL in an iPhone App - Export Compliance

I'm looking at creating an iPhone app that will communicate with a REST Web service. Because some user-sensitive data (name, address, age, etc) will be transmitted, I'm looking at securing the connections with SSL. However, on my previous escapades into …

Read More