
I'm working on an iOS app, and we'd like to secure our private API through SSL.

Everything is fine on the server side, and our Android app already connects over HTTPS. On iOS, on the other hand, I'm stuck.

I'm using AFNetworking, so:

  • As this topic explains, I simply added our .cer file to my bundle
  • Since we use a self-signed certificate, I also added:

```objective-c
AFHTTPRequestOperationManager *requestManager = [AFHTTPRequestOperationManager manager];

// Pin against the .cer file(s) found in the app bundle
requestManager.securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate];

// Self-signed certificate: skip the system trust evaluation
requestManager.securityPolicy.allowInvalidCertificates = YES;
```

The certificate is found by AFNetworking, but our server refuses the authentication and returns an ugly 400.

Since I'm really new to SSL, any tips on how to find where this fails would be greatly appreciated. Can we log something server-side or anything like that to "investigate"?

  • Is the URL connecting through `https://`? If it's not, it will spit back a 400 every time. I just had to deal with this with a Google API. It wouldn't work unless the URL started with `https://` – Chase Walden May 20 '14 at 16:18
  • @ChaseWalden Yup, I do connect to https... – Thomas Hermine May 20 '14 at 16:32
  • If the server is the 'refuser', you might want to check your server-side config and make sure it isn't refusing the connection due to a misconfiguration. Your server could be refusing it because it is self-signed. Do you have a debugging proxy to view the outgoing HTTP request? Try Charles Web Proxy, which is cross-platform. Use it to look at your outgoing request. – Chase Walden May 20 '14 at 16:36
  • Ok, I finally got what was wrong: if I provide a base-64 encoded .cer file, iOS crashes because AFNetworking/iOS does not support base-64 encoded certificates; but on the server side, Nginx requires a base-64 encoded certificate, so it tries to decode the non-encoded certificate. But how can we solve this without replacing Nginx? – Thomas Hermine May 20 '14 at 20:59
  • You will need to overwrite the AFHTTPRequestSerializer to convert the NSData into base64. – Chase Walden May 20 '14 at 21:15
  • Perhaps this will help: http://www.experts-exchange.com/Hardware/Apple_Hardware/iPhone/A_2402-import-self-signed-certificates-into-iPhone.html – Chase Walden May 20 '14 at 21:27

1 Answer

I would advise against using the pinning mode you are using. It is not as maintainable as "setDefaultSSLPinningMode:AFSSLPinningModePublicKey", which gets the certificates from the server.

This way you can put a valid .cer file into your app bundle once, and then in the future, as long as you keep renewing your certificates using the same public and private key (.key file), you won't have to update your app.

Consider that option. If you try that and keep your settings the same to allow invalid certificates, you should be able to get it working. Things get a little trickier when you don't allow untrusted certs.

Marcel Gruber
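The following is an added example, not code from the question, the answer, or AFNetworking itself. It puts the answer's advice into the AFNetworking 2.x API the question uses (`AFSecurityPolicy`, since 2.x has no `setDefaultSSLPinningMode:`), pins the server's public key rather than the exact certificate, and also handles the PEM-versus-DER problem from the comments: Security.framework only parses DER, while Nginx wants PEM, so the helper accepts either form of the bundled file and normalises it to DER before pinning. The bundled file name `server.cer`, the host `api.example.com`, and the function names are assumptions for illustration.

```objective-c
// Added example (not from the question, the answer or AFNetworking).
// Assumptions: AFNetworking 2.x, a bundled file "server.cer" (PEM or DER),
// and the API host https://api.example.com.
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import "AFNetworking.h"

// SecCertificateCreateWithData (and so AFSecurityPolicy.pinnedCertificates) only
// accepts DER. Nginx's ssl_certificate wants PEM, which is the same DER bytes
// base64-encoded between BEGIN/END lines. Keep the PEM for Nginx and derive DER
// here, so a PEM file shipped by mistake is converted instead of crashing the app.
static NSData *DERCertificateDataFromFile(NSString *path) {
    NSData *raw = [NSData dataWithContentsOfFile:path];
    if (raw == nil) {
        return nil;
    }
    // DER bytes are not valid ASCII, so this yields nil for a DER file.
    NSString *text = [[NSString alloc] initWithData:raw encoding:NSASCIIStringEncoding];
    if (text == nil || [text rangeOfString:@"-----BEGIN CERTIFICATE-----"].location == NSNotFound) {
        return raw; // no PEM armor: treat the bytes as DER already
    }
    NSMutableString *base64 = [NSMutableString string];
    NSArray *lines = [text componentsSeparatedByCharactersInSet:[NSCharacterSet newlineCharacterSet]];
    for (NSString *line in lines) {
        if ([line hasPrefix:@"-----"]) {
            continue; // drop the BEGIN/END lines, keep only the base64 body
        }
        [base64 appendString:line];
    }
    return [[NSData alloc] initWithBase64EncodedString:base64
                                               options:NSDataBase64DecodingIgnoreUnknownCharacters];
}

// Build a policy that pins the server's public key (SubjectPublicKeyInfo) instead
// of the exact certificate: a renewed certificate issued for the same key pair
// still matches, so the app does not need a release on every renewal.
static AFSecurityPolicy *PublicKeyPinningPolicy(NSString *certificatePath) {
    NSData *der = DERCertificateDataFromFile(certificatePath);
    SecCertificateRef certificate = (der != nil)
        ? SecCertificateCreateWithData(NULL, (__bridge CFDataRef)der)
        : NULL;
    // Refuse to start with an unusable pin rather than silently pinning nothing.
    if (certificate == NULL) {
        [NSException raise:NSInvalidArgumentException
                    format:@"%@ did not parse as a DER certificate", certificatePath];
    }
    CFRelease(certificate);

    AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey];
    policy.pinnedCertificates = @[der];
    // Self-signed: the system trust evaluation cannot succeed, so let it through.
    // With a pinning mode set, AFNetworking still rejects any server whose key
    // does not match one of pinnedCertificates.
    policy.allowInvalidCertificates = YES;
    // Keep host-name checking on: the self-signed certificate must carry the API
    // host in its CN/SAN; if it does not, reissue it with the right name.
    policy.validatesDomainName = YES;
    return policy;
}

// One manager for the private API, with the pin installed before any request.
static AFHTTPRequestOperationManager *PrivateAPIManager(void) {
    NSString *path = [[NSBundle mainBundle] pathForResource:@"server" ofType:@"cer"];
    AFHTTPRequestOperationManager *manager = [AFHTTPRequestOperationManager manager];
    manager.securityPolicy = PublicKeyPinningPolicy(path);
    return manager;
}

// A request against the pinned host. A key mismatch or a TLS failure surfaces in
// the failure block as an NSError, which is the client-side place to log while
// investigating; an HTTP 400 from the server arrives there too, with a status code.
void FetchPrivateResource(void) {
    [PrivateAPIManager() GET:@"https://api.example.com/private/resource"
                  parameters:nil
                     success:^(AFHTTPRequestOperation *operation, id responseObject) {
                         NSLog(@"OK: %@", responseObject);
                     }
                     failure:^(AFHTTPRequestOperation *operation, NSError *error) {
                         NSLog(@"request failed (HTTP %ld): %@",
                               (long)operation.response.statusCode, error);
                     }];
}
```

Two caveats for anyone reusing this. First, `AFSecurityPolicy` only decides whether the app trusts the server; it never sends a client certificate. If the 400 is Nginx's "No required SSL certificate was sent" from `ssl_verify_client on`, the fix is a client identity presented in the authentication challenge, which is a separate mechanism from pinning. Second, the public-key pin only survives renewals as long as the server keeps the same key pair; generating a fresh key on renewal breaks every installed app, so ship a second pinned certificate for the next key before rotating.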