
Certificate pinning seems to have stopped working in Alamofire 4 and Swift 3

This is my code

let pathToCert = Bundle.main.path(forResource: "certificate", ofType: "der")
let localCertificate = NSData(contentsOfFile: pathToCert!)!

let serverTrustPolicy = ServerTrustPolicy.pinCertificates(
    certificates: [SecCertificateCreateWithData(nil, localCertificate)!],
    validateCertificateChain: true,
    validateHost: true
)

let myServer = "..." // host name only, without the https:// scheme
let serverTrustPolicies = [
    myServer: serverTrustPolicy
]

afManager = SessionManager(
    serverTrustPolicyManager: ServerTrustPolicyManager(policies: serverTrustPolicies)
)

afManager.request("https://www.google.co.uk", method: .get).response { response in
    // I get status code 200 here, which should NOT happen
    log.info(response)
}

The certificate loads correctly; this is the certificate:

[screenshot: certificate printed inside console]

My problem is that I seem to receive status code 200 from my domain and any other domain.

I should not be receiving 200 from other domains

I was told that SSL certificate pinning should not be implemented this way in Swift 3 / Alamofire 4; could this be true?

Also, could something be wrong with the certificate?

P.S. I tried this code too, but no luck either :(((

let serverTrustPolicies = [
    "*.mydomain.com": serverTrustPolicy
]
Darijan
  • https://github.com/antekarin/ssl-pinning-swift try with this example – BHAVIK Jul 03 '17 at 06:02
  • @BHAVIKPANCHAL does it work for you? – Darijan Jul 03 '17 at 06:03
  • yes, it works for me – BHAVIK Jul 03 '17 at 06:07
  • @BHAVIKPANCHAL Are other domains blocked? What response do you get for other domains? – Darijan Jul 03 '17 at 06:15
  • What do you get in the response? Can you show me? Then I will help you. – BHAVIK Jul 03 '17 at 06:19
  • @BHAVIKPANCHAL "All Response Info: DefaultDataResponse(request: Optional(https://www.google.co.uk), response: Optional( { URL: https://www.google.co.uk/ } { status code: 200, headers {\n \"Cache- – Darijan Jul 03 '17 at 06:24
  • @BHAVIKPANCHAL the request should be BLOCKED because it is not my domain – Darijan Jul 03 '17 at 06:27
  • Did you add the certificate to your project or not? And if added, what is its name? You have to generate the certificate from the developer account and add it into your project, and then use it. – BHAVIK Jul 03 '17 at 06:31
  • @BHAVIKPANCHAL What do you mean "the certificate needs to be generated from developer account"? Please explain... – Darijan Jul 03 '17 at 06:44
  • can you please try this https://stackoverflow.com/questions/31945078/how-to-connect-to-self-signed-servers-using-alamofire-1-3 – BHAVIK Jul 03 '17 at 06:52
  • @BHAVIKPANCHAL I have tried it; no, it still does not work. This is my certificate https://i.stack.imgur.com/ER3lq.png – Darijan Jul 03 '17 at 08:35

1 Answer

let hostname = "YOUR_HOST_NAME"
let endpoint = "YOUR_ENDPOINT"
let cert = "YOUR_CERT" // e.g. for cert.der, this should just be "cert"

// Set up certificates
let pathToCert = Bundle.main.path(forResource: cert, ofType: "der")
let localCertificate = NSData(contentsOfFile: pathToCert!)
let certificates = [SecCertificateCreateWithData(nil, localCertificate!)!]

// Configure the trust policy manager
let serverTrustPolicy = ServerTrustPolicy.pinCertificates(
    certificates: certificates,
    validateCertificateChain: true,
    validateHost: true
)
let serverTrustPolicies = [hostname: serverTrustPolicy]
let serverTrustPolicyManager = ServerTrustPolicyManager(policies: serverTrustPolicies)

// Configure session manager with trust policy
afManager = SessionManager(
    configuration: URLSessionConfiguration.default,
    serverTrustPolicyManager: serverTrustPolicyManager
)
afManager.request(endpoint, method: .get).responseJSON { response in
    debugPrint("All Response Info: \(response)")
}
BHAVIK
  • If I make this request: afManager.request("https://www.google.co.uk", method: .get), I still get status code 200 which is not good. :( – Darijan Jul 03 '17 at 05:50
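Both the question's code and the answer's code behave the same way for the same reason: in Alamofire 4, ServerTrustPolicyManager.serverTrustPolicy(forHost:) looks the host up by exact key and returns nil for any host that has no entry, and the session delegate then treats the challenge with .performDefaultHandling, i.e. ordinary system trust evaluation. Pinning therefore constrains only the hosts listed in the dictionary; www.google.co.uk is never pinned, so its valid public certificate is accepted and the request returns 200. Keys such as "*.mydomain.com" do not help because the default manager does no wildcard matching. The following is an added example, not code from the question, the answer, or the Alamofire project; it assumes Alamofire 4.x, a DER certificate bundled with the app, and the placeholder host "api.example.com". It subclasses the manager so that pinned hosts (and their subdomains) get the pin policy and every other host is refused rather than falling back to system trust.

```swift
import Foundation
import Alamofire

/// Trust manager that pins the bundled certificates for known hosts and
/// refuses every other host instead of falling back to system trust.
final class StrictServerTrustPolicyManager: ServerTrustPolicyManager {

    /// Hosts whose TLS chain must contain one of the bundled certificates.
    private let pinnedHosts: Set<String>
    private let pinnedPolicy: ServerTrustPolicy

    init(pinnedHosts: Set<String>, certificates: [SecCertificate]) {
        self.pinnedHosts = pinnedHosts
        self.pinnedPolicy = .pinCertificates(
            certificates: certificates,
            validateCertificateChain: true,
            validateHost: true
        )
        // The base dictionary is unused; every lookup goes through the override below.
        super.init(policies: [:])
    }

    override func serverTrustPolicy(forHost host: String) -> ServerTrustPolicy? {
        // An exact match or a subdomain of a pinned host gets the pin policy
        // (this is the wildcard matching the default manager does not do).
        if pinnedHosts.contains(where: { host == $0 || host.hasSuffix("." + $0) }) {
            return pinnedPolicy
        }
        // Every other host is refused. Returning nil here would make Alamofire 4
        // use .performDefaultHandling (system trust), which is why an unpinned
        // host such as www.google.co.uk otherwise answers with 200.
        return .customEvaluation { _, _ in false }
    }
}

/// Loads every .der/.cer certificate from the app bundle and fails loudly if
/// none are found, so a missing resource cannot silently disable pinning.
func loadPinnedCertificates(from bundle: Bundle = .main) -> [SecCertificate] {
    let certificates = ServerTrustPolicy.certificates(in: bundle)
    precondition(!certificates.isEmpty, "no pinned certificates found in bundle")
    return certificates
}

// Usage. "api.example.com" is a constructed placeholder for the pinned host.
let trustManager = StrictServerTrustPolicyManager(
    pinnedHosts: ["api.example.com"],
    certificates: loadPinnedCertificates()
)
let sessionManager = SessionManager(
    configuration: .default,
    serverTrustPolicyManager: trustManager
)

// Succeeds only if the server's chain contains one of the bundled certificates.
sessionManager.request("https://api.example.com/health").response { response in
    print("pinned host:", response.response?.statusCode ?? -1, response.error ?? "ok")
}

// Fails with a cancelled authentication challenge (an error and no status code)
// instead of returning 200.
sessionManager.request("https://www.google.co.uk").response { response in
    print("unpinned host:", response.response?.statusCode ?? -1, response.error ?? "ok")
}
```

Keep the sessionManager instance alive for as long as requests are in flight; a SessionManager that is deallocated cancels its requests. If the pinned host's own request also fails, the bundled certificate is not in the chain the server presents (for example a leaf certificate after the server rotated it), which is the failure mode to check before suspecting the policy code.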