Problems with SSL Pinning and AFNetworking 2.5.0 (NSURLErrorDomain error -1012.)

ios ssl afnetworking afnetworking-2
22,517

Solution 1

After reading through the AFNetworking code & and checking the change logs, here's what I had to do to get this working.

Create your AFSecurityPolicy object with AFSSLPinningModeCertificate:

AFSecurityPolicy* policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate];

By default, AFNetworking will validate the domain name of the certificate. Our certificates are generated on a per-server basis, and not all of them will have a domain name, so we need to disable that:

[policy setValidatesDomainName:NO];

Since the certificates are self-signed, they are technically 'invalid', so we need to allow that as well:

[policy setAllowInvalidCertificates:YES];

Lastly, AFNetworking will attempt to validate the certificate all the way up the certificate chain, which to me seems like it would only go up the chain to OUR CA, but for whatever reason it doesn't, so we have to disable that too:

[policy setValidatesCertificateChain:NO];

And that's it! Set the security policy in your request manager like you're already doing and it should work fine.

So, recap, all you really need to change in the code you posted is this:

A) As David Caunt mentioned, change your pinning mode from AFSSLPinningModeNone to AFSSLPinningModeCertificate

and

B) Add the line to disable validating the domain name: [policy setValidatesDomainName:NO]

Another note, AFNetworking now automatically checks your bundle for .cer files, so if you were to rename your certificate to have a .cer extension, you can eliminate the code to get the certificate data out of the bundle and set the pinned certificates.

Solution 2

since you have manager initialized, you can do:

manager.securityPolicy.allowInvalidCertificates = YES;
manager.securityPolicy.validatesDomainName = NO;

and it will work for a self-signed certificate

Solution 3

I was getting this error, Error Domain=NSURLErrorDomain Code=-1012 NSErrorFailingURLStringKey

The below change alone got it working for me.

self.validatesDomainName = NO;

Solution 4

You're creating an AFSecurityPolicy with SSLPinningMode mode AFSSLPinningModeNone.

For AFNetworking to trust the server, with pinning mode set to AFSSLPinningModeNone, you must set allowInvalidCertificates to YES, but this is the opposite of what you are trying to achieve.

Instead, you should create your security policy with pinning mode AFSSLPinningModeCertificate or AFSSLPinningModePublicKey:

AFSecurityPolicy *securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate];

Solution 5

- (AFSecurityPolicy *)securityPolicy {
    NSString *cerPath = [[NSBundle mainBundle] pathForResource:@"*.something.co.in" ofType:@"cer"];
    NSData *certData = [NSData dataWithContentsOfFile:cerPath];
    AFSecurityPolicy *securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate];
    [securityPolicy setAllowInvalidCertificates:YES];
    [securityPolicy setPinnedCertificates:@[certData]];
    [securityPolicy setValidatesDomainName:NO];
    [securityPolicy setValidatesCertificateChain:NO];
    return securityPolicy;
}

This worked for me for some reason. Still not sure how this changes things because other connections in my app work without taking all these steps.

This is what the error generating security policy looks like -

- (AFSecurityPolicy *)securityPolicy {
    NSString *cerPath = [[NSBundle mainBundle] pathForResource:@"*.something.co.in" ofType:@"cer"];
    NSData *certData = [NSData dataWithContentsOfFile:cerPath];
    AFSecurityPolicy *securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate];
    [securityPolicy setAllowInvalidCertificates:NO];
    [securityPolicy setPinnedCertificates:@[certData]];
    [securityPolicy setValidatesDomainName:YES];
    return securityPolicy;
}

Now sticking to the "Don't fix if it ain't broken" rule

Share:
22,517
davhab
Author by

davhab

Updated on December 27, 2020

Comments

  • davhab
    davhab over 3 years

    We’ve been having a hard time securing our app’s network connections with SSL using AFNetworking 2.5.0.

    We use a self-signed certificate authority and implemented a custom security policy using pinned certificates.

    We’ve tested quite a few configurations provided by AFNetworking but have not been lucky so far. The error message we receive is:

    2015-01-05 19:03:07.191 AppName[9301:319051] Error updating user journey. Error: Error Domain=NSURLErrorDomain Code=-1012 "The operation couldn’t be completed. (NSURLErrorDomain error -1012.)" UserInfo=0x7ae056b0 {NSErrorFailingURLKey=https://api.XXX.com/XXX/XXX/, NSErrorFailingURLStringKey=https://api.XXX.com/XXX/XXX/}

    Our certificate works fine on other clients such as cURL and Android. When using HTTP, our implementation works perfectly fine too.

    Is anyone aware of any issues related to pinned certificates and AFNetworking? If yes, we’d appreciate any pointers you may have.

    Here's part of the implementation:

    + (AFSecurityPolicy*)customSecurityPolicy {
   AFSecurityPolicy *securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeNone];
   NSString *cerPath = [[NSBundle mainBundle] pathForResource:@"filename" ofType:@"der"];
   NSData *certData = [NSData dataWithContentsOfFile:cerPath];
   [securityPolicy setAllowInvalidCertificates:NO];
   [securityPolicy setValidatesCertificateChain:NO];
   [securityPolicy setPinnedCertificates:@[certData]];
   return securityPolicy;
}

+ (AFHTTPRequestOperationManager*)customHttpRequestOperationManager {
   AFHTTPRequestOperationManager *manager = [AFHTTPRequestOperationManager manager];
   manager.securityPolicy = [self customSecurityPolicy]; // SSL
   return manager;
}

+(void)getRequestWithUrl:(NSString*)url success:(void(^)(AFHTTPRequestOperation *operation, id responseObject))success failure:(void(^) (AFHTTPRequestOperation *operation, NSError *error))failure {
   [[UIApplication sharedApplication] setNetworkActivityIndicatorVisible:YES];
   AFHTTPRequestOperationManager *manager = [HttpClient customHttpRequestOperationManager];
   manager.responseSerializer = [AFHTTPResponseSerializer serializer];
   [manager GET:url parameters:nil success:^(AFHTTPRequestOperation *operation, id responseObject) {
       [[UIApplication sharedApplication] setNetworkActivityIndicatorVisible:NO];
       success(operation, responseObject);
   } failure:^(AFHTTPRequestOperation *operation, NSError *error) {
       [[UIApplication sharedApplication] setNetworkActivityIndicatorVisible:NO];
       failure(operation, error);
   }];
}

    Thank you!

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

AFNetworking 2.0 : Cannot POST with JSON from IOS
Wanted: Up-to-date example for JSON/POST with basic auth using AFNetworking-2
AFHTTPSessionManager header
Response failure when using AFHTTPRequestOperationManager
How to compare SSL certificates using AFNetworking
AFNetworking getting json value. URL doesn't work
A server with the specified hostname could not be found in AFNetworking
Passing parameter in url for GET method using afnetworking
Switching from http to https. Invalid certificate
How to get status code in AFNetworking