Check SSL myself?

Discussion in 'iOS Programming' started by ArtOfWarfare, May 21, 2014.

  1. ArtOfWarfare, May 21, 2014
    Last edited: May 21, 2014

    #1
    Updated questions below - stuff before the update probably not necessary anymore.

    I'm using MKNetworkKit to handle the nitty gritty HTTPS communications with my server in my iOS app.

    I'm using a self-signed certificate, because I can securely communicate with both my server and client (because the code is installed via Apple's iOS App Store and not downloaded over the open internet as a typical web app is).

    It's using https and has the ssl argument set to YES.

    Here's the problem: my certificate is getting rejected somewhere along the way and I'm not sure how/where. I want to replace whatever checks are taking place right now with a simple check of the fingerprint on the certificate - if the fingerprint is correct, then the client is communicating securely with my server. If the fingerprint is wrong, then a man-in-the-middle attack is taking place and someone else is pretending to be my server.

    Here's the logged output:

    Code:
    Test Suite 'All tests' started at 2014-05-21 22:32:53 +0000
    Test Suite 'iOSAPITests.xctest' started at 2014-05-21 22:32:53 +0000
    Test Suite 'iOSAPITests' started at 2014-05-21 22:32:53 +0000
    Test Case '-[iOSAPITests testGetNull]' started.
    2014-05-21 18:32:53.675 xctest[2235:303] -[MKNetworkEngine reachabilityChanged:] [Line 210] Server [mydomain.com] is reachable via Wifi
    2014-05-21 18:32:54.222 xctest[2235:303] -[MKNetworkOperation connection:willSendRequestForAuthenticationChallenge:] [Line 1148] Certificate is invalid, continuing without credentials. Might result in 401 Unauthorized
    2014-05-21 18:32:54.276 xctest[2235:2203] NSURLConnection/CFURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
    2014-05-21 18:32:54.303 xctest[2235:303] -[MKNetworkOperation operationFailedWithError:] [Line 1505] Wednesday, May 21, 2014 at 6:32:54 PM Eastern Daylight Time
    Request
    -------
    curl -X GET 'https://mydomain.com:80/myapp/.json', [The certificate for this server is invalid. You might be connecting to a server that is pretending to be “mydomain.com” which could put your confidential information at risk.]

    Port 80 isn't a typo in the logs, in case you caught that. I really have https running off of port 80 on my server, just because it's not working for some reason when I switch it to port 334... I'll investigate that later... I don't think it's related to this certificate authentication issue...

    Updated questions
    I solved the prior issue by setting shouldContinueWithInvalidCertificate to YES on each operation as I created it.

    So now my operations work and communications are encoded, but I can't be certain on the client end that a man-in-the-middle attack isn't taking place.

    I need a way to test the certificate myself. MKNetworkKit uses NSURLConnection... is it possible for me to get at the certificate and test it?

    This page here:
    https://developer.apple.com/library...rotectionSpace_Class/Reference/Reference.html

    Suggests that I should read

    But that's not a link. I've googled for it and haven't found anything yet.
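One way to do the fingerprint check the question asks about, as an added example that is not from this thread, from MKNetworkKit or from the ssl-conservatory code: an NSURLConnection delegate that pins the server's leaf certificate by the SHA-256 of its DER encoding and cancels the connection on any mismatch. The class name PinningDelegate and the constant kPinnedCertSHA256 (a placeholder you replace with your own certificate's digest) are assumptions.

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <CommonCrypto/CommonDigest.h>

// Placeholder (assumption): hex SHA-256 of the server's DER-encoded certificate.
// Obtain it with: openssl x509 -in server.crt -outform DER | openssl dgst -sha256
static NSString * const kPinnedCertSHA256 = @"<hex sha256 of your DER certificate>";

static NSString *SHA256HexOfData(NSData *data) {
    unsigned char digest[CC_SHA256_DIGEST_LENGTH];
    CC_SHA256(data.bytes, (CC_LONG)data.length, digest);
    NSMutableString *hex = [NSMutableString string];
    for (int i = 0; i < CC_SHA256_DIGEST_LENGTH; i++) [hex appendFormat:@"%02x", digest[i]];
    return hex;
}

// YES only when the leaf certificate the server presented matches the pin.
static BOOL ServerTrustMatchesPin(SecTrustRef trust) {
    if (trust == NULL || SecTrustGetCertificateCount(trust) < 1) return NO;
    SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
    NSData *der = CFBridgingRelease(SecCertificateCopyData(leaf));
    return [SHA256HexOfData(der) caseInsensitiveCompare:kPinnedCertSHA256] == NSOrderedSame;
}

@interface PinningDelegate : NSObject <NSURLConnectionDelegate>
@end

@implementation PinningDelegate
// Called for every TLS challenge. The system chain check fails for a
// self-signed certificate, so the decision rests on the fingerprint alone.
- (void)connection:(NSURLConnection *)connection
willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if ([space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]
        && ServerTrustMatchesPin(space.serverTrust)) {
        NSURLCredential *cred = [NSURLCredential credentialForTrust:space.serverTrust];
        [challenge.sender useCredential:cred forAuthenticationChallenge:challenge];
    } else {
        // Mismatch or an unexpected challenge type: abort rather than
        // continue with an unverified peer.
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}
@end
```

MKNetworkOperation is its own connection delegate, so in practice this check goes inside its willSendRequestForAuthenticationChallenge: method (the one the log shows at Line 1148) rather than in a separate class. When the pinned certificate is rotated, the app must ship the new digest before the server switches, or every client will (correctly) refuse to connect.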
     
  2. astronomic
    #2

    Check this out for ssl pinning:
    https://github.com/iSECPartners/ssl-conservatory/tree/master/ios
     
  3. ArtOfWarfare (thread starter)
    #3
    I have three thoughts on this:
    1 - Awesome! It looks easy to drop in alongside MKNetworkKit!
    2 - It says to see the LICENSE file, but there's no such file in the repository... There's no license information at the top of any of the files as far as I can tell, either.
    3 - That this exists makes me feel more comfortable - I wasn't sure that I really had a case where using self-signed certificates was the right thing because there's so much documentation saying it's only suitable for intranet apps and sites. But the read me more concisely says what I was thinking, that my list of servers is known.

    Heck, they even have it set up to allow me to change certificates periodically just like I was planning on.
     