I'm using the ASIFormDataRequest class from the ASIHTTPRequest library to talk to a .NET web service over an HTTPS connection.
I'd like to make a solution that eliminates the need for SSL security, but the SSL certificate expires sooner than I can get an update to the AppStore.
I'm wondering what will happen when the app makes an ASIFormDataRequest after the certificate has expired. Will an error be thrown?
If certificate checking is enabled (which is the default), then any request to a server with an expired SSL certificate will fail with an error.
While applying an iOS app developed by me to FUT. They were able to intercept, view and modify all traffic between the app and the server even though the traffic was sent over SSL.
A self-signed certificate was installed on the phone prior to testing. The app traffic was then redirected to a proxy server which presents the self-signed certificate.
In order to bypass the SSL pinning, the team hooked into the runtime of the application (process) and injected code at runtime, which disabled the function that checks that the SSL pinning matches the corresponding server.
In case this helps: I am using Alamofire 4.7.2, Moya 11.0.2.
I have no idea about how to do the ssl pinning, please help.
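One way to do the pinning the question asks about, written here as an added example in Objective-C against NSURLSession (it is not code from Alamofire, Moya, or any of the posts): the delegate first lets the system evaluate the chain, so an expired certificate like the one in the first question is rejected at that step, and only then compares the SHA-256 of the leaf certificate's DER encoding against a pin set. The host name, pin values and file layout are placeholders.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <CommonCrypto/CommonDigest.h>

// Added example: a session delegate that pins the server's leaf certificate.
// Pin values are placeholders; replace them with the base64 SHA-256 of your
// server's current leaf certificate DER and of a backup certificate.
@interface PinningSessionDelegate : NSObject <NSURLSessionDelegate>
@property (nonatomic, copy) NSSet<NSString *> *pinnedLeafHashes;
@end

@implementation PinningSessionDelegate

// SHA-256 of arbitrary data, base64-encoded so pins can be stored as strings.
+ (NSString *)base64SHA256:(NSData *)data {
    unsigned char digest[CC_SHA256_DIGEST_LENGTH];
    CC_SHA256(data.bytes, (CC_LONG)data.length, digest);
    NSData *digestData = [NSData dataWithBytes:digest length:sizeof(digest)];
    return [digestData base64EncodedStringWithOptions:0];
}

- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition,
                             NSURLCredential * _Nullable))completionHandler {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        // Not a server-trust challenge (e.g. HTTP auth): let the system handle it.
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }

    SecTrustRef trust = space.serverTrust;

    // Step 1: standard validation (chain to a trusted root, host name, validity
    // period). An expired or self-signed certificate fails here, before any pin
    // is consulted, so pinning never weakens the default checks.
    CFErrorRef evalError = NULL;
    BOOL systemTrusted = SecTrustEvaluateWithError(trust, &evalError);
    if (evalError != NULL) {
        NSLog(@"TLS validation failed for %@: %@", space.host, (__bridge NSError *)evalError);
        CFRelease(evalError);
    }
    if (!systemTrusted) {
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
        return;
    }

    // Step 2: pin check on the leaf certificate. A proxy certificate that was
    // installed on the device passes step 1 but is rejected here.
    SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
    NSData *leafDER = (NSData *)CFBridgingRelease(SecCertificateCopyData(leaf));
    NSString *leafHash = [[self class] base64SHA256:leafDER];

    if ([self.pinnedLeafHashes containsObject:leafHash]) {
        completionHandler(NSURLSessionAuthChallengeUseCredential,
                          [NSURLCredential credentialForTrust:trust]);
    } else {
        NSLog(@"Pin mismatch for %@ (leaf hash %@)", space.host, leafHash);
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
    }
}

@end

// Usage: build a session whose every request goes through the pinning delegate.
// The pin strings are placeholders, not real values.
static NSURLSession *MakePinnedSession(void) {
    PinningSessionDelegate *delegate = [PinningSessionDelegate new];
    delegate.pinnedLeafHashes = [NSSet setWithArray:@[
        @"REPLACE_WITH_BASE64_SHA256_OF_CURRENT_LEAF_CERT_DER=",
        @"REPLACE_WITH_BASE64_SHA256_OF_BACKUP_LEAF_CERT_DER="
    ]];
    NSURLSessionConfiguration *config = [NSURLSessionConfiguration ephemeralSessionConfiguration];
    return [NSURLSession sessionWithConfiguration:config delegate:delegate delegateQueue:nil];
}
```

Two notes on the design. Pinning the leaf hash means every certificate renewal needs an app update, which is why a backup pin is included; pinning the public key or an intermediate CA instead lets the leaf rotate. And, as the question's test team showed, a check that runs inside the app process can be disabled by instrumentation on a device the tester controls, so pinning raises the bar against interception on the network but is not a defence against code running inside the app. With Alamofire 4.7.2 the equivalent configuration is a `ServerTrustPolicyManager` holding a `.pinCertificates` or `.pinPublicKeys` policy for the host, attached to the `SessionManager` that is handed to `MoyaProvider` as its `manager`.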
How do I install a certified TLS certificate on an iOS app?
I assume there also needs to be the ability to send a new certificate over the network to the app in the future, if need be, and how exactly would that work?
I assume once it's installed that Apple will handle the entire handshake process on the device side?
Had some trouble finding explicit answers to these questions online.
Assuming that what you are describing is a signed SSL certificate for your domain name, the only thing you will need to do is install it on your web server. When your application makes a request to your web server, the server will send the certificate to the client during the initial HTTPS handshake, and the client will verify it automatically.
I understand the use and necessity of SSL Certificates. I am looking for a detailed explanation of the relationship between http protocol and SSL Certificate and also between https and SSL Certificate.
In AFNetworking defining _AFNETWORKING_ALLOW_INVALID_SSL_CERTIFICATES_ allows invalid certificates.
Assuming this flag is not set, the library should deny invalid certificates by default. But what if the server has no certificate installed at its end? I see that I can access a server with no certificate using http protocol.
And does the default certificate validation occur for https protocol only?
I want to access only those servers that have a certificate and are valid, over both http and https. Is this feature required, and if so, is it possible?
I think you don't understand what HTTP and HTTPS are about:
http is the session protocol to communicate with servers without encryption. Everything is sent in the clear and there is also no way to verify the authenticity of the server (i.e. that the server responding indeed has the correct hostname). A server doesn't need an SSL certificate in this case.
https is used when you want to ensure that communication with the server is encrypted. For this, the server needs an SSL certificate and before anything is sent over the HTTP session, a handshake will take place allowing the client to fetch the SSL certificate of the server in order to encrypt the data that is sent. So an SSL certificate is only used for HTTPS connections.
It is also possible to verify the authenticity of the server, depending on the SSL certificate used. All browsers (and by default on iOS, unless you explicitly change this in your app) will only accept SSL certificates that have been issued by known certification authorities. This way you can be sure that the server is indeed located at the hostname you requested. Depending on the SSL certificate the owner of the server might also be verified (i.e. that the server indeed belongs to the company it claims to belong to).
I have an iPhone app that needs to make a secure connection to my webservice.
I have a CA which I created and want to add to the app, so that it creates the connection and authenticates my server.
I am using RestKit 0.20.3 to make the requests.
How do I configure the AFHTTPClient to trust my certificate?
Only adding your URL in https:// format will do, because your information will be encrypted based on the SSL certificate.
ASIHTTPRequest client certificate support
If your server requires the use of client certificates, as of v1.8 it is now possible to send them with your request.
// Will send the certificate attached to the identity (identity is a SecIdentityRef)
[request setClientCertificateIdentity:identity];
// Add an additional certificate (where cert is a SecCertificateRef)
[request setClientCertificates:[NSArray arrayWithObject:(id)cert]];
There is a helper function in ClientCertificateTests.m in the iPhone / iPad sample app that can create a SecIdentityRef from PKCS12 data (this function only works on iOS).
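The mutual-TLS case the snippet above covers, as an added Objective-C example that is not ASIHTTPRequest's own `ClientCertificateTests.m` helper: a PKCS#12 blob is turned into a `SecIdentityRef` with `SecPKCS12Import`, then attached to a request while server certificate validation stays on. The URL, file name and passphrase are placeholders, and the note that ASIHTTPRequest retains the identity it is handed is an assumption about the library's setter.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import "ASIHTTPRequest.h"

// Added example: load a client identity from PKCS#12 data. The caller owns the
// returned reference and must CFRelease it.
static SecIdentityRef CopyIdentityFromPKCS12(NSData *p12Data, NSString *password) {
    NSDictionary *options = @{ (__bridge id)kSecImportExportPassphrase : password };
    CFArrayRef items = NULL;
    OSStatus status = SecPKCS12Import((__bridge CFDataRef)p12Data,
                                      (__bridge CFDictionaryRef)options,
                                      &items);
    if (status != errSecSuccess || items == NULL || CFArrayGetCount(items) == 0) {
        // Wrong passphrase, malformed file, or no identity inside the bundle.
        NSLog(@"SecPKCS12Import failed with status %d", (int)status);
        if (items) CFRelease(items);
        return NULL;
    }
    CFDictionaryRef firstItem = CFArrayGetValueAtIndex(items, 0);
    SecIdentityRef identity = (SecIdentityRef)CFDictionaryGetValue(firstItem, kSecImportItemIdentity);
    if (identity) CFRetain(identity);  // keep it alive after the array is released
    CFRelease(items);
    return identity;
}

// Build a request that presents the client certificate during the TLS handshake.
// URL, resource name and passphrase are placeholders; a real app should keep the
// passphrase out of the bundle (e.g. in the keychain) rather than as a literal.
static ASIHTTPRequest *MakeClientCertRequest(void) {
    NSString *p12Path = [[NSBundle mainBundle] pathForResource:@"client" ofType:@"p12"];
    NSData *p12Data = [NSData dataWithContentsOfFile:p12Path];
    if (p12Data == nil) { return nil; }

    SecIdentityRef identity = CopyIdentityFromPKCS12(p12Data, @"REPLACE_WITH_PASSPHRASE");
    if (identity == NULL) { return nil; }

    NSURL *url = [NSURL URLWithString:@"https://api.example.com/secure"];
    ASIHTTPRequest *request = [ASIHTTPRequest requestWithURL:url];
    [request setValidatesSecureCertificate:YES];   // server-side checks stay on
    [request setClientCertificateIdentity:identity];
    CFRelease(identity);  // assumption: the request retains the identity it was given
    return request;
}
```

The client certificate only answers the server's request for client authentication; it does nothing to verify the server, which is why `setValidatesSecureCertificate:YES` is kept rather than switched off to make a self-signed server certificate work.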
And look here for more info about handling a self-signed certificate on the iOS end:
Use a self-signed ssl certificate in an iphone app
iPhone: install certificate for SSL connection
I'm fairly new to SSL and secure connections in general. What are the major steps required for an iOS app to talk to a server over a secure communications channel?
I'm aware that an SSL certificate will probably be necessary. I'm planning to purchase one from a trusted certificate authority. However I'm not sure if both the app and the server need certificates or if it's just the server. Also I'm not sure how to handle SSL errors. Perhaps there's a library that can help with this like ASIHTTPRequest or similar.
If you are using HTTPS as your protocol for communication and have valid certificates on your server all that should be required is changing your http:// to https:// on your client. For HTTP libraries a very popular option now is AFNetworking. It is a bit better maintained than ASI and has some nice block features not supported by ASI.
As far as SSL errors, it is usually a good idea to present the warnings to end users (through alert views or some other means). They could point to real security attacks (but more likely will point to misconfigured or expired certificates).