AFNetworking SSL Pinning Expired Certificates

About

Asked 26/2, 2014 at 22:46 Answered 19/3, 2017 at 11:47

How do you update expired ssl certificates if ssl pinning is used on ios apps? It seems like only an app update would enable updating the certificate but then users who don't update the app will not receive this update.

Schlenger answered 26/2, 2014 at 22:46 Comment(0)

The key is to understand the possible values for AFSecurityPolicy's pinningMode.

AFSSLPinningModeCertificate means that the certificate provided by the server must match exactly one of the pinned certificates, which by default are the certificates in your app bundle. This is the mode you are currently using.

AFSSLPinningModePublicKey means that the certificate provided by the server must contain the same public key as one of the certificates pinned by your app.

If you use AFSSLPinningModePublicKey and renew (update) your server certificate with the same keypair, your iOS app will continue to work without modification.

Gerita answered 27/2, 2014 at 16:25 Comment(7)

Are you sure AFSSLPinningModePublicKey means that the server must have been signed by the same key, as opposed to having the certificate contain the same public key as the reference one (which would generally make more sense)? – Salutary 27/2, 2014 at 16:39

@Salutary Thanks, I've amended the explanation to make it clearer. – Gerita 27/2, 2014 at 16:42

No worries, good answer anyway, I was actually just looking at the bottom of the file you linked to, it said indeed "Validate host certificates against public keys of pinned certificates.". – Salutary 27/2, 2014 at 16:43

what about if you have to change the key upon renewing the certificate? – Schlenger 27/2, 2014 at 20:14

If you change the key, the certificate won't match for either pinning mode, and you'll have to get your users to update the app. – Gerita 28/2, 2014 at 14:41

Is it true that AFSSLPinningModePublicKey does not check the expiration date of the bundled certificate? I'm having trouble determining if this is the case as you seem to have indicated. – Peon 1/8, 2016 at 21:57

One would assume so – the idea with public key pinning is that new certificates can be issued and deployed to a server, and old clients continue to function. – Gerita 2/8, 2016 at 13:52

To address the second part of the question, yes users with old versions will be locked out.

To lower the impact, a common strategy is to include the new certificate alongside the soon to be expired certificate. This gives users a few 'buffer' versions they can be on and still have access after the changeover.

Ebby answered 19/3, 2017 at 11:47 Comment(0)

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags