AFNetworking: need to bypass SSL check

I have an application that connects directly to hardware routers. Since iOS 9 I updated AFNetworking, and now I get SSL errors when I try to connect via https.

This is not a problem with iOS 9 App Transport Security, since I added the appropriate .plist entry to get around it, and the connections work fine over http.

I need to bypass certificate verification, since each router has its own certificate, so I obviously can not add certificates to my application, since each user is different.

I use an AFHTTPRequestOperation subclass for connections and set self.securityPolicy.allowInvalidCertificates = YES;, but I get the following error:

Connection error: Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9806, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fa9f3611b40 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSErrorFailingURLStringKey=https://myserver.com:4780/Info.htm, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFNetworkCFStreamSSLErrorOriginalValue=-9806, _kCFStreamPropertySSLClientCertificateState=0, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., _kCFStreamErrorCodeKey=-9806}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://myserver.com:4780/Info.htm, NSErrorFailingURLStringKey=https://myserver.com:4780/Info.htm, _kCFStreamErrorDomainKey=3}

I also tried adding setWillSendRequestForAuthenticationChallengeBlock:; however, the block is never called.

Can anybody help?

thanks

EDIT ----- Setting self.securityPolicy.validatesDomainName = NO; also does not work. Interestingly, there is no problem with the type of certificate on the hardware.

EDIT 2 ----- Here is the certificate

    New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : SSLv3
        Cipher    : DES-CBC3-SHA
        Session-ID: 010000000C6B8632215649C0665E9DCC9B2222B2222B2222B2272B220072B22BB22B
        Session-ID-ctx:
        Master-Key: D71EC7D8F7A4A3581E25CDAD9C532B2C7B4DA8B513AF337095496B575F525CFBA02A40797B2D2A4F0B5911EFEFC3623F
        Key-Arg   : None
        Start Time: 1443102149
        Timeout   : (value unreadable in source)
        Verify return code: 18 (self signed certificate)

EDIT 3 -------- Adding this code to my subclass of AFHTTPRequestOperation makes it work on iOS 8; however, the block is not even called on iOS 9.

    [self setWillSendRequestForAuthenticationChallengeBlock:^(NSURLConnection * _Nonnull connection, NSURLAuthenticationChallenge * _Nonnull challenge) {
        NSLog(@"**** HERE ****");
        if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
            // Accept the server's certificate exactly as presented (no chain validation).
            [challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]
                 forAuthenticationChallenge:challenge];
        } else {
            // A challenge must be answered exactly once: only non-trust challenges fall through here.
            [challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge];
        }
    }];
+5
5 answers

I had similar problems and in my case I decided to set the AFSSLPinningModeNone security policy and obviously allow invalid certificates.

Example in Obj-C:

    AFHTTPRequestOperationManager *manager = [AFHTTPRequestOperationManager manager];
    AFSecurityPolicy *securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeNone];
    securityPolicy.allowInvalidCertificates = YES;
    manager.securityPolicy = securityPolicy;
    [manager POST:url parameters:nil success:^(AFHTTPRequestOperation *operation, id responseObject) {
        NSLog(@"Response: %@", responseObject);
    } failure:^(AFHTTPRequestOperation *operation, NSError *error) {
        NSLog(@"Error: %@", error);
    }];
+1
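As an added example (not code from the question or from any of the answers above): allowInvalidCertificates = YES accepts whatever certificate anyone on the network path presents, so the connection is encrypted but not authenticated. Because each router has its own self-signed certificate, a safer fit for this situation is trust-on-first-use: remember the certificate fingerprint the first time the app talks to a given router and reject any different certificate from that host afterwards. The block below assumes AFNetworking 3.x's session-based API (AFHTTPSessionManager and setSessionDidReceiveAuthenticationChallengeBlock:); the function RouterSessionManager, the helper names and the NSUserDefaults key are mine, and NSUserDefaults stands in for the Keychain purely to keep the example short. It only changes how the server's certificate is judged; it does not help when the TLS handshake is refused before any trust challenge is delivered, which is what the question describes (block never called, server speaking SSLv3 only), so the server-side TLS 1.2 upgrade or the NSExceptionMinimumTLSVersion advice given elsewhere on this page still applies.

```objectivec
// Added example: trust-on-first-use pinning of per-device self-signed certificates
// with AFNetworking 3.x. Not part of the original question or answers.
#import <AFNetworking/AFNetworking.h>
#import <CommonCrypto/CommonDigest.h>

// Hypothetical storage key; a production app would use the Keychain instead.
static NSString *const kRouterPinStoreKey = @"RouterPinnedCertSHA256";

// SHA-256 hex fingerprint of a certificate's DER encoding.
static NSString *SHA256HexOfCertificate(SecCertificateRef cert) {
    NSData *der = (__bridge_transfer NSData *)SecCertificateCopyData(cert);
    unsigned char digest[CC_SHA256_DIGEST_LENGTH];
    CC_SHA256(der.bytes, (CC_LONG)der.length, digest);
    NSMutableString *hex = [NSMutableString stringWithCapacity:CC_SHA256_DIGEST_LENGTH * 2];
    for (int i = 0; i < CC_SHA256_DIGEST_LENGTH; i++) {
        [hex appendFormat:@"%02x", digest[i]];
    }
    return hex;
}

// First contact with a host: record the leaf certificate's fingerprint and accept.
// Later contacts: accept only if the leaf matches what was recorded.
static BOOL EvaluateTrustOnFirstUse(SecTrustRef trust, NSString *host) {
    if (SecTrustGetCertificateCount(trust) < 1) {
        return NO;
    }
    SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
    NSString *fingerprint = SHA256HexOfCertificate(leaf);

    NSUserDefaults *store = [NSUserDefaults standardUserDefaults];
    NSDictionary *pins = [store dictionaryForKey:kRouterPinStoreKey] ?: @{};
    NSString *known = pins[host];
    if (known == nil) {
        NSMutableDictionary *updated = [pins mutableCopy];
        updated[host] = fingerprint;
        [store setObject:updated forKey:kRouterPinStoreKey];
        return YES;  // first use: remember this router's certificate
    }
    // A mismatch means either the router was re-keyed (needs an explicit user reset)
    // or something else is answering on that host.
    return [known isEqualToString:fingerprint];
}

// Builds a session manager whose trust decisions come from the pin store above.
AFHTTPSessionManager *RouterSessionManager(void) {
    AFHTTPSessionManager *manager = [AFHTTPSessionManager manager];
    // AFNetworking's own chain evaluation is not used; the challenge block decides.
    manager.securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeNone];

    [manager setSessionDidReceiveAuthenticationChallengeBlock:^NSURLSessionAuthChallengeDisposition(
            NSURLSession *session,
            NSURLAuthenticationChallenge *challenge,
            NSURLCredential *__autoreleasing *credential) {
        if (![challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
            return NSURLSessionAuthChallengePerformDefaultHandling;
        }
        SecTrustRef trust = challenge.protectionSpace.serverTrust;
        if (EvaluateTrustOnFirstUse(trust, challenge.protectionSpace.host)) {
            *credential = [NSURLCredential credentialForTrust:trust];
            return NSURLSessionAuthChallengeUseCredential;
        }
        // Unknown certificate for a host we already know: refuse rather than talk.
        return NSURLSessionAuthChallengeCancelAuthenticationChallenge;
    }];
    return manager;
}
```

Usage is the same as with any AFHTTPSessionManager: call RouterSessionManager() once and issue GET/POST requests against the router's https URL. The first request to each router records its certificate; a later request from a device presenting a different certificate for the same host fails with a cancelled challenge, which is the signal to surface to the user instead of silently reconnecting.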

From the Apple documentation:

Default behavior

All connections using the NSURLConnection, CFURL, or NSURLSession APIs use the App Transport Security default behavior in apps built for iOS 9.0 or later and OS X v10.11 or later. Connections that do not follow the requirements will fail. For more information on the various connection methods, see the NSURLConnection Class Reference, CFURL Reference, or NSURLSession Class Reference.

These are the App Transport Security requirements:

The server must support at least Transport Layer Security (TLS) protocol version 1.2. Connection ciphers are limited to those that provide forward secrecy (see the list of ciphers below). Certificates must be signed using the SHA256 hash algorithm or better, with either a 2048-bit or larger RSA key or a 256-bit or larger Elliptic Curve (ECC) key. Invalid certificates result in a hard failure and no connection. These are the accepted ciphers:

    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

You might want to update the security settings on your hardware to be compatible with the above and/or set NSExceptionMinimumTLSVersion to TLSv1.0.

+1
    AFSecurityPolicy *securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeNone];
    securityPolicy.allowInvalidCertificates = YES;
    manager.securityPolicy = securityPolicy;
+1

In your subclass of AFHTTPRequestOperation, do the following:

    - (BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace {
        if ([protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
            return YES;
        }
        return [super connection:connection canAuthenticateAgainstProtectionSpace:protectionSpace];
    }

    - (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
        if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
            // Accept the presented server certificate without chain validation.
            [challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]
                 forAuthenticationChallenge:challenge];
            return;
        }
        [super connection:connection didReceiveAuthenticationChallenge:challenge];
    }
0

To allow an invalid SSL certificate with AFNetworking, add the following line to AFURLConnectionOperation.h below #import <Availability.h>:

    #define _AFNETWORKING_ALLOW_INVALID_SSL_CERTIFICATES_ 1

0

Source: https://habr.com/ru/post/1231934/
