SSL connection with AFNetworking 2.0, providing POST requests regardless of the certificate file used

We use DigiCert as our certification authority. We made a .cer file with the following command:

openssl x509 -in WEBSITE.crt -outform der -out WEBSITE.cer 

which MUST work, but the problem is that not only does this one work, but any file that we put in the code works. We even tested empty .cer files, and that works too. By work, I mean that we can make a mail request to the server no matter what .cer file is used. Obviously, we would like it to fail if something other than our signed certificate is used.

Our origin is set in Cloudflare, which is then sent to the Amazon balancer on which our certificates are installed.

I use Charles Proxy for MITM myself, and I can do this with or without a certificate in an iOS app.

We use the latest version of AFNetworking to generate the SSL pin. I subclassed AFHTTPRequestOperationManager and added the following method:

    + (AFSecurityPolicy *)siteSecurityPolicy {
        /**** SSL Pinning ****/
        NSString *cerPath = [[NSBundle mainBundle] pathForResource:@"WEBSITE" ofType:@"cer"];
        NSData *certData = [NSData dataWithContentsOfFile:cerPath];
        AFSecurityPolicy *securityPolicy = [[AFSecurityPolicy alloc] init];
        [securityPolicy setAllowInvalidCertificates:NO];
        [securityPolicy setPinnedCertificates:@[certData]];
        [securityPolicy setSSLPinningMode:AFSSLPinningModeCertificate];
        /**** SSL Pinning ****/
        return securityPolicy;
    }

My code for creating a message is as follows:

    websiteRequestOperationManager *manager = [websiteRequestOperationManager manager];
    /**** SSL Pinning ****/
    [manager setSecurityPolicy:[websiteRequestOperationManager siteSecurityPolicy]];
    /**** SSL Pinning ****/
    [manager GET:WEBSITE_URL
      parameters:params
         success:^(AFHTTPRequestOperation *operation, NSDictionary *responseObject) {
             // code
         }
         failure:^(AFHTTPRequestOperation *operation, NSError *error) {
             // code
         }];

What critical step did we miss?

I should also mention that I NSLog'd:

 [manager.securityPolicy.pinnedCertificates count] 

and got 1.

1 answer

This seems to be the case for me using AFNetworking 2.3.1. AFNetworking 2.1.0 does not have this problem; however, pinning breaks there on iOS 8 beta 5.


Source: https://habr.com/ru/post/972858/
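
A guard for the empty-file case described in the question, as an added example that is not part of the original post or of AFNetworking: it checks the bundled file before building the policy, so a missing, empty, or non-DER WEBSITE.cer is caught in the app instead of being passed to the pinning code. The helper names ValidatedPinnedCertificate and StrictSiteSecurityPolicy are hypothetical, and the guard does not address the AFNetworking version behaviour mentioned in the answer.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import "AFSecurityPolicy.h"

// Hypothetical helper (not part of AFNetworking): returns the bytes of a
// bundled .cer file only if they parse as a DER-encoded X.509 certificate.
static NSData *ValidatedPinnedCertificate(NSString *name) {
    NSString *path = [[NSBundle mainBundle] pathForResource:name ofType:@"cer"];
    NSData *data = path ? [NSData dataWithContentsOfFile:path] : nil;
    if (data.length == 0) {
        return nil; // file missing from the bundle, unreadable, or empty
    }
    // SecCertificateCreateWithData returns NULL when the bytes are not a
    // DER-encoded certificate (for example PEM text or a truncated file).
    SecCertificateRef cert =
        SecCertificateCreateWithData(NULL, (__bridge CFDataRef)data);
    if (cert == NULL) {
        return nil;
    }
    CFRelease(cert);
    return data;
}

// Hypothetical helper: builds the same policy as siteSecurityPolicy in the
// question, but returns nil when there is no usable pin. The caller must
// treat nil as fatal and not send the request with a default policy.
static AFSecurityPolicy *StrictSiteSecurityPolicy(void) {
    NSData *pin = ValidatedPinnedCertificate(@"WEBSITE");
    if (pin == nil) {
        NSLog(@"WEBSITE.cer is missing, empty, or not DER; no policy built");
        return nil;
    }
    AFSecurityPolicy *policy = [[AFSecurityPolicy alloc] init];
    [policy setAllowInvalidCertificates:NO];
    [policy setPinnedCertificates:@[pin]];
    [policy setSSLPinningMode:AFSSLPinningModeCertificate];
    return policy;
}
```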

