This repository has been archived by the owner on Jan 17, 2023. It is now read-only.
Fixing failing test testNoPinningIsEnforcedForHTTPBinOrgIfNoCertificateIsPinned
104ce04
Hi Mattt,
This fix will cause the 'allowInvalidCertificates' parameter to be ignored, and return true for both valid and invalid serverTrusts whatever 'allowInvalidCertificates' is.
Since 'AFSSLPinningModeNone' is the default mode, this will cause a serious security issue, for it will let all invalid serverTrusts pass the test by default. I don't think this is what developers expect.
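To make the defect described in the comment above concrete, here is an added illustrative reconstruction in Objective-C (not AFNetworking's own code) of a server-trust check's "no pinning" branch, first in the shape that ignores `allowInvalidCertificates`, then in a shape that honours it. The type `PinningMode` and the functions `ServerTrustIsValid`, `weakEvaluateServerTrust` and `evaluateServerTrust` are hypothetical names standing in for the project's own.

```objective-c
// Illustrative reconstruction, not AFNetworking's code: the "no pinning" branch of a
// server-trust check, first in the shape the comment above warns about, then in a
// shape that still honours allowInvalidCertificates.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical names; they stand in for the project's pinning mode enum.
typedef NS_ENUM(NSUInteger, PinningMode) {
    PinningModeNone,
    PinningModeCertificate,
};

// Ask the system trust evaluator whether the presented chain is valid.
static BOOL ServerTrustIsValid(SecTrustRef serverTrust) {
    SecTrustResultType result = kSecTrustResultInvalid;
    if (SecTrustEvaluate(serverTrust, &result) != errSecSuccess) {
        return NO;
    }
    return result == kSecTrustResultUnspecified || result == kSecTrustResultProceed;
}

// Weak form: with no pinning configured, the trust is accepted before the system
// verdict is consulted, so allowInvalidCertificates == NO has no effect and an
// untrusted or expired chain passes by default.
static BOOL weakEvaluateServerTrust(PinningMode mode, BOOL allowInvalidCertificates,
                                    SecTrustRef serverTrust) {
    (void)allowInvalidCertificates; // intentionally unused: this is the defect
    if (mode == PinningModeNone) {
        return YES;
    }
    // Pinning modes would compare the chain against pinned certificates here.
    return NO;
}

// Corrected form: "no pinning" means "no check beyond the system's", not
// "no check at all"; an invalid chain only passes when the caller opted in.
static BOOL evaluateServerTrust(PinningMode mode, BOOL allowInvalidCertificates,
                                SecTrustRef serverTrust) {
    if (mode == PinningModeNone) {
        return allowInvalidCertificates || ServerTrustIsValid(serverTrust);
    }
    // Pinning modes would compare the chain against pinned certificates here.
    return NO;
}
```

A unit test for the corrected form should cover both an untrusted chain with `allowInvalidCertificates == NO` (expect NO) and the same chain with `YES` (expect YES), which is exactly the pair of cases the weak form cannot distinguish.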
@vagase good job on noticing this! 👍
http://blog.mindedsecurity.com/2015/03/ssl-mitm-attack-in-afnetworking-251-do.html