This repository has been archived by the owner on Jan 17, 2023. It is now read-only.

AFHTTPSessionManager now throws exception if SSL pinning mode is set for non https sessions #3687

Merged
merged 1 commit into from
Oct 6, 2016

Commits on Oct 5, 2016

  1. Make it impossible to set a security policy with pinning on insecure URLs
    
    ### Before this commit
    Setting a security policy configured with `AFSSLPinningModeCertificate` or `AFSSLPinningModePublicKey` on an AFHTTPSessionManager instance configured with an insecure `http` base URL was valid. Requests made with this manager would always succeed since `-[AFURLSessionManager URLSession:didReceiveChallenge:completionHandler:]` would never be called and thus the security policy would never be evaluated.
    
    ### After this commit
    Setting a security policy configured with `AFSSLPinningModeCertificate` or `AFSSLPinningModePublicKey` on an AFHTTPSessionManager instance configured with an insecure `http` base URL will throw an exception. This will force the manager to be configured with a secure `https` URL.
    
    Note that properly configuring App Transport Security (ATS) would also solve this issue since insecure connections would fail anyway, but this is a *belt and suspenders* solution.
    0xced committed Oct 5, 2016
    f9ed2d2
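
The behaviour described in the commit message above, seen from the calling side. This is an added example, not code from this pull request or from AFNetworking: `ExamplePinnedManager`, `ExamplePinningErrorDomain` and the `example.test` URLs are hypothetical, and the up-front scheme check is this example's own, so that callers on a version without the commit get the same refusal.

```objective-c
#import <Foundation/Foundation.h>
#import <AFNetworking/AFNetworking.h>

// Hypothetical error domain used only by this example.
static NSString * const ExamplePinningErrorDomain = @"ExamplePinningErrorDomain";

// Hypothetical helper: returns a manager with certificate pinning enabled, or
// nil plus an NSError when pinning could never be evaluated for baseURL.
static AFHTTPSessionManager *ExamplePinnedManager(NSURL *baseURL, NSError **error) {
    // URL schemes are case-insensitive, so normalise before comparing.
    // A nil baseURL yields a nil scheme and is rejected as well.
    NSString *scheme = baseURL.scheme.lowercaseString;
    if (![scheme isEqualToString:@"https"]) {
        if (error) {
            NSString *msg = [NSString stringWithFormat:
                @"Pinning requires an https base URL, got %@", baseURL];
            *error = [NSError errorWithDomain:ExamplePinningErrorDomain code:1
                                     userInfo:@{NSLocalizedDescriptionKey: msg}];
        }
        return nil;
    }

    AFHTTPSessionManager *manager = [[AFHTTPSessionManager alloc] initWithBaseURL:baseURL];
    AFSecurityPolicy *policy =
        [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate];
    @try {
        // With the commit applied, this setter throws if the manager's base
        // URL is insecure; convert that into the same NSError path.
        manager.securityPolicy = policy;
    } @catch (NSException *exception) {
        if (error) {
            NSString *reason = exception.reason ?: @"security policy rejected";
            *error = [NSError errorWithDomain:ExamplePinningErrorDomain code:2
                                     userInfo:@{NSLocalizedDescriptionKey: reason}];
        }
        return nil;
    }
    return manager;
}

// Constructed inputs: the http URL is refused, the https URL is accepted.
static void ExampleDemo(void) {
    NSError *error = nil;
    AFHTTPSessionManager *bad =
        ExamplePinnedManager([NSURL URLWithString:@"http://api.example.test"], &error);
    NSLog(@"http manager: %@, error: %@", bad, error.localizedDescription);
    AFHTTPSessionManager *good =
        ExamplePinnedManager([NSURL URLWithString:@"https://api.example.test"], NULL);
    NSLog(@"https manager pinning mode: %lu", (unsigned long)good.securityPolicy.SSLPinningMode);
}
```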