`AFHTTPSessionManager` now throws exception if SSL pinning mode is set for non https sessions by 0xced · Pull Request #3687 · AFNetworking/AFNetworking
approved these changes Sep 19, 2016
0xced mentioned this pull request
…URLs

### Before this commit

Setting a security policy configured with `AFSSLPinningModeCertificate` or `AFSSLPinningModePublicKey` on an AFHTTPSessionManager instance configured with an insecure `http` base URL was valid. Requests made with this manager would always succeed since `-[AFURLSessionManager URLSession:didReceiveChallenge:completionHandler:]` would never be called and thus the security policy would never be evaluated.

### After this commit

Setting a security policy configured with `AFSSLPinningModeCertificate` or `AFSSLPinningModePublicKey` on an AFHTTPSessionManager instance configured with an insecure `http` base URL will throw an exception. This will force the manager to be configured with a secure `https` URL. Note that properly configuring App Transport Security (ATS) would also solve this issue since insecure connections would fail anyway, but this is a *belt and suspenders* solution.
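The failure mode described above is silent: over plain `http` there is no TLS handshake, so no authentication challenge reaches the session delegate and a pinning policy is simply never consulted. The following is an added illustration of the kind of guard the PR describes, written for this page rather than taken from the PR's diff; the subclass name `PinningGuardedSessionManager`, the example host `api.example.com` and the choice to only reject when a base URL is actually set are assumptions of this example, and it uses only the public AFNetworking 3.x API (`AFHTTPSessionManager`, `AFSecurityPolicy`, `SSLPinningMode`, `baseURL`).

```objc
#import <Foundation/Foundation.h>
#import <AFNetworking/AFNetworking.h>

// Added example (not AFNetworking's own code): a session manager that refuses a
// pinning policy unless its base URL is https, so a misconfiguration fails loudly
// at setup time instead of letting every request through unpinned.
@interface PinningGuardedSessionManager : AFHTTPSessionManager
@end

@implementation PinningGuardedSessionManager

- (void)setSecurityPolicy:(AFSecurityPolicy *)securityPolicy {
    BOOL wantsPinning = securityPolicy.SSLPinningMode != AFSSLPinningModeNone;
    // Assumption of this example: a nil base URL is left alone (requests then carry
    // absolute URLs, which this guard cannot inspect up front). A nil scheme is
    // treated as insecure because it is certainly not https.
    BOOL hasInsecureBase = self.baseURL != nil &&
        ![@"https" isEqualToString:self.baseURL.scheme.lowercaseString];
    if (wantsPinning && hasInsecureBase) {
        [NSException raise:NSInvalidArgumentException
                    format:@"SSL pinning mode %lu requires an https base URL, got %@",
                           (unsigned long)securityPolicy.SSLPinningMode, self.baseURL];
    }
    [super setSecurityPolicy:securityPolicy];
}

@end

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        // Public-key pinning against the certificates bundled in the main bundle.
        AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey];

        // Accepted: https base URL, the pin will be evaluated on the TLS challenge.
        PinningGuardedSessionManager *secure = [[PinningGuardedSessionManager alloc]
            initWithBaseURL:[NSURL URLWithString:@"https://api.example.com"]];
        secure.securityPolicy = policy;
        NSLog(@"secure manager configured: %@", secure.baseURL);

        // Rejected: http base URL with a pinning policy that could never run.
        PinningGuardedSessionManager *insecure = [[PinningGuardedSessionManager alloc]
            initWithBaseURL:[NSURL URLWithString:@"http://api.example.com"]];
        @try {
            insecure.securityPolicy = policy;
            NSLog(@"unexpected: insecure manager accepted a pinning policy");
        } @catch (NSException *e) {
            NSLog(@"rejected as intended: %@", e.reason);
        }
    }
    return 0;
}
```

Setting the policy through the property setter is what makes the override effective; a caller that builds the manager with `-initWithBaseURL:` and then assigns `securityPolicy` hits the check, while a caller that never assigns a pinning policy is unaffected. As the PR description notes, an ATS configuration that forbids plain `http` would also surface the problem, but only at request time and only on platforms where ATS is enforced, which is why a setup-time check is the cheaper guard to keep.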
kcharwood changed the title from "Make it impossible to set a security policy with pinning on insecure URLs" to "AFHTTPSessionManager now throws exception if SSL pinning mode is set for non https sessions"
0xced deleted the invalid-security-policy branch