From 9ba48388628df9ac8ebe6cdd5475a0179cf908b2 Mon Sep 17 00:00:00 2001 From: Kevin Harwood Date: Wed, 30 Jan 2013 10:26:01 -0600 Subject: [PATCH 1/7] Added in a property to handle invalid SSL certs --- AFNetworking/AFURLConnectionOperation.h | 5 +++++ AFNetworking/AFURLConnectionOperation.m | 22 +++++++++++++++------- 2 files changed, 20 insertions(+), 7 deletions(-) diff --git a/AFNetworking/AFURLConnectionOperation.h b/AFNetworking/AFURLConnectionOperation.h index ff4130d..c580840 100644 --- a/AFNetworking/AFURLConnectionOperation.h +++ b/AFNetworking/AFURLConnectionOperation.h @@ -105,6 +105,11 @@ */ @property (readonly, nonatomic, strong) NSError *error; +/** + The flag to determine if the connection should accept an invalid SSL certificate. If `_AFNETWORKING_ALLOW_INVALID_SSL_CERTIFICATES_` is set, this property defaults to YES. Otherwise, this property defaults to NO. + */ +@property (nonatomic,assign) BOOL allowInvalidSSLCertificate; + ///---------------------------- /// @name Getting Response Data ///---------------------------- diff --git a/AFNetworking/AFURLConnectionOperation.m b/AFNetworking/AFURLConnectionOperation.m index 122ec36..99e1693 100644 --- a/AFNetworking/AFURLConnectionOperation.m +++ b/AFNetworking/AFURLConnectionOperation.m @@ -212,6 +212,11 @@ static inline BOOL AFStateTransitionIsValid(AFOperationState fromState, AFOperat self.outputStream = [NSOutputStream outputStreamToMemory]; self.state = AFOperationReadyState; + + //This ifdef has been added for backwards compatibility purposes +#ifdef _AFNETWORKING_ALLOW_INVALID_SSL_CERTIFICATES_ + self.allowInvalidSSLCertificate = YES; +#endif return self; } 
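Review bot: The doc comment added for `allowInvalidSSLCertificate` in AFURLConnectionOperation.h does not say what the flag costs. The delegate changes later in this patch accept the server trust without evaluating it when the flag is set, so the operation no longer authenticates the server. I would add a sentence such as `Setting this to YES disables server certificate validation for this operation; use it only against development or test servers.` The matching property added to AFHTTPClient.h in patch 4 needs the same sentence. As a style point, the attribute list is written `(nonatomic,assign)` while the neighbouring property uses `(readonly, nonatomic, strong)` with a space after each comma.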
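Review bot: The `#ifdef _AFNETWORKING_ALLOW_INVALID_SSL_CERTIFICATES_` block added to the initializer sets `allowInvalidSSLCertificate = YES` silently, and nothing in the hunk limits it to debug builds. A project that still defines the macro therefore ships every operation with validation off and gets no signal at build time. A line such as `#warning _AFNETWORKING_ALLOW_INVALID_SSL_CERTIFICATES_ is defined: server certificates will not be validated` inside the block would put that in the build log. The same block is added to the AFHTTPClient.m initializer in patch 4. The initializer's body starts outside the hunk.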
@@ -521,11 +526,10 @@ willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challe - (BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace { -#ifdef _AFNETWORKING_ALLOW_INVALID_SSL_CERTIFICATES_ - if ([protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) { - return YES; + if(self.allowInvalidSSLCertificate && + [protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) { + return YES; } -#endif if (self.authenticationAgainstProtectionSpace) { return self.authenticationAgainstProtectionSpace(connection, protectionSpace); @@ -539,12 +543,13 @@ canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace - (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge { -#ifdef _AFNETWORKING_ALLOW_INVALID_SSL_CERTIFICATES_ - if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) { + + if(self.allowInvalidSSLCertificate + && [challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) { [challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust] forAuthenticationChallenge:challenge]; return; } -#endif + if (self.authenticationChallenge) { self.authenticationChallenge(connection, challenge); @@ -692,6 +697,7 @@ didReceiveResponse:(NSURLResponse *)response self.error = [aDecoder decodeObjectForKey:@"error"]; self.responseData = [aDecoder decodeObjectForKey:@"responseData"]; self.totalBytesRead = [[aDecoder decodeObjectForKey:@"totalBytesRead"] longLongValue]; + self.allowInvalidSSLCertificate = [[aDecoder decodeObjectForKey:@"allowInvalidSSLCertificate"] boolValue]; return self; } 
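Review bot: In `connection:canAuthenticateAgainstProtectionSpace:` the flag is tested before `self.authenticationAgainstProtectionSpace`, so an operation with `allowInvalidSSLCertificate` set never reaches a caller-supplied block for server-trust challenges. The next hunk does the same in `connection:didReceiveAuthenticationChallenge:`, where `credentialForTrust:` is used without the trust object being evaluated and `self.authenticationChallenge` is skipped. A caller who installed a block to perform its own trust checks would lose them without notice. I would consult the block first and fall back to the flag only when no block is set, or at least state the precedence in the property documentation. Both method bodies continue past their hunks, so the path after the block check is not visible here.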
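Review bot: `initWithCoder:` now restores `allowInvalidSSLCertificate` from the archive, so a setting that turns off certificate validation travels with serialized operations and is only as trustworthy as the place the archive is stored; the `encodeWithCoder:` hunk that follows writes it. Consider leaving the flag out of NSCoding and having the owner set it again after unarchiving, or document that such archives must be kept in protected storage. If it stays, an archive written before this change has no such key, so `boolValue` on nil yields NO and would replace a YES set through the macro, assuming the initializer runs before this line (not visible in the hunk). The method body starts outside the hunk.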
@@ -716,6 +722,7 @@ didReceiveResponse:(NSURLResponse *)response [aCoder encodeObject:self.error forKey:@"error"]; [aCoder encodeObject:self.responseData forKey:@"responseData"]; [aCoder encodeObject:[NSNumber numberWithLongLong:self.totalBytesRead] forKey:@"totalBytesRead"]; + [aCoder encodeObject:[NSNumber numberWithBool:self.allowInvalidSSLCertificate] forKey:@"allowInvalidSSLCertificate"]; } #pragma mark - NSCopying @@ -729,6 +736,7 @@ didReceiveResponse:(NSURLResponse *)response operation.authenticationChallenge = self.authenticationChallenge; operation.cacheResponse = self.cacheResponse; operation.redirectResponse = self.redirectResponse; + operation.allowInvalidSSLCertificate = self.allowInvalidSSLCertificate; return operation; } From 48558d7b48ae3a2412014200e4f3bcee96fddec9 Mon Sep 17 00:00:00 2001 From: Kevin Harwood Date: Mon, 25 Mar 2013 17:15:43 -0500 Subject: [PATCH 2/7] Removed invalid SSL macro from new 1.2.0 code --- AFNetworking/AFURLConnectionOperation.m | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/AFNetworking/AFURLConnectionOperation.m b/AFNetworking/AFURLConnectionOperation.m index ca9780c..9b59381 100644 --- a/AFNetworking/AFURLConnectionOperation.m +++ b/AFNetworking/AFURLConnectionOperation.m 
@@ -581,21 +581,22 @@ willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challe break; } case AFSSLPinningModeNone: { -#ifdef _AFNETWORKING_ALLOW_INVALID_SSL_CERTIFICATES_ - NSURLCredential *credential = [NSURLCredential credentialForTrust:serverTrust]; - [[challenge sender] useCredential:credential forAuthenticationChallenge:challenge]; -#else - SecTrustResultType result = 0; - OSStatus status = SecTrustEvaluate(serverTrust, &result); - NSAssert(status == noErr, @"SecTrustEvaluate error: %ld", (long int)status); - - if (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed) { + if(self.allowInvalidSSLCertificate == YES){ NSURLCredential *credential = [NSURLCredential credentialForTrust:serverTrust]; [[challenge sender] useCredential:credential forAuthenticationChallenge:challenge]; - } else { - [[challenge sender] cancelAuthenticationChallenge:challenge]; } -#endif + else { + SecTrustResultType result = 0; + OSStatus status = SecTrustEvaluate(serverTrust, &result); + NSAssert(status == noErr, @"SecTrustEvaluate error: %ld", (long int)status); + + if (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed) { + NSURLCredential *credential = [NSURLCredential credentialForTrust:serverTrust]; + [[challenge sender] useCredential:credential forAuthenticationChallenge:challenge]; + } else { + [[challenge sender] cancelAuthenticationChallenge:challenge]; + } + } break; } } From a150b95f095db21376f4e2e4c166f4495c5d6ffc Mon Sep 17 00:00:00 2001 From: Kevin Harwood Date: Mon, 25 Mar 2013 17:18:12 -0500 Subject: [PATCH 3/7] Updated documentation --- AFNetworking/AFURLConnectionOperation.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/AFNetworking/AFURLConnectionOperation.h b/AFNetworking/AFURLConnectionOperation.h index 42c74d4..eb219b5 100644 --- a/AFNetworking/AFURLConnectionOperation.h +++ b/AFNetworking/AFURLConnectionOperation.h 
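Review bot: In the new `else` branch under `AFSSLPinningModeNone` the only check on the `SecTrustEvaluate` return value is `NSAssert`, which is typically compiled out of release builds; the code then depends on `result` keeping its initial 0 to reach the cancel branch. Making the dependency explicit costs one condition: `if (status == noErr && (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed)) {`. Separately, `if(self.allowInvalidSSLCertificate == YES){` compares a BOOL with YES where the other delegate methods in patch 1 test the property directly; `if (self.allowInvalidSSLCertificate) {` would match them. The enclosing `switch` begins outside the hunk.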
@@ -128,7 +128,7 @@ NSCoding, NSCopying> @property (readonly, nonatomic, strong) NSError *error; /** - The flag to determine if the connection should accept an invalid SSL certificate. If `_AFNETWORKING_ALLOW_INVALID_SSL_CERTIFICATES_` is set, this property defaults to YES. Otherwise, this property defaults to NO. + The flag to determine if the connection should accept an invalid SSL certificate. If `_AFNETWORKING_ALLOW_INVALID_SSL_CERTIFICATES_` is set, this property defaults to YES for backwards compatibility support. Otherwise, this property defaults to NO. */ @property (nonatomic,assign) BOOL allowInvalidSSLCertificate; @@ -285,7 +285,7 @@ NSCoding, NSCopying> @param block A block object to be executed to determine whether the connection should be able to respond to a protection space's form of authentication. The block has a `BOOL` return type and takes two arguments: the URL connection object, and the protection space to authenticate against. - @discussion If `_AFNETWORKING_ALLOW_INVALID_SSL_CERTIFICATES_` is defined, `connection:canAuthenticateAgainstProtectionSpace:` will accept invalid SSL certificates, returning `YES` if the protection space authentication method is `NSURLAuthenticationMethodServerTrust`. + @discussion If `allowInvalidSSLCertificate` is set to YES, `connection:canAuthenticateAgainstProtectionSpace:` will accept invalid SSL certificates, returning `YES` if the protection space authentication method is `NSURLAuthenticationMethodServerTrust`. */ - (void)setAuthenticationAgainstProtectionSpaceBlock:(BOOL (^)(NSURLConnection *connection, NSURLProtectionSpace *protectionSpace))block; 
@@ -294,7 +294,7 @@ NSCoding, NSCopying> @param block A block object to be executed when the connection must authenticate a challenge in order to download its request. The block has no return type and takes two arguments: the URL connection object, and the challenge that must be authenticated. - @discussion If `_AFNETWORKING_ALLOW_INVALID_SSL_CERTIFICATES_` is defined, `connection:didReceiveAuthenticationChallenge:` will attempt to have the challenge sender use credentials with invalid SSL certificates. + @discussion If `allowInvalidSSLCertificate` is set to YES, `connection:didReceiveAuthenticationChallenge:` will attempt to have the challenge sender use credentials with invalid SSL certificates. */ - (void)setAuthenticationChallengeBlock:(void (^)(NSURLConnection *connection, NSURLAuthenticationChallenge *challenge))block; From f64ce9143de762a09a5c2e03f232b4975a38d16d Mon Sep 17 00:00:00 2001 From: Kevin Harwood Date: Mon, 25 Mar 2013 17:21:56 -0500 Subject: [PATCH 4/7] Added invalidSSL flag to AFHTTPClient --- AFNetworking/AFHTTPClient.h | 5 +++++ AFNetworking/AFHTTPClient.m | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/AFNetworking/AFHTTPClient.h b/AFNetworking/AFHTTPClient.h index 5551f5d..90694f5 100644 --- a/AFNetworking/AFHTTPClient.h +++ b/AFNetworking/AFHTTPClient.h @@ -145,6 +145,11 @@ typedef enum { @property (nonatomic, assign) AFURLConnectionOperationSSLPinningMode defaultSSLPinningMode; #endif +/** + The flag to determine if each `AFHTTPRequestOperation` that will be enqueued with `enqueueHTTPRequestOperation:` should accept an invalid SSL certificate. If `_AFNETWORKING_ALLOW_INVALID_SSL_CERTIFICATES_` is set, this property defaults to YES for backwards compatibility support. Otherwise, this property defaults to NO. + */ +@property (nonatomic,assign) BOOL allowInvalidSSLCertificate; + ///--------------------------------------------- /// @name Creating and Initializing HTTP Clients ///--------------------------------------------- 
diff --git a/AFNetworking/AFHTTPClient.m b/AFNetworking/AFHTTPClient.m index bd0cab2..9c3cd3c 100644 --- a/AFNetworking/AFHTTPClient.m +++ b/AFNetworking/AFHTTPClient.m @@ -263,6 +263,11 @@ NSArray * AFQueryStringPairsFromKeyAndValue(NSString *key, id value) { self.operationQueue = [[NSOperationQueue alloc] init]; [self.operationQueue setMaxConcurrentOperationCount:NSOperationQueueDefaultMaxConcurrentOperationCount]; + //This ifdef has been added for backwards compatibility purposes +#ifdef _AFNETWORKING_ALLOW_INVALID_SSL_CERTIFICATES_ + self.allowInvalidSSLCertificate = YES; +#endif + return self; } From 22f5153bb8a8fdd9cc0254150c3d60a1d136da27 Mon Sep 17 00:00:00 2001 From: Kevin Harwood Date: Mon, 25 Mar 2013 17:26:28 -0500 Subject: [PATCH 5/7] Set the operation flag in HTTPRequestOperationWithRequest --- AFNetworking/AFHTTPClient.h | 2 +- AFNetworking/AFHTTPClient.m | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/AFNetworking/AFHTTPClient.h b/AFNetworking/AFHTTPClient.h index 90694f5..8e1a67b 100644 --- a/AFNetworking/AFHTTPClient.h +++ b/AFNetworking/AFHTTPClient.h @@ -146,7 +146,7 @@ typedef enum { #endif /** - The flag to determine if each `AFHTTPRequestOperation` that will be enqueued with `enqueueHTTPRequestOperation:` should accept an invalid SSL certificate. If `_AFNETWORKING_ALLOW_INVALID_SSL_CERTIFICATES_` is set, this property defaults to YES for backwards compatibility support. Otherwise, this property defaults to NO. + The flag to determine if each `AFHTTPRequestOperation` is created in `HTTPRequestOperationWithRequest` should accept an invalid SSL certificate. If `_AFNETWORKING_ALLOW_INVALID_SSL_CERTIFICATES_` is set, this property defaults to YES for backwards compatibility support. Otherwise, this property defaults to NO. */ @property (nonatomic,assign) BOOL allowInvalidSSLCertificate; diff --git a/AFNetworking/AFHTTPClient.m b/AFNetworking/AFHTTPClient.m index 9c3cd3c..8ecf643 100644 --- a/AFNetworking/AFHTTPClient.m 
+++ b/AFNetworking/AFHTTPClient.m @@ -541,6 +541,7 @@ static void AFNetworkReachabilityReleaseCallback(const void *info) { #ifdef _AFNETWORKING_PIN_SSL_CERTIFICATES_ operation.SSLPinningMode = self.defaultSSLPinningMode; #endif + operation.allowInvalidSSLCertificate = self.allowInvalidSSLCertificate; return operation; } From 8e5dac8d42638e8930054cbfd97f5d6f7a14f01b Mon Sep 17 00:00:00 2001 From: Kevin Harwood Date: Mon, 25 Mar 2013 17:28:28 -0500 Subject: [PATCH 6/7] Documentation update --- AFNetworking/AFHTTPClient.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/AFNetworking/AFHTTPClient.h b/AFNetworking/AFHTTPClient.h index 8e1a67b..17b3004 100644 --- a/AFNetworking/AFHTTPClient.h +++ b/AFNetworking/AFHTTPClient.h @@ -146,7 +146,7 @@ typedef enum { #endif /** - The flag to determine if each `AFHTTPRequestOperation` is created in `HTTPRequestOperationWithRequest` should accept an invalid SSL certificate. If `_AFNETWORKING_ALLOW_INVALID_SSL_CERTIFICATES_` is set, this property defaults to YES for backwards compatibility support. Otherwise, this property defaults to NO. + The flag to determine if each `AFHTTPRequestOperation` that is created in `HTTPRequestOperationWithRequest` should accept an invalid SSL certificate. If `_AFNETWORKING_ALLOW_INVALID_SSL_CERTIFICATES_` is set, this property defaults to YES for backwards compatibility support. Otherwise, this property defaults to NO. */ @property (nonatomic,assign) BOOL allowInvalidSSLCertificate; From fa9fa6e0d459ec1d4d149010ab1b92df9066c3ee Mon Sep 17 00:00:00 2001 From: Kevin Harwood Date: Tue, 9 Apr 2013 08:47:26 -0500 Subject: [PATCH 7/7] Fixed if/else logic --- AFNetworking/AFURLConnectionOperation.m | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/AFNetworking/AFURLConnectionOperation.m b/AFNetworking/AFURLConnectionOperation.m index 5e9d679..3f4df02 100644 --- a/AFNetworking/AFURLConnectionOperation.m +++ b/AFNetworking/AFURLConnectionOperation.m 
@@ -614,13 +614,11 @@ willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challe if(self.allowInvalidSSLCertificate == YES){ NSURLCredential *credential = [NSURLCredential credentialForTrust:serverTrust]; [[challenge sender] useCredential:credential forAuthenticationChallenge:challenge]; - } else { - [[challenge sender] cancelAuthenticationChallenge:challenge]; } else { SecTrustResultType result = 0; OSStatus status = SecTrustEvaluate(serverTrust, &result); - NSAssert(status == noErr, @"SecTrustEvaluate error: %ld", (long int)status); + NSAssert(status == errSecSuccess, @"SecTrustEvaluate error: %ld", (long int)status); if (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed) { NSURLCredential *credential = [NSURLCredential credentialForTrust:serverTrust];