
SSL Pinning with AFNetworking - validatesCertificateChain = true

I'm trying to do SSL pinning with AFNetworking 2.5.4 (with a Comodo certificate). I grab my certificate (CER) from the server.

openssl s_client -connect example.com:443 -showcerts

Grab the output between the first -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- and save it to example.pem

Convert from PEM to CER (DER):

openssl x509 -outform der -in example.pem -out example.cer

Then I add example.cer to my Xcode project and add it to the 'Copy Bundle Resources' Build Phase. My security policy is:

let securityPolicy = AFSecurityPolicy(pinningMode: AFSSLPinningMode.PublicKey)
let certificatePath = NSBundle.mainBundle().pathForResource("example", ofType: "cer")!
let certificateData = NSData(contentsOfFile: certificatePath)!

securityPolicy.pinnedCertificates = [certificateData];

securityPolicy.validatesDomainName = true
securityPolicy.allowInvalidCertificates = false
securityPolicy.validatesCertificateChain = false

manager.securityPolicy = securityPolicy

With this, SSL pinning works, but I want to validate not only the leaf certificate. For that I change

securityPolicy.validatesCertificateChain = true

But that configuration throws the following error:

Domain=NSURLErrorDomain Code=-1012 "The operation couldn’t be completed. (NSURLErrorDomain error -1012.)

I have read that if securityPolicy.validatesCertificateChain = true I must enter the entire SSL certificate chain, but I do not know how to generate it.

I tried the following command, but it does not work (I get the same error):

openssl s_client -connect example.com:443 </dev/null 2>/dev/null | openssl x509 -outform DER > example.cer

How do I get the entire SSL certificate chain to add to Xcode?

You must also add all intermediate CA certificates to securityPolicy.pinnedCertificates to validate the entire chain.
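
One way to produce those files, as an added example that is not part of the original question or answer: `openssl x509` converts only the first certificate it reads, so the `-showcerts` output has to be split into one PEM file per certificate before each is converted to DER. The function names, the `chain-N` file names and the sample output are assumptions made for this example.

```shell
#!/bin/sh
# Constructed sample of `-showcerts` output (placeholder bodies, not real certificates).
sample_showcerts() {
    cat <<'EOF'
Certificate chain
 0 s:CN = example.com
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
CONSTRUCTEDLEAFBODY
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
CONSTRUCTEDINTERMEDIATEBODY
-----END CERTIFICATE-----
---
Server certificate
EOF
}

# split_chain OUTDIR: read s_client output on stdin, write OUTDIR/chain-N.pem
# (N=0 is the leaf, N>=1 the CA certificates the server sent) and print the count.
split_chain() {
    mkdir -p "$1" || return 1
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/         { file = sprintf("%s/chain-%d.pem", dir, n); inside = 1 }
        inside                                { print > file }
        /-----END CERTIFICATE-----/ && inside { close(file); n++; inside = 0 }
        END                                   { print n + 0 }
    '
}

# pem_to_der OUTDIR: convert each chain-N.pem to chain-N.cer (DER) with the
# same `openssl x509` call the question uses for the leaf.
pem_to_der() {
    for pem in "$1"/chain-*.pem; do
        [ -e "$pem" ] || continue
        openssl x509 -outform der -in "$pem" -out "${pem%.pem}.cer" || return 1
    done
}

# Usage (script name is hypothetical): sh split-chain.sh example.com [outdir]
if [ "$#" -ge 1 ]; then
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null |
        split_chain "${2:-chain}" && pem_to_der "${2:-chain}"
fi
```

Each resulting `chain-N.cer` is then added to the bundle and loaded into `securityPolicy.pinnedCertificates` alongside the leaf.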
