Skip to content
This repository has been archived by the owner on Jan 17, 2023. It is now read-only.

Reverted NSURLSessionAuthChallengeDisposition to NSURLSessionAuthChallengeCancelAuthenticationChallenge for SSL Pinning #3417

Merged
merged 2 commits into from Mar 31, 2016
Merged

Reverted NSURLSessionAuthChallengeDisposition to NSURLSessionAuthChallengeCancelAuthenticationChallenge for SSL Pinning #3417

merged 2 commits into from Mar 31, 2016

Conversation

kcharwood
Copy link
Contributor

As first discussed in #3409, there appear to be cases where returning NSURLSessionAuthChallengeRejectProtectionSpace does not prevent the request from succeeding in some cases.

A few of us have starting to dig in on this issue. @0xced has seen behavior where the existing code does work in some cases, leading us to believe there may be some issues here related to the TLS cache under the hood that we do not control. However, using Cancel instead does give us deterministic control.

The original intent of moving to RejectProtectionSpace was to provide a better error message to the developer to distinguish between a manual cancel and an SSL pinning failure.

I've created a simple playground demonstrating the issue:

NSURLSessionAuthChallenge.playground.zip

This PR reverts to using cancel, and adds an additional test for Public Key Pinning error validation.

Note that if you have code specifically looking for NSURLErrorServerCertificateUntrusted, you should fall back to use NSURLErrorCancelled

@kcharwood
Added test demonstrating failure for PK
8a99f2d
@kcharwood
Reverted NSURLSession Challenge Disposition to be `NSURLSessionAuthCh…
280baf5 
…allengeCancelAuthenticationChallenge` to allow for more determistic pinning results.

- Updated test suite to check for new error code
@kcharwood kcharwood added this to the 3.1.0 milestone Mar 31, 2016
@kcharwood kcharwood mentioned this pull request Mar 31, 2016
Closed
@codecov-io
Copy link

Current coverage is 76.07%

Merging #3417 into master will decrease coverage by -0.40% as of 89570aa

@@            master   #3417   diff @@
======================================
  Files            5       5       
  Stmts         2491    2491       
  Branches         0       0       
  Methods                          
======================================
- Hit           1905    1895    -10
  Partial          0       0       
- Missed         586     596    +10

Review entire Coverage Diff as of 89570aa

Powered by Codecov. Updated on successful CI builds.

@cnoon
Copy link
Member

cnoon commented Mar 31, 2016

This all looks good to me @kcharwood. 👍🏼

Would it also be wise to put the Apple Forums link in this PR as well for reference?

@kcharwood
Copy link
Contributor Author

Thanks @cnoon

Here is a link to a Dev Forum I have opened:

https://forums.developer.apple.com/message/128153#128153

@kcharwood kcharwood merged commit f169be4 into master Mar 31, 2016
@kcharwood kcharwood deleted the bug/ssl_pinning_disposition branch March 31, 2016 17:47
@jshier jshier mentioned this pull request Dec 14, 2017
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
changed security WWDC Followup
Projects
None yet
Milestone
3.1.0
3 participants
@kcharwood @codecov-io @cnoon