Tags: swift, ssl, ca, swift-nio

TLS CA certificate SSL Pinning using SWIFT-NIO-SSL


I have been trying to use SWIFT-NIO-SSL to connect to a server using the CA certificate and the server certificate.

After numerous attempts and trying out different approaches, I could not get a solution. Any tutorial or other help in connecting to TLS using a CA certificate with swift-nio-ssl would be helpful.


Solution

  • I'm not 100% sure if that's what you're asking, but if you are trying to connect to a server using a custom CA, you probably want the following TLSConfiguration:

    var tlsConfiguration = TLSConfiguration.forClient()
    tlsConfiguration.trustRoots = .file("/tmp/the-ca.pem") // the CA
    

    If you want to verify the certificate chain the server provides, you should use NIOSSLClientHandler(context:serverHostname:customVerificationCallback:) when creating the NIOSSLClientHandler that you put in your pipeline. The last argument is a NIOSSLCustomVerificationCallback, which allows completely overriding the certificate verification logic of BoringSSL; it gets presented the whole certificate chain the remote peer provided.

    (Just in case you don't use NIO directly but through another library such as Vapor or AsyncHTTPClient, the above doesn't necessarily make any sense because you don't add the NIOSSLClientHandler yourself.)

    At this point, just using a TLSConfiguration does not allow you to implement certificate pinning. You could in theory implement it using the NIOSSLCustomVerificationCallback, but in practice this may be hard depending on how exactly you're planning to pin.

    If you provide some more detail what exactly you want to achieve, I'm happy to expand a bit on this.
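The answer above describes two pieces: a TLSConfiguration whose trustRoots point at the custom CA, and a NIOSSLClientHandler created with a NIOSSLCustomVerificationCallback that receives the peer's certificate chain. The following is an added example (not code from the question, the answer or the swift-nio-ssl project) that wires both together and uses the callback to pin the SHA-256 of the leaf certificate's SubjectPublicKeyInfo. It assumes swift-nio, swift-nio-ssl and swift-crypto as package dependencies; `pinnedSPKIHashes`, `makePinnedClientChannel`, the zero-filled placeholder pin and the host name are constructed for illustration. `TLSConfiguration.makeClientConfiguration()` is the current name of the `forClient()` call shown in the answer.

```swift
import NIOCore
import NIOPosix
import NIOSSL
import Crypto   // swift-crypto, assumed dependency; provides SHA256

// Constructed placeholder: the SHA-256 of the server's SPKI (DER). A real pin
// set would hold the current key plus a backup key to survive rotation.
let pinnedSPKIHashes: Set<[UInt8]> = [
    Array(repeating: 0x00, count: 32)   // PLACEHOLDER_PIN, replace with a real digest
]

// SHA-256 over the DER-encoded SubjectPublicKeyInfo of a certificate.
func spkiSHA256(of certificate: NIOSSLCertificate) throws -> [UInt8] {
    let spki = try certificate.extractPublicKey().toSPKIBytes()
    return Array(SHA256.hash(data: spki))
}

// The NIOSSLCustomVerificationCallback from the answer. As the answer says, it
// replaces BoringSSL's verification entirely: BoringSSL will NOT validate the
// chain against trustRoots or check the hostname once this callback is installed,
// so everything you still need must be decided here. certificates[0] is the leaf.
let pinningCallback: NIOSSLCustomVerificationCallback = { certificates, promise in
    guard let leaf = certificates.first else {
        promise.succeed(.failed)          // empty chain: reject
        return
    }
    do {
        let digest = try spkiSHA256(of: leaf)
        promise.succeed(pinnedSPKIHashes.contains(digest) ? .certificateVerified : .failed)
    } catch {
        promise.fail(error)               // malformed key or certificate: fail the handshake
    }
}

// Builds a TLS client channel whose pipeline starts with the pinning handler.
func makePinnedClientChannel(group: EventLoopGroup,
                             host: String,
                             port: Int) throws -> EventLoopFuture<Channel> {
    var tlsConfiguration = TLSConfiguration.makeClientConfiguration()
    tlsConfiguration.trustRoots = .file("/tmp/the-ca.pem")   // the custom CA, path from the answer
    let sslContext = try NIOSSLContext(configuration: tlsConfiguration)

    return ClientBootstrap(group: group)
        .channelInitializer { channel in
            do {
                let sslHandler = try NIOSSLClientHandler(
                    context: sslContext,
                    serverHostname: host,               // still sent as SNI
                    customVerificationCallback: pinningCallback)
                return channel.pipeline.addHandler(sslHandler)
            } catch {
                return channel.eventLoop.makeFailedFuture(error)
            }
        }
        .connect(host: host, port: port)
}

// Usage (host is a constructed placeholder). With the placeholder pin the
// handshake fails, which is the intended outcome until a real digest is set.
let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)
defer { try? group.syncShutdownGracefully() }
do {
    let channel = try makePinnedClientChannel(group: group,
                                              host: "server.example.internal",
                                              port: 443).wait()
    print("connected with pinned key to \(channel.remoteAddress.map(String.init(describing:)) ?? "?")")
} catch {
    print("TLS handshake rejected: \(error)")
}
```

Because the custom callback overrides all of BoringSSL's checks, this example only proves possession of a pinned key; it does not validate the chain against the CA or the hostname. Newer swift-nio-ssl releases (2.23 and later) add `NIOSSLClientHandler(context:serverHostname:additionalPeerCertificateVerificationCallback:)`, which runs after BoringSSL's normal chain and hostname verification and is the better hook for pinning when you want both checks; that API is not on this page and is mentioned here only as a pointer.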