
Why is ssl pinning not working on synchronous requests?


I want to do SSL pinning with the Alamofire library, but it doesn't work for sync requests.

I am using the following library to make Alamofire requests synchronous: https://github.com/Dalodd/Alamofire-Synchronous. In the async call I get cancelled with code -999, but when I try with sync I get all responses with 200. My code is like this:

    let hostname = "..."
    let cert = "..." // e.g. for cert.der, this should just be "cert"
    let pathToCert = Bundle.main.path(forResource: cert, ofType: "der")
    let localCertificate = NSData(contentsOfFile: pathToCert!)
    let certificates = [SecCertificateCreateWithData(nil, localCertificate!)!]
    // Configure the trust policy manager
    let serverTrustPolicy = ServerTrustPolicy.pinCertificates(
        certificates: certificates,
        validateCertificateChain: true,
        validateHost: true
    )
    let serverTrustPolicies = [hostname: serverTrustPolicy]
    let serverTrustPolicyManager = ServerTrustPolicyManager(policies: serverTrustPolicies)
    // Configure session manager with trust policy
    let defaultManager = Alamofire.SessionManager(
        configuration: URLSessionConfiguration.default,
        serverTrustPolicyManager: serverTrustPolicyManager
    )
    let manager = defaultManager
    manager.session.configuration.timeoutIntervalForRequest = 120
    let request = getRequest(object, endPoint: endPoint)
    let response = manager.request(request).responseString()

If I don't use the semaphore in the code below, the request is aborted, but if I use it I get 200 responses:

    public func response<T: DataResponseSerializerProtocol>(responseSerializer: T) -> DataResponse<T.SerializedObject> {
        let semaphore = DispatchSemaphore(value: 0)
        var result: DataResponse<T.SerializedObject>!

        self.response(queue: DispatchQueue.global(qos: .default), responseSerializer: responseSerializer) { response in
            result = response
            semaphore.signal()
        }

        _ = semaphore.wait(timeout: DispatchTime.distantFuture)

        return result
    }

How is this possible?


Solution

  • Using Alamofire synchronously is not supported so any misbehaviors you see when doing this are unlikely to be fixed.

    Additionally, that dependency is using Alamofire 4, where 5 is the latest version, so if you really want the behavior I suggest implementing it manually using the latest version.
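
As an added example (not code from the question, the answer, or the Alamofire project), here is one way to do the pinning on Alamofire 5 with a long-lived `Session` and an `async` call site instead of a semaphore. In Alamofire 4 both a failed trust evaluation and a manager that is deallocated before the request finishes surface as -999, so the sketch checks for Alamofire 5's explicit server trust error instead. The host `api.example.com` and the names `PinnedAPIClient` and `fetchString` are hypothetical, and it assumes an Alamofire 5 release with Swift concurrency support and a pinned certificate file in the app bundle.

```swift
import Alamofire
import Foundation

// Hypothetical host; replace with the API host whose certificate is bundled.
let pinnedHost = "api.example.com"

final class PinnedAPIClient {
    // Long-lived instance: Alamofire cancels in-flight requests when the
    // Session that created them is deallocated.
    static let shared = PinnedAPIClient()

    private let session: Session

    private init() {
        // Pins against the certificate files (.cer, .crt, .der) in the main bundle.
        let evaluator = PinnedCertificatesTrustEvaluator(
            certificates: Bundle.main.af.certificates,
            acceptSelfSignedCertificates: false,
            performDefaultValidation: true,
            validateHost: true
        )
        let configuration = URLSessionConfiguration.af.default
        // Set timeouts before the Session is created; URLSession copies the
        // configuration, so later changes have no effect.
        configuration.timeoutIntervalForRequest = 120
        session = Session(
            configuration: configuration,
            serverTrustManager: ServerTrustManager(evaluators: [pinnedHost: evaluator])
        )
    }

    // Reads sequentially at the call site without blocking a thread.
    func fetchString(_ path: String) async -> Result<String, AFError> {
        let response = await session
            .request("https://\(pinnedHost)\(path)")
            .validate()
            .serializingString()
            .response
        if let error = response.error, error.isServerTrustEvaluationError {
            // Pinning rejected the connection, as opposed to a timeout
            // or a cancelled request.
            print("Server trust evaluation failed: \(error)")
        }
        return response.result
    }
}
```

To confirm the pin is enforced, run the app through a TLS-intercepting proxy whose certificate is not in the bundle and check that `fetchString` returns a failure flagged as a server trust evaluation error rather than a 200.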