How to compare SSL certificates using AFNetworking

Question

In my iPhone app I\'m using an https connection with a self-signed SSL certificate to download sensible data (username and password) from a server.

Answer 1

To expand a bit on David's answer with respect to AFSSLPinningModePublicKey versus AFSSLPinningModeCertificate. Ideally, you would pin the public key and not the certificate. That's because some sites and services, like Google, rotate their certificates every 30 days or so. But they re-certify the same public key.

The certificates are rotated frequently to keep the size of the CRL small for mobile clients. But they re-certify the same public key (rather than creating a new one) to allow for key continuity testing.

Public key pinning is why tools like Certificate Patrol miss the mark. The certificate is expected to change; the public key is not.

Public key pinning is a lot like SSH's StrictHostKeyChecking, if you are familiar with it.

OWASP has a write-up on it too at Certificate and Public Key Pinning.