Support for SSL Certificate Pinning

[mrrobby]

Allowing for some SSL cert pinning in the Delivery APIs could help tighten security.

As of AFNetworking 2.6.0, the AFSecurityPolicy has been refined to remove entire chain validation, replaced with the recommendation to pin to the root CA or an intermediate cert. iOS 9 has made some updates in this direction too. Now that it has been sorted, for versions using AFNetworking 2.6 and above, exposing an optional setting in the Contentful Delivery API for pinning could be helpful to increase security by providing more granular control of it. The issues and updates made are covered at great length in AFNetworking #2744, noting that the whole chain validation is not best practice and is completely removed.

As an example, Contentful could control which part of the chain we should pin to based on a company decision (i.e. Root CA if the cert changes all the time or an intermediate cert if that would be applicable) and include that in the bundle and internal settings, the expose a BOOL toggle.

In a quick glance of the contenful.objc, this could possibly be exposed through CDAConfiguration, to correspond with the options to use the MUContentfulPreviewServer and disable pinning (i.e. to allow proxy on DEBUG builds) or the MUContentfulLiveServer and enable pinning for production.

Would there be any concerns with this?

[loudmouth]

Hi @mrrobby, support for AF-Networking 3 has officially been merged into master (not yet published; but usable), but I have not yet addressed your concern.

I hope to attend to it in the coming week.

[axello]

Any status updates on certificate pinning in contentful? Is it, for example, possible to retrieve the intermediate certificates used by contentful to implement it ourselves. Although in my opinion it needs to be part of the contentful SDK.