biasedbit / BBHTTP

A modern HTTP client framework for iOS/OSX built on top of libcurl.

Certificate pinning

jasperblues opened this issue · comments

I was reading this on Australian CocoaHeads and thought it might be a neat feature for BBHTTP:

Hi Gordon,

If you are using the AFNetworking library for communicating with your
web services, then you get the functionality to check for invalid
certificates out of the box, unless you #define
AFNETWORKING_ALLOW_INVALID_SSL_CERTIFICATES. Furthermore,
AFNetworking also has built in support for "certificate pinning" (see
Loukas' email). You can enable this by #define
AFNETWORKING_PIN_SSL_CERTIFICATES 1.

Hope this helps as well.

Regards,
Sadat

Invalid SSL certificates are supported (at the request level) via the allowInvalidSSLCertificates property.

I'm not familiar with "certificate pinning", could you elaborate a bit on that?

I've asked Sadat to describe it for us - will update when he responds...

Any update on this?

Here's what pinning is about:

Implementations of pinning can differ, but in general it means restricting or bypassing the default chain of trust.

i.e., in the iOS case, rather than accepting a certificate based on whether it's issued by a trusted authority with a root certificate that ships (or has been manually installed) on iOS, verify the certificate by checking very specific information in the certificate.

I believe AFNetworking's pinning feature works by bundling a *.cer file containing the public key of the certificate issued by your trusted signing authority, and rejecting certificates that don't include that precise public key.

Companies like Square use certificate pinning; it's a good idea.
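The two pinning styles described in the comment above, as an added example that is not part of the original issue or of BBHTTP/AFNetworking: pinning the whole leaf certificate (byte-for-byte comparison against a bundled `.cer`, the approach attributed to AFNetworking) and pinning the SubjectPublicKeyInfo (hash the public key block of the certificate and compare against a short list of expected pins). The script is standalone Python with a minimal DER walker; the certificates and keys it parses are constructed placeholders built in the script, not real certificates, and the function names (`extract_spki`, `spki_pin`, `verify_spki_pins`, `verify_cert_pin`) are this example's own.

```python
import base64
import hashlib

# --- minimal DER helpers -----------------------------------------------------

def _tlv(tag, content):
    """Encode one DER tag-length-value (short or long form length)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, content, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

# --- the pinning logic -------------------------------------------------------

def extract_spki(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV from a DER X.509 certificate.

    Layout walked: Certificate SEQ { tbsCertificate SEQ { [0] version?,
    serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ... } }
    """
    _, cert_body, _ = _read_tlv(cert_der, 0)       # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert_body, 0)            # tbsCertificate SEQUENCE
    pos = 0
    tag, _, end = _read_tlv(tbs, pos)
    if tag == 0xA0:                                # optional explicit [0] version
        pos = end
    for _ in range(5):                             # serial, sigAlg, issuer, validity, subject
        _, _, pos = _read_tlv(tbs, pos)
    start = pos
    _, _, end = _read_tlv(tbs, pos)                # subjectPublicKeyInfo
    return tbs[start:end]

def pin_for_spki(spki_der):
    """HPKP / libcurl style pin: 'sha256//' + base64(SHA-256(SPKI))."""
    return "sha256//" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def spki_pin(cert_der):
    return pin_for_spki(extract_spki(cert_der))

def verify_spki_pins(chain_der, pins):
    """Accept if ANY certificate in the presented chain carries a pinned key.

    Run this after the normal chain-of-trust check, never instead of it.
    """
    return any(spki_pin(cert) in pins for cert in chain_der)

def verify_cert_pin(leaf_der, bundled_cer_der):
    """Whole-certificate pinning: the leaf must equal the bundled .cer byte for byte.
    Simple, but every certificate renewal requires shipping an app update."""
    return leaf_der == bundled_cer_der

# --- constructed sample data (placeholders, not valid certificates) ----------

def _fake_spki(key_bits):
    rsa_oid = _tlv(0x06, bytes.fromhex("2a864886f70d010101"))   # 1.2.840.113549.1.1.1
    return _tlv(0x30, _tlv(0x30, rsa_oid + _tlv(0x05, b"")) + _tlv(0x03, b"\x00" + key_bits))

def _fake_cert(spki):
    """Certificate-shaped DER with empty placeholder fields; only the layout matters here."""
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02")) +   # [0] version v3
               _tlv(0x02, b"\x01") +                # serialNumber
               _tlv(0x30, b"") +                    # signature algorithm (placeholder)
               _tlv(0x30, b"") +                    # issuer (placeholder)
               _tlv(0x30, b"") +                    # validity (placeholder)
               _tlv(0x30, b"") +                    # subject (placeholder)
               spki)
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))

GOOD_SPKI = _fake_spki(bytes(range(1, 33)))        # constructed placeholder key
BACKUP_SPKI = _fake_spki(bytes(range(65, 97)))     # constructed backup key, not yet deployed
OTHER_SPKI = _fake_spki(bytes(range(33, 65)))      # constructed attacker/unknown key
GOOD_CERT_DER = _fake_cert(GOOD_SPKI)
OTHER_CERT_DER = _fake_cert(OTHER_SPKI)

# Pin the live key plus a backup key so a key rotation does not brick the app.
PINS = {pin_for_spki(GOOD_SPKI), pin_for_spki(BACKUP_SPKI)}

if __name__ == "__main__":
    print("leaf pin:", spki_pin(GOOD_CERT_DER))
    print("good chain accepted:", verify_spki_pins([GOOD_CERT_DER], PINS))
    print("other chain accepted:", verify_spki_pins([OTHER_CERT_DER], PINS))
```

The `sha256//…` string is the same pin format libcurl accepts for `CURLOPT_PINNEDPUBLICKEY`, which is the natural hook for a libcurl-based client like BBHTTP; the key design choice is pinning the SPKI rather than the whole certificate, so the pin survives certificate renewals that keep the same key, and carrying a backup pin so a key rotation can be staged.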

Let's close this. I think all that is required for most folks is a config turning on the ability to accept self-signed.