Modify the SSL Pinning logic to support conncheck as well

mullvad · Aug 27, 2024 · 8ff7f7c · 8ff7f7c
1 parent 5dc31e7
commit 8ff7f7c
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 7 deletions.
diff --git a/ios/MullvadREST/ApiHandlers/SSLPinningURLSessionDelegate.swift b/ios/MullvadREST/ApiHandlers/SSLPinningURLSessionDelegate.swift
@@ -8,6 +8,7 @@
 
 import Foundation
 import MullvadLogging
+import Network
 import Security
 
 final class SSLPinningURLSessionDelegate: NSObject, URLSessionDelegate {
@@ -29,17 +30,32 @@ final class SSLPinningURLSessionDelegate: NSObject, URLSessionDelegate {
         completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void
     ) {
         if challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
-           let serverTrust = challenge.protectionSpace.serverTrust,
-           verifyServerTrust(serverTrust) {
-            completionHandler(.useCredential, URLCredential(trust: serverTrust))
-        } else {
-            completionHandler(.rejectProtectionSpace, nil)
+           let serverTrust = challenge.protectionSpace.serverTrust {
+            /// If a request is going through a local shadowsocks proxy, the host would be a localhost address,`
+            /// which would not appear in the list of valid host names in the root certificate.
+            /// The same goes for direct connections to the API, the host would be the IP address of the endpoint.
+            /// Certificates, cannot be signed for IP addresses, in such case, specify that the host name is `defaultAPIHostname`
+            var hostName = challenge.protectionSpace.host
+            let overridenHostnames = [
+                "\(IPv4Address.loopback)",
+                "\(IPv6Address.loopback)",
+                "\(REST.defaultAPIEndpoint.ip)",
+            ]
+            if overridenHostnames.contains(hostName) {
+                hostName = sslHostname
+            }
+
+            if verifyServerTrust(serverTrust, for: hostName) {
+                completionHandler(.useCredential, URLCredential(trust: serverTrust))
+                return
+            }
         }
+        completionHandler(.rejectProtectionSpace, nil)
     }
 
     // MARK: - Private
 
-    private func verifyServerTrust(_ serverTrust: SecTrust) -> Bool {
+    private func verifyServerTrust(_ serverTrust: SecTrust, for sslHostname: String) -> Bool {
         var secResult: OSStatus
 
         // Set SSL policy

diff --git a/ios/MullvadVPN/SceneDelegate.swift b/ios/MullvadVPN/SceneDelegate.swift
@@ -74,7 +74,7 @@ class SceneDelegate: UIResponder, UIWindowSceneDelegate, SettingsMigrationUIHand
             accountsProxy: appDelegate.accountsProxy,
             outgoingConnectionService: OutgoingConnectionService(
                 outgoingConnectionProxy: OutgoingConnectionProxy(
-                    urlSession: URLSession(configuration: .ephemeral),
+                    urlSession: REST.makeURLSession(),
                     hostname: ApplicationConfiguration.hostName
                 )
             ),