crl

In addition to TLS Pinning, you can also enforce that the certificate in use has not been revoked by checking the CRL or OCSP result for said certificate. To do this for NSURLSession, you need to add an additional SecPolicyRef to the SecTrustRef provided to you during the authentication challenge. The new policy needs to be created via SecPolicyCreateRevocation and can be tweaked depending on how strict you want to be....