wave Am I reading this right that I cannot pin to just root kotlinlang #ktor

Channels

fluid-libraries

jhipster-kotlin

effectivekotlin

effective-kotlin

android-architecture

algolialibraries

stayhungrystayfoolish

pattern-matching

kotlin-data-storage

skia-wasm-interop-temp

squarelibraries

beepiz-libraries

cscenter-course-2016

kotlin-foundation

compose-android

lambdaworld_cadiz

kotlin-pakistan

java-to-kotlin-refactoring

event21-community-content

fb-internal-demo

kotlinprogrammers

kotlinx-datetime

framework-elide

github-workflows-kt

library-development

arrow-contributors

spring-security

pocketgitclient

domain-driven-design

swiss-user-group

refactoring-to-kotlin

ohio-kotlin-users

introduce-yourself

kotlin-by-example

kotlin-multiplatform-contest

graviton-browser

tricity-kotlin-user-group

kotlin-in-action

android-databinding

kotlintest-devs

cincinnati-user-group

codemash-precompiler

kotlingforbeginners

prozis-android-backup

realworldkotlin

connect-audit-events

russian-kotlinasfirst

androidgithubprojects

intellij-tricks

machinelearningbawas

swagger-gradle-codegen

100daysofkotlin

competitive-programming

compose-ui-showcase

androidx-xprocessing

navigation-architecture-component

strife-discord-lib

embedded-kotlin

image-processing

myndocs-oauth2-server

leedskotlinusergroup

kotest-contributors

practical-functional-programming

kotlinultimatechallenge

k2-early-adopters

kotlinforbeginners

compose-desktop

competitivecoding

100daysofkotlin-2021

refreshversions

language-evolution

jvm-ir-backend-feedback

python-contributors

codingconventions

sofl-user-group

getting-started

language-proposals

intellij-plugins

Title

# ktor

n

Nikolay Kasyanov

04/19/2021, 8:52 AM

👋 Am I reading this right that I cannot pin to just root certificate, I have to pin to the whole chain in ktor? https://github.com/ktorio/ktor/blob/main/ktor-client/ktor-client-ios/darwin/src/io/ktor/client/engine/ios/certificates/CertificatePinner.kt

y

yschimke

04/19/2021, 5:35 PM

No.

Copy code

* If multiple patterns match a hostname, any match is sufficient. For example, suppose pin A
 * applies to `*.<http://publicobject.com|publicobject.com>` and pin B applies to `<http://api.publicobject.com|api.publicobject.com>`. Handshakes for
 * `<http://api.publicobject.com|api.publicobject.com>` are valid if either A's or B's certificate is in the chain.

Also some good advice on Certificate pinning https://developer.android.com/training/articles/security-ssl#Pinning

n

Nikolay Kasyanov

04/20/2021, 4:41 PM

@yschimke thank you! Also in code: https://github.com/ktorio/ktor/blob/40a055bcef7ad21ca0923607cb1ab45ccb638de2/ktor-client/ktor-client-ios/darwin/src/io/ktor/client/engine/ios/certificates/CertificatePinner.kt#L184

but only in 1.5.2 onwards: https://github.com/ktorio/ktor/pull/2302

In < 1.5.2 the whole chain has to match

y

yschimke

04/20/2021, 5:06 PM

Ouch. That is terrible

I have concerns on framework code either having promoted opinions on how or whether to pin. I wish for a world where security team makes own educated decisions.

2 Views