# ktor

Nikolay Kasyanov

04/19/2021, 8:52 AM
👋 Am I reading this right that I cannot pin to just root certificate, I have to pin to the whole chain in ktor? https://github.com/ktorio/ktor/blob/main/ktor-client/ktor-client-ios/darwin/src/io/ktor/client/engine/ios/certificates/CertificatePinner.kt

yschimke

04/19/2021, 5:35 PM
No.
    * If multiple patterns match a hostname, any match is sufficient. For example, suppose pin A
    * applies to `*.publicobject.com` and pin B applies to `api.publicobject.com`. Handshakes for
    * `api.publicobject.com` are valid if either A's or B's certificate is in the chain.
but only in 1.5.2 onwards: https://github.com/ktorio/ktor/pull/2302
In < 1.5.2 the whole chain has to match

yschimke

04/20/2021, 5:06 PM
Ouch. That is terrible.
I have concerns about framework code having promoted opinions on how or whether to pin. I wish for a world where the security team makes its own educated decisions.