:wave: Am I reading this right that I cannot pin t...
# ktorn
Nikolay Kasyanov
04/19/2021, 8:52 AM👋 Am I reading this right that I cannot pin to just root certificate, I have to pin to the whole chain in ktor?
https://github.com/ktorio/ktor/blob/main/ktor-client/ktor-client-ios/darwin/src/io/ktor/client/engine/ios/certificates/CertificatePinner.kt
y
yschimke
04/19/2021, 5:35 PMNo.
Copy code
* If multiple patterns match a hostname, any match is sufficient. For example, suppose pin A
* applies to `*.<http://publicobject.com|publicobject.com>` and pin B applies to `<http://api.publicobject.com|api.publicobject.com>`. Handshakes for
* `<http://api.publicobject.com|api.publicobject.com>` are valid if either A's or B's certificate is in the chain.yschimke
04/19/2021, 5:36 PMAlso some good advice on Certificate pinning https://developer.android.com/training/articles/security-ssl#Pinning
n
Nikolay Kasyanov
04/20/2021, 4:41 PMNikolay Kasyanov
04/20/2021, 4:49 PMbut only in 1.5.2 onwards: https://github.com/ktorio/ktor/pull/2302
Nikolay Kasyanov
04/20/2021, 4:49 PMIn < 1.5.2 the whole chain has to match
y
yschimke
04/20/2021, 5:06 PMOuch. That is terrible
yschimke
04/20/2021, 5:08 PMI have concerns on framework code either having promoted opinions on how or whether to pin. I wish for a world where security team makes own educated decisions.
2 Views