
Android - Certificate Pinning with Retrofit 2.3 and OkHTTP

Hello dear developers,

I have the following Problem:

I'm using Certificate Pinning successfully for a few months now, with OkHTTP 3.6 and Retrofit 1.9.0.

Recently I updated the Retrofit version to 2.3.0 and with this started using OkHttp 3.8. Since the updates the Certificate Pinning is no longer working on devices between AN 4.1 and AN 6.0.

I tried using different OkHTTP versions but had no luck. Furthermore I tried to enforce the usage of a specific OkHTTP version via gradle, but that didn't change anything.

Here is the code we use for Pinning:

import java.util.concurrent.TimeUnit;
import android.util.Log;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

public CertificatePinner provideCertificatePinner(@PinForDomain(DEUTSCHE_POST) final PinnedDomain deutschePost, @PinForDomain(NOVOMIND) final PinnedDomain novomindPin, @PinForDomain(EMMI) final PinnedDomain emmiPin) {
    Log.d(LOG_TAG, "Creating CertificatePinner");
    final CertificatePinner.Builder builder = new CertificatePinner.Builder();
    // Pin pattern is matched against the request host; "www.url.com" pins that host only.
    builder.add("www.url.com", "sha256Key");
    return builder.build();
}

public OkHttpClient provideOkHttpClient(CertificatePinner pinner) {

    Log.d(LOG_TAG, "Creating OkHttpClient");
    final OkHttpClient.Builder clientBuilder = new OkHttpClient().newBuilder();
    // Pass the CertificatePinner instance received as a parameter, not the provider method name.
    clientBuilder.certificatePinner(pinner);
    clientBuilder.connectTimeout(BuildConfig.CONNECTION_TIMEOUT, TimeUnit.MILLISECONDS);
    clientBuilder.writeTimeout(BuildConfig.WRITE_TIMEOUT, TimeUnit.MILLISECONDS);
    clientBuilder.readTimeout(BuildConfig.CONNECTION_TIMEOUT, TimeUnit.MILLISECONDS);
    return clientBuilder.build();
}

So I tried the following things:

Forcing the usage of TLS v1.2

ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
    .tlsVersions(TlsVersion.TLS_1_2)
    .cipherSuites(
        CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
        CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
        CipherSuite.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256)
    .build();

OkHttpClient client = new OkHttpClient.Builder()
    .connectionSpecs(Collections.singletonList(spec))
    .build();

And implementing a custom SSLSocketFactory forcing the usage of TLS v1.2 in versions under AN 4.1 according to: https://github.com/square/okhttp/issues/2372

EDIT:

For clarification: "the Pinning is not working" means that I'm able to intercept the connection between my App and the Backend Server => 'Man in the middle'.

Right now I'm completely lost on how to fix this issue. Any help is appreciated.

Cheers Pascal

I found out that the problem was not caused by OKHTTP / Retrofit, but by a misconfiguration on the client side. Being fairly new to that project I didn't know all of it.

Sorry to have bothered you and thanks for any help given
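The question above shows a pinner being built and attached to an OkHttpClient, and the follow-up reports that the real cause was a client-side misconfiguration rather than the library. The following is an added example (not code from the question or from OkHttp) of the two things a reviewer would want in that situation: a pinner with a current and a backup pin, and a self-check that proves the pin is actually enforced on the host being called. The host name `api.example.com`, the base64 pin values and the `/health` path are placeholders and must be replaced with your own.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLPeerUnverifiedException;
import okhttp3.CertificatePinner;
import okhttp3.ConnectionSpec;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.TlsVersion;

/** Added example: pin a hypothetical API host and verify the pin is really enforced. */
public final class PinningSelfCheck {

    // Hypothetical host and placeholder SPKI hashes (constructed values, not real pins).
    static final String API_HOST = "api.example.com";
    static final String PIN_CURRENT = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    static final String PIN_BACKUP  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    static CertificatePinner pinner() {
        return new CertificatePinner.Builder()
                // A backup pin (e.g. the next key or the issuing CA) keeps the app
                // working when the server certificate is rotated.
                .add(API_HOST, PIN_CURRENT, PIN_BACKUP)
                .build();
    }

    static OkHttpClient client(CertificatePinner pinner) {
        ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
                .tlsVersions(TlsVersion.TLS_1_2)
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)            // the pinner instance, not a factory method
                .connectionSpecs(Collections.singletonList(spec))
                .connectTimeout(10, TimeUnit.SECONDS)
                .readTimeout(10, TimeUnit.SECONDS)
                .build();
    }

    enum Outcome { PIN_MATCHED, PIN_REJECTED_CHAIN, OTHER_IO_ERROR }

    /** Performs one request and reports whether the pin check ran and what it decided. */
    static Outcome probe(OkHttpClient client, String url) {
        Request request = new Request.Builder().url(url).build();
        try (Response response = client.newCall(request).execute()) {
            return Outcome.PIN_MATCHED;
        } catch (SSLPeerUnverifiedException e) {
            // OkHttp's failure message lists the sha256/ pins of the chain it actually
            // received, which is the safest way to collect pins for the real server.
            System.err.println(e.getMessage());
            return Outcome.PIN_REJECTED_CHAIN;
        } catch (IOException e) {
            return Outcome.OTHER_IO_ERROR;
        }
    }

    public static void main(String[] args) {
        // Self-check: a client pinned to a deliberately wrong value must fail with
        // PIN_REJECTED_CHAIN. PIN_MATCHED here means the pinner is not wired into
        // the client, or the pin pattern does not match the host being requested.
        CertificatePinner wrongPin = new CertificatePinner.Builder()
                .add(API_HOST, "sha256/CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=")
                .build();
        Outcome wrong = probe(client(wrongPin), "https://" + API_HOST + "/health");
        System.out.println("wrong-pin probe: " + wrong
                + (wrong == Outcome.PIN_MATCHED ? "  <-- pinning is NOT enforced" : ""));

        // Normal configuration: should succeed once PIN_CURRENT/PIN_BACKUP are real.
        Outcome real = probe(client(pinner()), "https://" + API_HOST + "/health");
        System.out.println("real-pin probe: " + real);
    }
}
```

Two checks worth running against any pinning setup: first, the pattern passed to `CertificatePinner.Builder.add` must match the host the app actually requests (a pattern for `www.url.com` pins nothing for `api.url.com`; a `*.url.com` wildcard covers exactly one label), and second, a `ConnectionSpec` restricting TLS versions or cipher suites has no effect on pinning, so tightening it cannot make a silently unpinned host become pinned. The wrong-pin probe in `main` catches both: if it connects successfully, the pinner is not in the path for that host.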
