
In iOS, if a pinned SSL certificate expires, do I need to re-submit the app?

In iOS, if a pinned SSL certificate expires, do I need to re-submit the app? Will apps on the old version continue to work, or will they not work unless they are updated?

That entirely depends on how you pinned the certificate. Pinning a certificate means checking the certificate and its chain against a set of designated requirements that determine whether the new certificate should be accepted. There are nearly an infinite number of ways to do this, and thus nearly an infinite number of ways to shoot yourself in the foot while doing so.

As a rule:

  • If you are checking to see if the certificate's public key matches, you're fine as long as the new cert has the same public key. This is normally the simplest approach to get right, because you have the power to guarantee that a key under your direct control does not change. However, be aware that some automated certificate updating tools generate new keys by default.
  • If you are comparing the entire certificate, it will likely break, because obviously some aspects of the certificate (minimally, the expiration date) will change.
  • If you are comparing specific aspects of the certificate, such as the public key of the CA cert that signed it, it may or may not break, depending on whether those designated requirements match.

Be aware, however, that CAs periodically rotate out their signing keys to limit damage in the event of a key getting compromised. What this means is that the specific CA cert key that you pinned may not be the one that gets used to sign a subsequent certificate. And if you are doing this in an automated fashion, it isn't a question of whether you will break, but when.

For this reason, if you feel the need to do key pinning, it is strongly recommended that you pin only keys that are under your direct control, and that you force any automated update tools to reuse the existing key pair.
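The cases in the rule above can be reproduced locally with openssl. This is an added example, not part of the original answer: the host name `example.test`, the file names, and the self-signed certificates standing in for CA-issued ones are all assumptions.

```shell
#!/bin/sh
# Added demo; example.test and every file name here are constructed.
set -e
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Pin over the whole DER certificate ("comparing the entire certificate").
cert_pin() {
  openssl x509 -in "$1" -outform DER | openssl dgst -sha256 -binary | openssl base64
}

# Pin over the SubjectPublicKeyInfo only ("the public key matches").
spki_pin() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -binary | openssl base64
}

# new_key FILE: generate a P-256 private key.
new_key() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null
}

# issue KEY CERT DAYS: self-signed stand-in for a CA-issued server certificate.
issue() {
  openssl req -new -x509 -key "$1" -out "$2" -days "$3" -subj "/CN=example.test" 2>/dev/null
}

# pin_survives KIND OLD NEW: succeeds if a pin taken from OLD still matches NEW.
pin_survives() {
  [ "$("$1" "$2")" = "$("$1" "$3")" ]
}

new_key "$work/key.pem"
new_key "$work/rotated.pem"
issue "$work/key.pem" "$work/old.pem" 90            # cert the app shipped with
issue "$work/key.pem" "$work/same_key.pem" 365      # renewal reusing the key pair
issue "$work/rotated.pem" "$work/new_key.pem" 365   # renewal with a fresh key

for kind in cert_pin spki_pin; do
  for cert in same_key new_key; do
    if pin_survives "$kind" "$work/old.pem" "$work/$cert.pem"; then r="still valid"; else r="BROKEN"; fi
    printf '%-8s vs %-8s renewal: %s\n' "$kind" "$cert" "$r"
  done
done
```

Only the `spki_pin` taken from the old certificate still matches after a renewal that reuses the key pair; the whole-certificate pin breaks on every renewal, and both break when the key is regenerated.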

No. Once you install SSL on your site or renew the old one, it will start working. No need to resubmit the app.

Read more at SSL Pinning and certificate expiry.

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

 