Due to a condition in didReceiveTrust combined with _checkValidityonly being set locally, the trust evaluation will yield false positive results and exit early when using a pinned certificate.
This should potentially be a security risk if providing a certificate using the ca property since the library essentially skips certificate validation.
Steps to reproduce
Steps to reproduce the behavior:
Connect to a server with connectTLS
Use a pinned certificate that doesn't match the server certificate
Current behavior
The code exits early and connects without validating the certificate.
Expected behavior
The certificate should be validated and connection should be dropped.
jakobjohansson
commented
5 months ago
Description
Due to a condition in didReceiveTrust combined with
_checkValidityonly being set locally, the trust evaluation will yield false positive results and exit early when using a pinned certificate.This should potentially be a security risk if providing a certificate using the
caproperty since the library essentially skips certificate validation.Steps to reproduce
Steps to reproduce the behavior:
Current behavior
The code exits early and connects without validating the certificate.
Expected behavior
The certificate should be validated and connection should be dropped.