Waboodoo / HTTP-Shortcuts

Android app to create home screen shortcuts that trigger arbitrary HTTP requests
https://http-shortcuts.rmy.ch
MIT License
1.17k stars, 113 forks

Support pinning self signed certificates #360

Closed HFPasfho closed 1 year ago

HFPasfho commented 1 year ago

Is your feature request related to a problem? Please describe.

Currently the app doesn't support pinning self-signed certificates that are very useful in all sorts of hobbyist home automation projects. Without certificates no type of authentication makes sense, and accepting any certificate isn't a great idea even on a LAN, let alone a WLAN.

Describe the solution you'd like

I think the current mechanism of verifying certificates based on fingerprints should be extended to support self-signed certificates. If the verification is currently done by app code (not some built-in Android mechanism), this extension should be fairly easy to add. A simple comparison of the pinned and received fingerprints should be sufficient. I'm not sure how to treat a hostname pattern in self-signed certificates though.

Describe alternatives you've considered

An ability to pin a certain certificate directly to a specific shortcut (not to all shortcuts in the app, like it's implemented now) could bring more granularity to this feature, but on the other hand could also be overkill. Always trusting a certain certificate seems OK too, but this is an alternative approach to consider.

Additional context

This feature idea came from this discussion.

Waboodoo commented 1 year ago

As of version 3.2.0, the app now allows configuring a shortcut to check the server certificate's fingerprint against a given one. This should allow the safe use of self-signed certificates. More details here: https://http-shortcuts.rmy.ch/advanced#self-signed-certificates
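
The fingerprint comparison discussed in this thread, sketched as an added Python example. It is not the app's code and does not describe how the app implements the check. It assumes the pin is a SHA-256 hash over the DER-encoded certificate; the function names and sample bytes are hypothetical.

```python
import hashlib
import hmac
import socket
import ssl


class PinMismatch(Exception):
    """Raised when the server certificate does not match the pinned fingerprint."""


def normalize_fingerprint(text: str) -> bytes:
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex; return the 32 raw SHA-256 bytes."""
    cleaned = text.replace(":", "").replace(" ", "").strip()
    raw = bytes.fromhex(cleaned)  # raises ValueError on non-hex input
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return raw


def matches_pin(cert_der: bytes, pinned: str) -> bool:
    """Compare SHA-256 of the DER certificate with the pin in constant time."""
    return hmac.compare_digest(hashlib.sha256(cert_der).digest(),
                               normalize_fingerprint(pinned))


def open_pinned(host: str, port: int, pinned: str, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection that trusts exactly one certificate, identified by its pin.

    CA and hostname validation are switched off because a self-signed certificate
    cannot pass them. The pin check is then the only trust decision, so it runs
    before the caller gets the socket and can send any request data.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before CERT_NONE is set
    ctx.verify_mode = ssl.CERT_NONE
    sock = ctx.wrap_socket(socket.create_connection((host, port), timeout=timeout),
                           server_hostname=host)
    cert_der = sock.getpeercert(binary_form=True)
    if cert_der is None or not matches_pin(cert_der, pinned):
        sock.close()
        raise PinMismatch(f"certificate for {host}:{port} does not match the pin")
    return sock


# Constructed sample: stand-in bytes for a DER certificate, not a real one.
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"
SAMPLE_PIN = ":".join(f"{b:02X}" for b in hashlib.sha256(SAMPLE_DER).digest())
```

Because the pin covers the whole certificate, reissuing the self-signed certificate changes the fingerprint and the stored pin has to be updated with it.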