Closed xabre closed 5 years ago
Is this the same as #33? That I will do but, your sub-domains need to be included in the certificate alt names extension.
What is failing here is not the pins themselves but the hostname validation.
I wouldn't dismiss it that easy. The underlying OkHttp implementation for Android already supports this: https://square.github.io/okhttp/3.x/okhttp/okhttp3/CertificatePinner.html -> see wildcard pinning section. If this is still on the table I am willing to help with a PR.
Will definitely take a look.
HA, I can easily do it. Expect a new version later today.
It will be out today.
Thanks for the quick implementation. I have tested this out today and it works as expected on Android but there is an issue on UWP.
I have narrowed it down to the following section of ModernHttpClient/ModernHttpClient/Utility.cs
#if __PORTABLE__ || WINDOWS_UWP
if (string.Compare(hostname, end) != 0) {
return false;
}
#else
if (string.Compare(hostname, length, end, 0, end.Length, true, CultureInfo.InvariantCulture) != 0)
{
return false;
}
#endif
specifically the #if __PORTABLE__ || WINDOWS_UWP
does not account for the sub-string of hostname and thus always compares the full hostname with the sub-pattern. The fix would be to compute the substring of the hostaname starting from the first '.' and then compare.
Example: hostname = test.example.com pattern = *.example.com
for UWP will compare test.example.com
with .example.com
and will always fail :(`
If possbile I would suggest for a .netstandard implementation to avoid the #compiler preprocessor directives.
Ok will fix that later today.
First of all thank you for breathing life back into the ModernHttpClient. I have a question regarding defining hostnames for pins.
The current implementation seems to only accept complete hostnames like:
test-example.com
We have several subdomains/enviornments for our app and I would like to pin them all using a single
Pin
entry. For example:dev.test-example.com
,prod1.test-example.com
,prod2.test-example.com
.The app should be able to deal with new sub-domains without us having to add a new certificate pin and rebuild. It would be totally cool to be able to pin something like
*.test-example.com
.Is this possible with your current implementation or is it planned as a future enhancement?