datatheorem / TrustKit-Android

Easy SSL pinning validation and reporting for Android.
MIT License
584 stars 87 forks

Third party API and SDK not working. #46

Closed naser-shaikh closed 5 years ago

naser-shaikh commented 5 years ago

**Describe the bug** I am using TrustKit 1.0.1 in my Android project. My setting is enforcePinning = "false". APIs for the domain which I have mentioned in the domain tag work well, but the rest of the other APIs are failing with "Certificate validation failed". I have Urban Airship, Facebook and AWS APIs and SDKs in the project which are failing. I am not able to launch Urban Airship and cannot download images from AWS.

**To Reproduce** Whenever I launch the application.

**Expected behavior** I need SSL pinning for my mentioned domain only, and the rest of the third-party APIs and SDKs should work as they were working without pinning.

**TrustKit configuration**

```
<?xml version="1.0" encoding="utf-8"?>
********.com **** ****
```

**App details:**
- App target SDK: 26
- App language: Java
- Android version to reproduce the bug: Android N

**Update:** Log showing Urban Airship blocked.

```
- UALib: Request - Request failed URL: https://device-api.urbanairship.com/api/named_users/associate/ method: POST
javax.net.ssl.SSLHandshakeException: Certificate validation failed for www.*****.com
    at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:368)
    at com.android.okhttp.Connection.connectTls(Connection.java:1510)
    at com.android.okhttp.Connection.connectSocket(Connection.java:1458)
    at com.android.okhttp.Connection.connect(Connection.java:1413)
    at com.android.okhttp.Connection.connectAndSetOwner(Connection.java:1707)
    at com.android.okhttp.OkHttpClient$1.connectAndSetOwner(OkHttpClient.java:133)
    at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:466)
    at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:371)
    at com.android.okhttp.internal.huc.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:503)
    at com.android.okhttp.internal.huc.HttpURLConnectionImpl.connect(HttpURLConnectionImpl.java:130)
    at com.android.okhttp.internal.huc.HttpURLConnectionImpl.getOutputStream(HttpURLConnectionImpl.java:261)
    at com.android.okhttp.internal.huc.DelegatingHttpsURLConnection.getOutputStream(DelegatingHttpsURLConnection.java:218)
    at com.android.okhttp.internal.huc.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java)
    at com.android.tools.profiler.support.network.httpurl.TrackedHttpURLConnection.getOutputStream(TrackedHttpURLConnection.java:314)
    at com.android.tools.profiler.support.network.httpurl.HttpsURLConnection$.getOutputStream(HttpsURLConnection$.java:266)
    at com.urbanairship.http.Request.execute(Request.java:180)
    at com.urbanairship.push.BaseApiClient.performRequest(BaseApiClient.java:53)
    at com.urbanairship.push.NamedUserApiClient.associate(NamedUserApiClient.java:52)
    at com.urbanairship.push.NamedUserJobHandler.onUpdateNamedUser(NamedUserJobHandler.java:120)
    at com.urbanairship.push.NamedUserJobHandler.performJob(NamedUserJobHandler.java:75)
    at com.urbanairship.push.NamedUser.onPerformJob(NamedUser.java:97)
    at com.urbanairship.job.Job$1.run(Job.java:91)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1133)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
    at java.lang.Thread.run(Thread.java:762)
Caused by: java.security.cert.CertificateException: Certificate validation failed for www.*******.com
    at com.datatheorem.android.trustkit.pinning.PinningTrustManager.checkServerTrusted(PinningTrustManager.java:148)
    at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:182)
    at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:617)
    at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
    at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:364)
    at com.android.okhttp.Connection.connectTls(Connection.java:1510)
    at com.android.okhttp.Connection.connectSocket(Connection.java:1458)
    at com.android.okhttp.Connection.connect(Connection.java:1413)
    at com.android.okhttp.Connection.connectAndSetOwner(Connection.java:1707)
    at com.android.okhttp.OkHttpClient$1.connectAndSetOwner(OkHttpClient.java:133)
    at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:466)
    at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:371)
    at com.android.okhttp.internal.huc.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:503)
    at com.android.okhttp.internal.huc.HttpURLConnectionImpl.connect(HttpURLConnectionImpl.java:130)
    at com.android.okhttp.internal.huc.HttpURLConnectionImpl.getOutputStream(HttpURLConnectionImpl.java:261)
    at com.android.okhttp.internal.huc.DelegatingHttpsURLConnection.getOutputStream(DelegatingHttpsURLConnection.java:218)
    at com.android.okhttp.internal.huc.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java)
    at com.android.tools.profiler.support.network.httpurl.TrackedHttpURLConnection.getOutputStream(TrackedHttpURLConnection.java:314)
    at com.android.tools.profiler.support.network.httpurl.HttpsURLConnection$.getOutputStream(HttpsURLConnection$.java:266)
    at com.urbanairship.http.Request.execute(Request.java:180)
    at com.urbanairship.push.BaseApiClient.performRequest(BaseApiClient.java:53)
    at com.urbanairship.push.NamedUserApiClient.associate(NamedUserApiClient.java:52)
    at com.urbanairship.push.NamedUserJobHandler.onUpdateNamedUser(NamedUserJobHandler.java:120)
    at com.urbanairship.push.NamedUserJobHandler.performJob(NamedUserJobHandler.java:75)
    at com.urbanairship.push.NamedUser.onPerformJob(NamedUser.java:97)
    at com.urbanairship.job.Job$1.run(Job.java:91)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1133)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
    at java.lang.Thread.run(Thread.java:762)
```

sujayjaju commented 5 years ago

Same issue for me. TrustKit for iOS only checks pinning for the configured domains. Android seems to be enforcing pinning for all domains.

nabla-c0d3 commented 5 years ago

This is a known limitation; see https://github.com/datatheorem/TrustKit-Android/blob/master/README.md#limitations

nabla-c0d3 commented 5 years ago

More specifically: "The SSLSocketFactory or X509TrustManager provided by TrustKit can only be used for connections to the domain that was passed to the getTrustManager() and getSSLSocketFactory() methods".
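The limitation quoted above is the whole explanation of the reported failure: a factory or trust manager obtained from TrustKit is bound to the hostname it was created for, so any other host that is routed through it (here the Urban Airship endpoint) fails with "Certificate validation failed for <pinned domain>". The code below is an added example, not TrustKit's own code and not from anyone in this thread; it shows one way to keep the pinning factory scoped to the pinned domain and leave every other host on the platform's default validation. `PinnedConnections`, `isPinnedHost` and the `www.example.com` placeholder (standing in for the domain redacted in the report) are assumptions made for the example; the `TrustKit.initializeWithNetworkSecurityConfiguration` and `getSSLSocketFactory` calls are the public API the comment above refers to. The exact-hostname match is a deliberate simplification; a config using `includeSubdomains="true"` needs a suffix match instead.

```java
import android.content.Context;

import com.datatheorem.android.trustkit.TrustKit;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

import javax.net.ssl.HttpsURLConnection;

/**
 * Added example (not TrustKit's own code): hand TrustKit's pinning
 * SSLSocketFactory only to connections for the domain it was created for,
 * so third-party SDK hosts keep standard CA validation and are not broken.
 */
public final class PinnedConnections {

    // Hypothetical stand-in for the domain redacted in the issue's config.
    private static final String PINNED_DOMAIN = "www.example.com";

    private final TrustKit trustKit;

    public PinnedConnections(Context appContext) {
        // Loads the pinning policy from res/xml/network_security_config.xml.
        // Do this once per process, e.g. from Application.onCreate().
        this.trustKit = TrustKit.initializeWithNetworkSecurityConfiguration(appContext);
    }

    /** Opens a connection; pinning is applied only when the host is the pinned domain. */
    public HttpURLConnection open(URL url) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        if (conn instanceof HttpsURLConnection && isPinnedHost(url.getHost())) {
            // This factory validates pins for exactly url.getHost(). Reusing it
            // for another host is what produces "Certificate validation failed
            // for <pinned domain>" on that other host, as in the report above.
            ((HttpsURLConnection) conn).setSSLSocketFactory(
                    trustKit.getSSLSocketFactory(url.getHost()));
        }
        // Every other host keeps the default factory: normal CA validation, no pins.
        return conn;
    }

    /** Exact, case-insensitive hostname match (simplification: no includeSubdomains handling). */
    static boolean isPinnedHost(String host) {
        return host != null && host.equalsIgnoreCase(PINNED_DOMAIN);
    }

    // Pattern to avoid: installing the pinned factory process-wide sends every
    // SDK's traffic through the pinned domain's trust manager, which cannot
    // succeed for any other host.
    //   HttpsURLConnection.setDefaultSSLSocketFactory(
    //           trustKit.getSSLSocketFactory(PINNED_DOMAIN));
}
```

With OkHttp the same scoping applies: build one `OkHttpClient` with `.sslSocketFactory(trustKit.getSSLSocketFactory(host), trustKit.getTrustManager(host))` and use it only for requests to that host, while SDKs such as Urban Airship or the AWS client keep their own default clients.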