Hello, I am writing a TrustStrategy which is processing http.spki-pinning. I have one strategy instance per fingerprint (and use it only for one host).
The isTrusted(chain, authType) method will return a CertificateException when the PIN is wrong, and it will "return false" when the pin is correct (defering all other checks to the system trust manager). I wonder now, is it guranteed that chain[0] contains the server certificate which is actually used for the handshake? The Javadoc only says "peer certificate chain" with no further description what can be dependent upon. In my special case the TrustStrategy is also executed before the TrustManager, does this mean I do need to do some more checks to make sure I actually verify the server certificate and not intermediate or excessive certificates? Using httpclient:4.5 like this: HttpClientBuilder builder = HttpClients.custom(); builder.disableCookieManagement(); builder.disableAuthCaching(); builder.disableRedirectHandling(); TrustStrategy pinnedCertTrust = new PinnedCertTrust("e93.."); SSLContext sslcontext = SSLContexts.custom().useProtocol("TLSv1.2").loadTrustMaterial(pinnedCertTrust).build(); SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslcontext, new String[] { "TLSv1.2" }, null, SSLConnectionSocketFactory.getDefaultHostnameVerifier()); builder.setSSLSocketFactory(sslsf); CloseableHttpClient client = builder.build(); Gruss Bernd