On Mon, 2016-03-21 at 14:21 +0100, Bernd wrote:
> Hello,
>
> I am writing a TrustStrategy which is processing http.spki-pinning. I have
> one strategy instance per fingerprint (and use it only for one host).
>
> The isTrusted(chain, authType) method will return a CertificateException
> when the PIN is wrong, and it will "return false" when the pin is correct
> (deferring all other checks to the system trust manager).
>
> I wonder now, is it guaranteed that chain[0] contains the server certificate
> which is actually used for the handshake? The Javadoc only says "peer
> certificate chain" with no further description of what can be depended upon.
>
Bernd,

I am afraid this is the wrong place to seek an authoritative answer to this
question. I believe that the first cert in the chain is the one that uniquely
identifies the peer in the SSL handshake, but it is merely an assumption.

Oleg

> In my special case the TrustStrategy is also executed before the
> TrustManager, does this mean I do need to do some more checks to make sure
> I actually verify the server certificate and not intermediate or excessive
> certificates?
>
> Using httpclient:4.5
>
> like this:
>
> HttpClientBuilder builder = HttpClients.custom();
> builder.disableCookieManagement();
> builder.disableAuthCaching();
> builder.disableRedirectHandling();
> TrustStrategy pinnedCertTrust = new PinnedCertTrust("e93..");
> SSLContext sslcontext = SSLContexts.custom()
>     .useProtocol("TLSv1.2")
>     .loadTrustMaterial(pinnedCertTrust)
>     .build();
> SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
>     sslcontext, new String[] { "TLSv1.2" }, null,
>     SSLConnectionSocketFactory.getDefaultHostnameVerifier());
> builder.setSSLSocketFactory(sslsf);
> CloseableHttpClient client = builder.build();
>
> Regards
> Bernd

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org
For additional commands, e-mail: httpclient-users-h...@hc.apache.org
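An added example, not code from the thread or from HttpClient itself, of the strategy Bernd describes: a TrustStrategy that pins the SHA-256 of the server certificate's SubjectPublicKeyInfo (the pin-sha256 form of RFC 7469), throws on a mismatch, returns false on a match so the default trust manager still performs path validation, and locates the end-entity certificate by structure instead of assuming it is chain[0]. The class name SpkiPinningTrustStrategy, the helper newPinnedClient and the base64 pin value are assumptions of this example. The relevant HttpClient 4.5 behaviour it relies on: the trust manager that SSLContextBuilder installs calls isTrusted first and only invokes the JSSE X509TrustManager when isTrusted returns false, so the strategy sees the chain exactly as the server sent it, before any validation. TLS 1.2 (RFC 5246, section 7.4.2) requires the server to send its own certificate first, but since nothing has checked the chain yet, a misbehaving or malicious server controls the order, which is why the example does not trust the index.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

import javax.net.ssl.SSLContext;

import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.ssl.TrustStrategy;

/** Example SPKI pinning TrustStrategy (assumed name, not part of HttpClient). */
public final class SpkiPinningTrustStrategy implements TrustStrategy {

    private final byte[] expectedPin; // raw 32-byte SHA-256 of the leaf's SubjectPublicKeyInfo

    public SpkiPinningTrustStrategy(String base64Sha256Pin) {
        this.expectedPin = Base64.getDecoder().decode(base64Sha256Pin);
        if (expectedPin.length != 32) {
            throw new IllegalArgumentException("pin must be a base64-encoded SHA-256 digest");
        }
    }

    /** pin-sha256 of a certificate: SHA-256 over the DER SubjectPublicKeyInfo (PublicKey.getEncoded()). */
    public static byte[] spkiSha256(X509Certificate cert) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(cert.getPublicKey().getEncoded());
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    /**
     * Picks the end-entity certificate without assuming chain[0]: a certificate
     * that is the issuer of another certificate in the chain is a CA certificate,
     * not the server's own. Exactly one non-issuer must remain, otherwise the
     * chain is malformed (or padded with unrelated certificates) and is rejected.
     */
    static X509Certificate findEndEntity(X509Certificate[] chain) throws CertificateException {
        List<X509Certificate> leaves = new ArrayList<X509Certificate>();
        for (X509Certificate candidate : chain) {
            boolean issuesAnother = false;
            for (X509Certificate other : chain) {
                if (other != candidate
                        && other.getIssuerX500Principal().equals(candidate.getSubjectX500Principal())) {
                    issuesAnother = true;
                    break;
                }
            }
            if (!issuesAnother) {
                leaves.add(candidate);
            }
        }
        if (leaves.size() != 1) {
            throw new CertificateException("expected exactly one end-entity certificate, found " + leaves.size());
        }
        return leaves.get(0);
    }

    @Override
    public boolean isTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty certificate chain");
        }
        X509Certificate leaf = findEndEntity(chain);
        byte[] actual = spkiSha256(leaf);
        // Constant-time comparison; a mismatch aborts the handshake.
        if (!MessageDigest.isEqual(expectedPin, actual)) {
            throw new CertificateException("SPKI pin mismatch for " + leaf.getSubjectX500Principal()
                    + ", presented pin-sha256=" + Base64.getEncoder().encodeToString(actual));
        }
        // Pin matched. Returning false hands the chain to the default X509TrustManager
        // for PKIX path validation; returning true would skip that entirely.
        return false;
    }

    /** Builds a client that only talks TLS 1.2 to a server whose leaf key matches the pin. */
    public static CloseableHttpClient newPinnedClient(String base64Sha256Pin) throws Exception {
        SSLContext sslContext = SSLContexts.custom()
                .useProtocol("TLSv1.2")
                .loadTrustMaterial(new SpkiPinningTrustStrategy(base64Sha256Pin))
                .build();
        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
                sslContext, new String[] { "TLSv1.2" }, null,
                SSLConnectionSocketFactory.getDefaultHostnameVerifier());
        return HttpClients.custom()
                .disableCookieManagement()
                .disableAuthCaching()
                .disableRedirectHandling()
                .setSSLSocketFactory(sslsf)
                .build();
    }
}
```

Two practical notes. Pinning the SPKI rather than the whole certificate survives routine reissues that keep the key, and the pin can be derived offline with `openssl x509 -in server.pem -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | base64`. And because the strategy returns false on a match, a pinned self-signed certificate will still be rejected by the default trust manager; that is the intended split of responsibilities in Bernd's design, so a self-signed deployment would need the pinned cert in a trust store as well.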