Tuesday, 24 August 2021

Certificate revocation in Flutter

I have an application that uses certificate pinning (using the root certificate), which works and does the job (using SecurityContext); it fails when the certificate is missing or in some way invalid. However, it doesn't seem to work when the certificate is revoked, specifically on Android devices; it does fail on iOS devices. I expect to see a HandshakeException, but instead it continues making HTTP calls even though the certificate is revoked (I also tested this with https://revoked.badssl.com/).

Now I noticed that if I visit https://revoked.badssl.com/ in the browser on my Android device (or using any kind of WebView-based browser), I don't get an error (which I do expect, and am getting, on my desktop and iOS device). Considering this is a general Android issue, if I still want to check that the certificate isn't revoked, or do OCSP validation, how do I go about doing this in Flutter? I couldn't find any specific information regarding this other than Java/Kotlin implementations.



from Certificate revocation in Flutter
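As an added example that is not part of the question above nor the asker's code: since Dart's SecurityContext/HttpClient exposes no revocation or OCSP API, one practical route on Android is a platform channel into Kotlin, where the JDK PKIX machinery can be asked to do the revocation check. The code below is the Android side of that. It wraps the platform trust manager and, after the normal chain validation, re-validates the chain with CertPathValidator against only the pinned root, with a PKIXRevocationChecker attached (OCSP first, CRL fallback, hard-fail, so a missing responder is also a failure). The channel name "app/pinning", the method name "checkRevocation", the "url"/"rootPem" arguments and the class names are this example's own choices; it also assumes API level 24 or later (where getRevocationChecker is declared) and that the device's PKIX provider actually implements it and can reach the OCSP responder/CRL over the network.

```kotlin
// Android side of a Flutter MethodChannel that fails the request when the
// server certificate chain does not validate against the pinned root, or when
// any certificate in the chain is revoked. Example code, not from the question.
import android.os.Handler
import android.os.Looper
import io.flutter.embedding.android.FlutterActivity
import io.flutter.embedding.engine.FlutterEngine
import io.flutter.plugin.common.MethodChannel
import java.io.ByteArrayInputStream
import java.net.URL
import java.security.KeyStore
import java.security.cert.CertPathValidator
import java.security.cert.CertPathValidatorException
import java.security.cert.CertificateException
import java.security.cert.CertificateFactory
import java.security.cert.PKIXParameters
import java.security.cert.PKIXRevocationChecker
import java.security.cert.TrustAnchor
import java.security.cert.X509Certificate
import java.util.EnumSet
import java.util.concurrent.Executors
import javax.net.ssl.HttpsURLConnection
import javax.net.ssl.SSLContext
import javax.net.ssl.TrustManager
import javax.net.ssl.TrustManagerFactory
import javax.net.ssl.X509TrustManager

/** Trust manager: platform validation first, then PKIX + revocation against the pinned root only. */
class RevocationCheckingTrustManager(private val pinnedRoot: X509Certificate) : X509TrustManager {
    private val platform: X509TrustManager = TrustManagerFactory
        .getInstance(TrustManagerFactory.getDefaultAlgorithm())
        .apply { init(null as KeyStore?) }          // null = system trust store
        .trustManagers.filterIsInstance<X509TrustManager>().first()

    override fun checkClientTrusted(chain: Array<X509Certificate>, authType: String) =
        platform.checkClientTrusted(chain, authType)

    override fun checkServerTrusted(chain: Array<X509Certificate>, authType: String) {
        platform.checkServerTrusted(chain, authType)   // expiry, signatures, system roots

        val validator = CertPathValidator.getInstance("PKIX")
        // Assumption: the provider implements getRevocationChecker (declared in API 24+).
        val checker = validator.revocationChecker as PKIXRevocationChecker
        // No SOFT_FAIL: an unreachable OCSP responder/CRL is an error, not a pass.
        checker.options = EnumSet.noneOf(PKIXRevocationChecker.Option::class.java)

        val params = PKIXParameters(setOf(TrustAnchor(pinnedRoot, null))).apply {
            isRevocationEnabled = true
            addCertPathChecker(checker)
        }
        // The pinned root is the trust anchor, so the path is the chain without it.
        val path = CertificateFactory.getInstance("X.509")
            .generateCertPath(chain.filter { it != pinnedRoot })
        try {
            validator.validate(path, params)
        } catch (e: CertPathValidatorException) {
            // e.reason is BasicReason.REVOKED for a revoked certificate.
            throw CertificateException("pinning/revocation check failed: ${e.reason}", e)
        }
    }

    override fun getAcceptedIssuers(): Array<X509Certificate> = arrayOf(pinnedRoot)
}

/** Opens an HTTPS connection through the checking trust manager; throws on any failure. */
fun probeWithRevocationCheck(url: String, rootPem: String) {
    val root = CertificateFactory.getInstance("X.509")
        .generateCertificate(ByteArrayInputStream(rootPem.toByteArray())) as X509Certificate
    val ctx = SSLContext.getInstance("TLS")
    ctx.init(null, arrayOf<TrustManager>(RevocationCheckingTrustManager(root)), null)
    val conn = URL(url).openConnection() as HttpsURLConnection
    conn.sslSocketFactory = ctx.socketFactory
    conn.requestMethod = "HEAD"
    try {
        conn.connect()          // handshake runs checkServerTrusted, then hostname verification
        conn.responseCode       // forces the request to complete
    } finally {
        conn.disconnect()
    }
}

class MainActivity : FlutterActivity() {
    private val executor = Executors.newSingleThreadExecutor()  // OCSP/CRL fetches need a background thread

    override fun configureFlutterEngine(flutterEngine: FlutterEngine) {
        super.configureFlutterEngine(flutterEngine)
        MethodChannel(flutterEngine.dartExecutor.binaryMessenger, "app/pinning")
            .setMethodCallHandler { call, result ->
                if (call.method != "checkRevocation") {
                    result.notImplemented(); return@setMethodCallHandler
                }
                val url = call.argument<String>("url")!!
                val rootPem = call.argument<String>("rootPem")!!
                executor.execute {
                    val outcome = runCatching { probeWithRevocationCheck(url, rootPem) }
                    Handler(Looper.getMainLooper()).post {
                        outcome.onSuccess { result.success(true) }
                            .onFailure { e -> result.error("REVOCATION", e.toString(), null) }
                    }
                }
            }
    }
}
```

From Dart this is invoked as `MethodChannel('app/pinning').invokeMethod('checkRevocation', {'url': ..., 'rootPem': ...})`, and a revoked chain (for example https://revoked.badssl.com/, which is only pinnable with its public root, not the app's own) surfaces as a PlatformException with code REVOCATION rather than silently succeeding. Note that this only gates a probe request; the Dart HttpClient's own connections are still validated by SecurityContext alone, so either route the real traffic through the native side too, or run the probe before trusting a host for the session.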
