Implement SSL certificate pinning

As part of enhancing the security of SSL/TLS communications, SSL certificate pinning can be an important element in your security strategy. This topic will walk you through the process of implementing certificate pinning.

Understanding Certificate Pinning

Certificate pinning involves hardcoding the certificate that is known to be used by the server within the client application. During the SSL handshake, the presented server certificate is matched against this pre-configured certificate in the client’s keystore.

The key points of certificate pinning include: - The client application is explicitly aware of the server’s certificate. - Any mismatch between the expected certificate and the presented certificate during the handshake will lead to the client terminating the session, thereby preventing man-in-the-middle attacks.

Notice

There are no specific build flags required to implement certificate pinning.

Configuring Certificate Pinning

Follow these steps to set up certificate pinning:

In your client application, make use of the CERT_STORE_addTrustPoint API function to add the server’s certificate that you want to pin against. This is done so that the client trusts the server certificate without needing to validate the entire certificate chain.

By executing this process, you are directly validating the server certificate as trusted during the SSL handshake. This means that the typical chain of trust validation is not performed, and the session security relies on the match of the hardcoded certificate.

In this section:

Implement SSL certificate pinning

Understanding Certificate Pinning

Notice

Configuring Certificate Pinning

Search results