Got a question re how to do the subject, does anybody have any experience with this? The app is not in the play store, it is internal to a business and distributed accordingly. They want to protect against “man in the middle” attacks.
Hi,
I haven’t done it for Android, but if you are using Indy components,
I have used bits like this:
Setup (the case branch the snippet comes from is kept as posted):
2, 3: // fingerprint custom check.
begin
  FSSLIO.SSLOptions.VerifyMode := [sslvrfPeer]; // or [sslvrfPeer, sslvrfFailIfNoPeerCert]
  FSSLIO.SSLOptions.VerifyDepth := 0;            // only the leaf (depth 0) is checked
  FSSLIO.OnVerifyPeer := SSLVerifyFingerprint;   // our pin check below
end;
Fingerprint test.
Note: you should no longer be using SHA-1; use SHA256AsString rather than SHA1AsString.
function TMyConnector.SSLVerifyFingerprint(Certificate: TIdX509; AOk: Boolean;
  ADepth, AError: Integer): Boolean;
var
  sFingerPrint: string;
begin
  Result := True;
  // SHA-256 fingerprint of the presented certificate (SHA-1 should no longer be used)
  sFingerPrint := Certificate.Fingerprints.SHA256AsString;
  if ADepth = 0 then // leaf certificate; the only depth reached with VerifyDepth = 0
  begin
    // FReferenceFingerprint (name assumed) holds the expected fingerprint shipped with the client
    Result := SameText(sFingerPrint, FReferenceFingerprint);
    if not Result then
      Log('Certificate fingerprint mismatch: ' + sFingerPrint); // Log is the app's own logger (assumed)
  end;
end;
Then check the obtained fingerprint against the reference fingerprint if ADepth = 0
(it should only be 0 with VerifyDepth = 0).
Log and fail if it doesn’t match.
You need to update the reference fingerprint on the client every time you replace the
server cert.
Regards
Roger
Forwarded by: [email address removed]
Date sent: Sun, 15 Aug 2021 12:43:28 +0000
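Putting the pieces from Roger's reply together, here is an added example (not code from the thread or from Indy itself) of a small Indy HTTP client that pins the server's leaf certificate by its SHA-256 fingerprint. It assumes Indy 10 built against OpenSSL, where TIdX509.Fingerprints.SHA256AsString and the OnVerifyPeer signature with AError exist; the unit name, class name, logging call and pin values are the example's own. It goes one step beyond the thread by accepting a list of pins, so the fingerprint of the next certificate can be shipped to clients before the current one is replaced, which is the rotation problem Roger points out.

```pascal
unit PinnedClient;

// Added example, not Roger's code. Assumes Indy 10 with OpenSSL and
// TIdX509.Fingerprints.SHA256AsString; names in this unit are the example's own.

interface

uses
  System.SysUtils, System.Classes, IdHTTP, IdSSLOpenSSL;

type
  TPinnedHttpClient = class
  private
    FHTTP: TIdHTTP;
    FSSLIO: TIdSSLIOHandlerSocketOpenSSL;
    FPins: TStringList; // normalised SHA-256 fingerprints that are accepted
    function SSLVerifyFingerprint(Certificate: TIdX509; AOk: Boolean;
      ADepth, AError: Integer): Boolean;
  public
    constructor Create(const APins: array of string);
    destructor Destroy; override;
    function Get(const AURL: string): string;
  end;

// Strip ':' and blanks and upper-case, so 'ab:cd' and 'ABCD' compare equal.
function NormalizeFingerprint(const AFingerprint: string): string;

implementation

function NormalizeFingerprint(const AFingerprint: string): string;
begin
  Result := StringReplace(Trim(AFingerprint), ':', '', [rfReplaceAll]);
  Result := UpperCase(StringReplace(Result, ' ', '', [rfReplaceAll]));
end;

constructor TPinnedHttpClient.Create(const APins: array of string);
var
  Pin: string;
begin
  inherited Create;
  FPins := TStringList.Create;
  for Pin in APins do
    FPins.Add(NormalizeFingerprint(Pin));

  FSSLIO := TIdSSLIOHandlerSocketOpenSSL.Create(nil);
  FSSLIO.SSLOptions.Mode := sslmClient;
  FSSLIO.SSLOptions.SSLVersions := [sslvTLSv1_2];
  // Ask OpenSSL for the peer certificate and refuse a peer that presents none.
  FSSLIO.SSLOptions.VerifyMode := [sslvrfPeer, sslvrfFailIfNoPeerCert];
  // Depth 0: the callback's decision on the leaf certificate is what counts.
  FSSLIO.SSLOptions.VerifyDepth := 0;
  FSSLIO.OnVerifyPeer := SSLVerifyFingerprint;

  FHTTP := TIdHTTP.Create(nil);
  FHTTP.IOHandler := FSSLIO;
end;

destructor TPinnedHttpClient.Destroy;
begin
  FHTTP.Free;
  FSSLIO.Free;
  FPins.Free;
  inherited;
end;

function TPinnedHttpClient.SSLVerifyFingerprint(Certificate: TIdX509;
  AOk: Boolean; ADepth, AError: Integer): Boolean;
var
  Presented: string;
begin
  // Intermediate and root entries (ADepth > 0) take no part in the pin decision.
  if ADepth <> 0 then
    Exit(True);

  Presented := NormalizeFingerprint(Certificate.Fingerprints.SHA256AsString);
  // Trust comes from the pin list (current certificate plus the next one during
  // rotation), not from the chain result OpenSSL reports in AOk.
  Result := FPins.IndexOf(Presented) >= 0;
  if not Result then
    // Writeln stands in for the application's logger (assumed).
    Writeln(Format('TLS pin mismatch at depth %d (verify error %d): %s',
      [ADepth, AError, Presented]));
end;

function TPinnedHttpClient.Get(const AURL: string): string;
begin
  // A rejected pin surfaces as an Indy/OpenSSL exception from Get.
  Result := FHTTP.Get(AURL);
end;

end.
```

Usage is `TPinnedHttpClient.Create(['AA:BB:...', 'CC:DD:...'])` with the current and the upcoming certificate's SHA-256 fingerprints (placeholders here; take the real values from the server certificate before deployment), then `Get('https://internal.example/api')`. Because the pin list is the trust anchor, a proxy that terminates TLS with its own certificate is rejected even if that certificate chains to a CA the device trusts, which is the "man in the middle" case the original question asks about.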