I want to add a trusted certificate to my HttpClient, but this is not very efficient. Certificates expire so I want to pin the public key. Is there a way to do this in dart/flutter?
Activity
data getter to X509Certificate dart-lang/sdk#33115
us3soap commented on May 29, 2018
We publish a plugin: https://pub.dartlang.org/packages/ssl_pinning_plugin to check pinning with fingerprint (SHA-1).
jamespet77 commented on Aug 2, 2018
Is this available yet? Documentation?
us3soap commented on Aug 2, 2018
It's operational, we are writing the documentation for the release.
jamespet77 commented on Aug 2, 2018
That would be great. So you have a new release for the 0.5.7 beta? It doesn't seem to be compatible with the latest Flutter beta. Getting error:
The current Flutter SDK version is 0.5.7.
Because ssl_pinning_plugin requires Flutter SDK version ^0.4.4, version solving failed.
zoechi commented on Aug 2, 2018
dart-lang/sdk#33115 mentions that this is now fixed in Flutter
Can anyone confirm?
long1eu commented on Aug 2, 2018
yes it works
zoechi commented on Aug 2, 2018
Great! Thanks for the update @long1eu 👍
giaur500 commented on Feb 8, 2019
Well, as I can see, only sha1 is supported. This is a shame, sha1 is very weak. Any thoughts to add sha256? Sha1 is not even worth
zoechi commented on Feb 10, 2019
@giaur500 please create a feature request in https://github.com/dart-lang/sdk/issues
sandeepcmsm commented on Feb 18, 2019
@zoechi @mit-mit thanks for certificate pinning support. Can the SecurityContext validate a public key instead of a certificate? This is more future-proof, as certificate pinning comes with issues of certificate expiry. Or can X509Certificate include the public key SHA-256 signature? Since most native apps are built on public key pinning, this has become one major blockage for our client. Can we reopen the current issue and dart-lang/sdk#33115, since there has not been any activity on the Dart SDK issue for months?
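Added example, not part of the thread and not code from Dart, Flutter or the plugin: it contrasts the two pin types discussed above, a fingerprint over the whole certificate and a SHA-256 pin over its SubjectPublicKeyInfo. It is written in Python with the standard library only; `fake_cert` and its key bytes are constructed, X.509-shaped stand-ins rather than real certificates.

```python
import base64
import hashlib

def der(tag, content):
    # Encode one DER TLV with a definite (short or long form) length.
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + content

def read_tlv(buf, off):
    # Return (content_start, end) of the DER element that starts at off.
    n, start = buf[off + 1], off + 2
    if n & 0x80:                         # long form: low 7 bits = length-of-length
        size = n & 0x7F
        n, start = int.from_bytes(buf[start:start + size], "big"), start + size
    if start + n > len(buf):
        raise ValueError("truncated DER")
    return start, start + n

def spki_of(cert):
    # Slice SubjectPublicKeyInfo (header included) out of a DER certificate.
    off = read_tlv(cert, 0)[0]           # enter Certificate
    off = read_tlv(cert, off)[0]         # enter tbsCertificate
    if cert[off] == 0xA0:                # optional [0] version
        off = read_tlv(cert, off)[1]
    for _ in range(5):                   # serial, sigAlg, issuer, validity, subject
        off = read_tlv(cert, off)[1]
    return cert[off:read_tlv(cert, off)[1]]

def pins(cert):
    # (certificate fingerprint, public-key pin) for one DER certificate.
    spki_hash = hashlib.sha256(spki_of(cert)).digest()
    return hashlib.sha256(cert).hexdigest(), base64.b64encode(spki_hash).decode()

def fake_cert(serial, not_after, key):
    # Constructed sample: X.509-shaped DER with placeholder names, key, signature.
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(0x05, b""))
    name = der(0x30, b"")
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, not_after))
    spki = der(0x30, alg + der(0x03, b"\x00" + key))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial]))
              + alg + name + validity + name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 65))

ORIGINAL = fake_cert(1, b"250101000000Z", b"\x11" * 270)
RENEWED = fake_cert(2, b"260101000000Z", b"\x11" * 270)   # reissued, same key
REKEYED = fake_cert(3, b"260101000000Z", b"\x22" * 270)   # reissued, new key
```

`pins(ORIGINAL)` and `pins(RENEWED)` differ in the certificate fingerprint but share the public-key pin, while `pins(REKEYED)` changes both, so a public-key pin only needs updating when the server key itself is replaced.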
pa1more commented on Jun 6, 2019
Is this issue resolved for SHA2 certificates?
I used webview in my application and it stopped after I installed SSL on my server.
mleonhard commented on Sep 26, 2019
The ssl_pinning_plugin makes its own HTTPS request and checks the certificate. It does not check certificates used by the app's real requests. I see no way to accomplish that with the plugin. This means that apps using the plugin are still vulnerable to MITM.
Edit: I requested a fix in macif-dev/ssl_pinning_plugin#3.
github-actions commented on Aug 27, 2021
This thread has been automatically locked since there has not been any recent activity after it was closed. If you are still experiencing a similar issue, please open a new bug, including the output of flutter doctor -v and a minimal reproduction of the issue.