Hello Jaime,

Is It possible to generate and use an hash from the root certificate (or intermediate certificate) since it has more extended expiration date?

Appreciate your help.

Cheers,

Ricardo Brito

Hi,

This site generate the hash:

https://report-uri.com/home/pkp_hash

Cheers,

Bruno Cantante

Hello!

I'm starting to be upset by not having an error at all :(

I'm using it on my personal environment to test this and it doesn't matter the hash I use in the configuration file, it always works!

Can anyone confirm that the plugin is working the way it should?

Thanks!

Hello, Mikael,

Have you re-generated and reinstalled the app after updating the hashes? Remember that, for these native changes such as these to become effective, a new app must be generated.

Best regards,

Carlos Simões

I see. The other thing that happened to me a couple of times was that I mistakenly thought connections were being allowed, while in reality the app was still working, but in offline mode (AFAIK, this is only the case for one of the platforms, Android I think).

Could you please sanity check if calling a server action on the app is successful?

Best regards,

Carlos Simões

If you haven't changed any of the default Login logic, then yes: a server action is definitely being called.

Well, it looks like you've checked pretty much everything. As a final sanity check, could you confirm if the "pinning.json" file points to the exact hostname you are trying to pin? Wildcards and sub domains are not allowed, so it must match the hostname you want to validate exactly.

If that checks out, could you please open a support case with us, so we can have a look at what's wrong?

Thank you for your patience, and best regards,

Carlos Simões

Hi guys, 

Does SSL pinning plugin already support blob URL?

Thanks.

Tiago Agostinho

Executing the following openssl command: 

openssl x509 -in my-certificate.crt -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

you may get the following error:

unable to load certificate
(...)Expecting: TRUSTED CERTIFICATE

To solve that just specify that your certificate is in the "DER" format (and not in the PEM, which is the default), with the instruction "-inform DER". So the command should be like: 

openssl x509 -inform DER -in my-certificate.crt -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

Hello all,

Just a quick feedback if you fall on this pitfall:

• No wildcards or subdomains are allowed in the host. You must insert the full hostname of your server;

You can use a certificate with a wildcard to re-use on your environments which are segregated in subdomains for example:

• Certificate: *.outsystems.net
• Development Environment: cs11dev.outsystems.net
• Development Environment: cs11qa.outsystems.net

As you notice the environment hostname is a subdomain, this doesn't invalidate it can't be configured in the pinning.json. 

By default, the environment hostname is used but if you have customized the Mobile App Domain Name then this is the hostname which will be used in the SSL Pinning configuration. 

Make sure you are using the hostname which the mobile package was generated and the respective certificate is for that same hostname! 

As a final result the pinning configuration file should look like this:

And always validate the certificate chain by checking the SSL Checker and also the output of the Create your HPKP hash:

Hello, guys,

As stated on a recent email, OutSystems is renewing the "*.outsystemsenterprise.com" certificate and installing as the default for cloud infrastructures April 2020 (as mentioned on this article).

If your mobile app uses SSL Pinning and its server is using this certificate (i.e. if either the “DefaultDNSName” or “Environment hostname” values have a hostname ending in “outsystemsenterprise.com”), then you should do the following steps as soon as possible:

1. Add its new thumbprint/hash to the pinning configurations of your mobile app (you can see the value on the FAQ of this article);

2. Generate and distribute your mobile app.

Make sure you keep both the old and new certificate thumbprints/hashes on the configuration until the certificate has been switched for your environment. At that point, you can safely remove the old hash, generate and distribute a new version of the app.

Does anyone still use this SSL pinning? It seems to be deprecated and no longer supported by many browsers: https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning. See here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning

A note:

If the same value is used for the new hash and for the old one,

"hashes": [
          "sha256/CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=",
          "sha256/CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC="
          ]

 on iOS, the build is generated but does not start.