
Using a pinned certificate will always incorrectly trust peer on iOS

Open · jakobjohansson opened this issue 1 year ago • 1 comment

Description

Due to a condition in didReceiveTrust combined with _checkValidity only being set locally, the trust evaluation will yield false positive results and exit early when using a pinned certificate.

This should potentially be a security risk if providing a certificate using the ca property since the library essentially skips certificate validation.

Steps to reproduce

Steps to reproduce the behavior:

  1. Connect to a server with connectTLS
  2. Use a pinned certificate that doesn't match the server certificate

Current behavior

The code exits early and connects without validating the certificate.

Expected behavior

The certificate should be validated and connection should be dropped.

jakobjohansson, Dec 20 '23 08:12

Bump @Rapsssito

jakobjohansson, Jan 28 '24 22:01