fritzbox-java-api icon indicating copy to clipboard operation
fritzbox-java-api copied to clipboard

Published 20 hours ago verified publisher icon kaklakariada

Support TLS certificate validation

Open Abb4d0n opened this issue 2 years ago • 2 comments

Currently, the TLS certificate of the FritzBox is not validated, which makes the library vulnerable to machine-in-the-middle attacks.

It would be better to support some kind of certificate pinning by comparing the hash of the FritzBox's certificate with the provided hash. Another solution would be to compare the fingerprint of the certificate with the provided fingerprint.

Abb4d0n avatar Aug 06 '22 20:08 Abb4d0n

@Abb4d0n Thank you for your proposal! OkHttp (the HTTP client we use) supports certificate pinning, but only for non-self-signed certificates (see https://square.github.io/okhttp/4.x/okhttp/okhttp3/-certificate-pinner/#note-about-self-signed-certificates).

I am thinking about migrating from OkHttp to the HTTP client included in JDK 11. Then I will revisit your proposal.

kaklakariada avatar Aug 08 '22 18:08 kaklakariada

Blocked by #51

kaklakariada avatar Aug 08 '22 18:08 kaklakariada