Disable hostname verification for our CA certificate only

We previously left this in, since it's generally better to follow TLS rules, but there's one case where it matters: when a client sends a request without using SNI, and so the proxy may not show the right certificate. We want to allow that, and to do so we need to ensure that hostname checks are skipped (but only for our CA - not for any others, which must still follow normal TLS rules).
httptoolkit · Nov 13, 2023 · de4493d · de4493d
1 parent 15869c6
commit de4493d
Showing 1 changed file with 34 additions and 0 deletions.
diff --git a/android/android-certificate-unpinning.js b/android/android-certificate-unpinning.js
@@ -150,6 +150,40 @@ const PINNING_FIXES = {
 
     // --- Native HostnameVerification override (n.b. Android contains its own vendored OkHttp v2!)
 
+    'com.android.okhttp.internal.tls.OkHostnameVerifier': [
+        {
+            methodName: 'verify',
+            overload: [
+                'java.lang.String',
+                'javax.net.ssl.SSLSession'
+            ],
+            replacement: (targetMethod) => {
+                // Our trust manager - this trusts *only* our extra CA
+                const trustManager = getCustomX509TrustManager();
+
+                return function (hostname, sslSession) {
+                    try {
+                        const certs = sslSession.getPeerCertificates();
+
+                        // https://stackoverflow.com/a/70469741/68051
+                        const authType = "RSA";
+
+                        // This throws if the certificate isn't trusted (i.e. if it's
+                        // not signed by our extra CA specifically):
+                        trustManager.checkServerTrusted(certs, authType);
+
+                        // If the cert is from our CA, great! Skip hostname checks entirely.
+                        return true;
+                    } catch (e) {} // Ignore errors and fallback to default behaviour
+
+                    // We fallback to ensure that connections with other CAs (e.g. direct
+                    // connections allowed past the proxy) validate as normal.
+                    return targetMethod.call(this, ...arguments);
+                }
+            }
+        }
+    ],
+
     'com.android.okhttp.Address': [
         {
             methodName: '$init',