Multiple questions related to Dynamic TLS/SSL Pinning #241
Replies: 1 comment
-
Hi @estelle-lnd, Thank you for the detailed questions!
We will be happy to show you more in person - could you please reach out to [email protected]? With kind regards, Petr D.
-
Hello everyone,
We are currently reviewing your solution for dynamic SSL Pinning for our mobile apps and have a few questions about its usage and functionality.
We understood that the global mechanism relies on the certificate expiration date, but our question is linked to the typical use case when the server certificate is changed unexpectedly (so independently of the certificate expiration date).
1 - How does the mobile client handle this case (so after a failed connection), and how is the certificate fingerprint library kept updated on the server side?
2 - We also noted the `UpdateMode.forced` that forces an update. Is it good practice to always force an update? Can the force update be done after an authentication challenge fails?
3 - Should the server application have access to some kind of certificate repository kept up to date, or can it detect the certificate change live on the real URL and keep the fingerprint library updated on its own?
Other questions related to your solution:
4 - If we decide to deploy the service on our own domain, is there any exchange with your server? If so, what does the exchange entail?
5 - How is Wultra handling certificate storage? Can you confirm that you store both fingerprints and certificates?
https://github.com/wultra/mobile-utility-server/blob/develop/docs/Database-Structure.md
From this documentation, it seems that you store both the fingerprint and the PEM file.
6 - In which cases can the Dynamic SSL Pinning Utility Tool be used?
https://github.com/wultra/ssl-pinning-tool
We appreciate your assistance.
Thank you.