Certificate pinning


#1

Hello there!

I wasn’t able to confirm this information from the documentation, but do you use certificate pinning inside your SDK when connecting to your servers?

Thank you!


#2

To my knowledge, there’s no certificate pinning in SDKs.
Often the platform or the SDK itself will provide a hook which allows you to pin any certificate you want, such as for sentry.io or your self-hosted Sentry.

I wonder if it was already considered to add it by default, when the DSN points to sentry.io for example.

Do you have a regulatory requirement or another motivation for this?

/cc @mitsuhiko, @HazAT


#3

Yeah, we need it for regulatory reasons.

Can you link me to the method that provides the hook? We are using a sentry.io-hosted instance.

Thank you!


#4

This is an example for .NET Framework.
For .NET Core (or any other runtime) on the new .NET SDK you can do it through the callback to HttpClientHandler when it’s created.

Which SDKs are you using?


#5

The Android SDK.


#6

It looks like this can be done via app configuration without having to change any code:


#7

Thank you, @bretthoerner, for your response!

A couple of things:

  • Network security configuration is available only starting from Android N (although a backport does exist).
  • From our perspective, we would ideally prefer if Sentry would do this automatically, given that it is not a good idea to pin to a certificate that one does not own (in case it changes).
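
For reference, an added example (not part of the original thread and not Sentry's own configuration) of the Android network security configuration that posts #6 and #7 discuss, with a backup pin and an expiration date to limit the breakage described above when a pinned certificate changes. Assumptions: the file name, the expiration date and both pin values are placeholders, and `includeSubdomains` is set on the assumption that the DSN may point at a subdomain of sentry.io.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!--
  res/xml/network_security_config.xml (the file name is a convention).
  Referenced from AndroidManifest.xml on the application element:
    android:networkSecurityConfig="@xml/network_security_config"
  Honoured by the platform from Android N (API 24) onwards, as noted in post #7.
-->
<network-security-config>
    <!-- Refuse plain HTTP to the pinned host as well. -->
    <domain-config cleartextTrafficPermitted="false">
        <!-- Host from the thread; subdomain coverage is an assumption. -->
        <domain includeSubdomains="true">sentry.io</domain>

        <!--
          Pins are base64 SHA-256 digests of a certificate's
          SubjectPublicKeyInfo. A connection is accepted if any one pin
          matches a certificate in the validated chain.
          After the expiration date (constructed value here) pinning is no
          longer enforced, so app versions that were never updated keep
          reporting instead of failing every connection.
        -->
        <pin-set expiration="2099-01-01">
            <!-- Placeholder: pin for the key currently in the chain. -->
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_SPKI_SHA256_BASE64=</pin>
            <!-- Placeholder: backup pin for a key not yet in use, so a
                 key rotation on the server side does not lock the app out. -->
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_SPKI_SHA256_BASE64=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
```

Because the host's certificates are not under the app owner's control, any pin set like this has to be tracked against the server's actual chain and shipped in an app update before the expiration date or a key rotation.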

#8

That’s fair, I’ve created an issue on sentry-java for now: https://github.com/getsentry/sentry-java/issues/623


#9

Thank you.