SSL Certificate Pinning not working anymore on Android 9

别说谁变了你拦得住时间么 Submitted on 2019-12-05 05:59:46

I just had the same issue. According to the Android 9 Change-Log this is expected for certificates without SAN:

RFC 2818 describes two methods to match a domain name against a certificate—using the available names within the subjectAltName (SAN) extension, or in the absence of a SAN extension, falling back to the commonName (CN).

However, the fallback to the CN was deprecated in RFC 2818. For this reason, Android no longer falls back to using the CN. To verify a hostname, the server must present a certificate with a matching SAN. Certificates that don't contain a SAN matching the hostname are no longer trusted.

Source: Hostname verification using a certificate

PRAMOD KUMAR

To verify a hostname, the server must present a certificate with a matching SAN. Certificates that don't contain a SAN matching the hostname are no longer trusted.

My query is: if the certificate is a wildcard like *.mydomain.com for a domain like online.mydomain.com, will the SAN *.mydomain.com work, or is the wildcard no longer supported?
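The SAN-only matching described in the quoted change log can be checked offline against a server certificate before clients start rejecting it. The sketch below is an added example, not code from the posts above or from Android; it takes certificates in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, and its wildcard handling (whole left-most label only, single label) follows the usual RFC 6125 convention as an assumption rather than a statement of Android's implementation.

```python
# Added example: SAN-only hostname matching with no commonName fallback.
# Certificates are dicts in the shape returned by ssl.SSLSocket.getpeercert().

def dns_name_matches(pattern: str, host: str) -> bool:
    """Match one SAN dNSName against a hostname, label by label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Wildcard covers exactly one label; requiring two fixed labels after it
        # (so "*.com" never matches) is an assumed strict policy.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    if any("*" in label for label in p_labels):
        return False  # partial or non-left-most wildcards are rejected
    return p_labels == h_labels


def san_dns_names(cert: dict) -> list:
    """Return the dNSName entries of the subjectAltName extension, if any."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True only if a SAN dNSName matches; the subject commonName is never read."""
    return any(dns_name_matches(name, hostname) for name in san_dns_names(cert))


def diagnose(cert: dict, hostname: str) -> str:
    """Explain the outcome, to spot CN-only certificates before clients do."""
    if not san_dns_names(cert):
        return "no SAN dNSName: rejected (commonName is ignored)"
    if hostname_matches(cert, hostname):
        return "match"
    return "SAN present but no entry matches"


# Constructed sample certificates (not real ones).
CN_ONLY = {"subject": ((("commonName", "online.mydomain.com"),),)}
WILDCARD_SAN = {
    "subject": ((("commonName", "mydomain.com"),),),
    "subjectAltName": (("DNS", "*.mydomain.com"), ("DNS", "mydomain.com")),
}

if __name__ == "__main__":
    for host in ("online.mydomain.com", "a.b.mydomain.com", "mydomain.com"):
        print(host, "->", diagnose(WILDCARD_SAN, host))
    print("CN only ->", diagnose(CN_ONLY, "online.mydomain.com"))
```

For a live server, pass the dict from `getpeercert()` on a connected `ssl.SSLSocket` to `diagnose` together with the hostname the app pins against.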
