Listener for SSL pinning errors

[leabaertschi]

Hi,

we'd like to know if some request is failing due to an issue with SSL pinning. As far as I've seen the error callback parameter in react-natives XMLHttpRequest does not look any different whether you request from a non-existing domain or there's an issue with the certificate. Would it be possible to implement some listener or something similar that would be called if there is an issue with the pinned certificates?

Kind regards,
Lea

[matthieugicquel]

Hello,

While it would be nice to have, I don't plan to work on this feature at this time. If you would like to contribute it, please tell and we can discuss it further :)

[leabaertschi]

Hey, I quickly checked with some people here and we think it would be worth to invest some time and contribute. I'll be on holidays for the next two weeks though. But it would be great if we could have a chat afterwards to see how to proceed.

[leabaertschi]

Hi Matthieu, sorry, that took a bit longer. I would have time to start on this in the next weeks. Shall I just create a merge request and we go from there? Or is there something I need to know?

[matthieugicquel]

Hi,

Yes you can open a merge request :)

When looking into the topic a little, I noticed that:

• On the Android side, it seems possible to identify that an error was triggered by SSL pinning
• On iOS, it doesn't seem easy, but TrustKit has a listener mechanism instead, designed for sending the info to a logging service

What approach do you need / do you plan to implement? Specific listener, or a way to identify that an error is a pinning error, or something else?

It would be great to have the same JS API for iOS and Android, if that's technically possible despite what I wrote above

[leabaertschi]

My intention was to implement a listener. I agree that it should work the same no matter the platform on JS side. I'll look into it.