authentication - How to prevent clients from retrieving my server's certificate -
I have a secure API for mobile clients. I perform certificate pinning and have achieved it. The problem is that if I run the command openssl s_client -connect xxx.xxxxxxxxx.com:443 I can see the certificate. I believe whoever has the URL can see the certificate and connect to the APIs.

How can I prevent access to the certificate, so that only the mobile app can access it and it is not public?
Anyone who connects to an SSL/TLS server can view the server's certificate, because it is public. This is normal behavior.

But that does not mean they can connect to the API. With an authentication mechanism added, whoever connects has to present credentials, for example user/password.

With SSL/TLS it is also possible to require a client certificate to establish the secure channel. This is called two-way authentication. It is not used on mobile devices because of the difficulty of distributing electronic certificates.

I suggest adding authentication to the API if you have not done so.
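The following is an added example, not code from the original question or answer, showing what "authentication on top of TLS" looks like in practice: a per-client shared secret signs each request with HMAC-SHA256, and the server rejects anything unsigned, tampered, stale or replayed. The client_id, secret, header names and enrollment table are hypothetical; the point is that seeing the server certificate with openssl s_client lets someone open a TLS connection to the port, but gives them none of the material needed to produce a valid signature.

```python
"""Request authentication layered on top of TLS (added example).

Assumed setup (not from the original post): each mobile client holds a
client_id and a per-client secret provisioned at enrollment. Every API
request carries a timestamp, a random nonce and an HMAC-SHA256 over the
request; the server recomputes the MAC and rejects anything unsigned,
tampered, replayed or stale.
"""
import hashlib
import hmac
import os
import time

# Constructed enrollment table: client_id -> shared secret (hypothetical values).
CLIENT_SECRETS = {
    "android-app-v3": b"0f1e2d3c4b5a69788796a5b4c3d2e1f0",
}
MAX_SKEW_SECONDS = 300     # reject timestamps more than 5 minutes from server time
_seen_nonces = set()       # replay cache; in production use a store with expiry


def canonical_string(method, path, body, client_id, ts, nonce):
    """Bytes that get MACed. Every field that matters is bound, so a valid
    signature cannot be moved to a different method, path or body."""
    body_hash = hashlib.sha256(body).hexdigest()
    fields = [method.upper(), path, body_hash, client_id, str(ts), nonce]
    return "\n".join(fields).encode()


def sign_request(method, path, body, client_id, secret, ts=None, nonce=None):
    """Client side: returns the headers to send alongside the request."""
    ts = int(time.time()) if ts is None else ts
    nonce = os.urandom(16).hex() if nonce is None else nonce
    msg = canonical_string(method, path, body, client_id, ts, nonce)
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"X-Client-Id": client_id, "X-Timestamp": str(ts),
            "X-Nonce": nonce, "X-Signature": mac}


def verify_request(method, path, body, headers, now=None):
    """Server side: True only for a request signed with a known client secret,
    inside the time window, carrying a nonce not seen before."""
    now = int(time.time()) if now is None else now
    try:
        client_id = headers["X-Client-Id"]
        ts = int(headers["X-Timestamp"])
        nonce = headers["X-Nonce"]
        provided = headers["X-Signature"]
    except (KeyError, ValueError):
        return False                    # unsigned or malformed: what a bare s_client user can send
    secret = CLIENT_SECRETS.get(client_id)
    if secret is None:
        return False                    # unknown client
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False                    # stale: bounds how long a captured request stays usable
    msg = canonical_string(method, path, body, client_id, ts, nonce)
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, provided):
        return False                    # forged or tampered (constant-time compare)
    if nonce in _seen_nonces:
        return False                    # replay of an already accepted request
    _seen_nonces.add(nonce)
    return True


if __name__ == "__main__":
    body = b'{"amount": 10}'
    hdrs = sign_request("POST", "/v1/transfer", body, "android-app-v3",
                        CLIENT_SECRETS["android-app-v3"])
    print("signed request accepted:", verify_request("POST", "/v1/transfer", body, hdrs))
    print("unsigned request accepted:", verify_request("POST", "/v1/transfer", body, {}))
```

The secret still has to live inside the app, so this is a bar against casual callers rather than against someone who reverse-engineers the binary; per-user credentials or tokens issued after a login, as the answer suggests, are the stronger form of the same idea, and a client certificate (mutual TLS) moves the same check down into the handshake.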