authentication - How to prevent clients from retrieving my server's certificate


I have a secure API for mobile clients. I perform certificate pinning and have achieved it. The problem is that if I run the command openssl s_client -connect xxx.xxxxxxxxx.com:443 I can see the certificate. I believe whoever has the URL can see the certificate and connect to the APIs.

How can I prevent access to the certificate, so that only the mobile app can access it and it is not public?

Anyone who connects to an SSL/TLS server can view the server's certificate, because it is public. This is normal behavior.

But that does not mean they can connect to the API. An authentication mechanism should be added so that whoever connects has to present credentials, for example user/password.

With SSL/TLS it is possible to require a client certificate to establish the secure channel. This is called two-way authentication. It is not used on mobile devices because of the difficulty of distributing electronic certificates.

I suggest adding authentication to the API if you have not done so.
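The two points in the answer above, that the server certificate is handed to every client during the handshake and that access is only denied by an authentication step such as a required client certificate, can be shown end to end with Go's standard crypto/tls package. The program below is an added example and is not code from the question or the answer: it builds a throwaway CA, a server certificate and a client certificate in memory (the names demo-ca, api.example.test and mobile-client are constructed), starts an mTLS server on loopback with ClientAuth set to RequireAndVerifyClientCert, and then connects twice. The first client has no certificate and plays the role of openssl s_client: it still receives the server certificate, but the server refuses to finish the handshake. The second client presents the CA-issued certificate and is accepted. MinVersion is pinned to TLS 1.3 so that the rejected client's Dial completes and the rejection surfaces on the first Read, which is the TLS 1.3 ordering this demo relies on.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

var serial int64 // incrementing serial so every issued certificate is distinct

// issue creates a P-256 certificate for cn. With a nil parent it is a
// self-signed CA; otherwise it is signed by parent/parentKey. All names here are
// constructed for the demo.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)}, // the server is dialled by loopback IP
	}
	if parent == nil {
		tmpl.IsCA = true
		tmpl.BasicConstraintsValid = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Attempt records what one client learned from a connection attempt.
type Attempt struct {
	SawServerCert bool // the server's certificate was received during the handshake
	Accepted      bool // the server finished the handshake and sent its greeting
}

// connect dials addr with cfg and tries to read the server's greeting.
func connect(addr string, cfg *tls.Config) Attempt {
	var a Attempt
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return a
	}
	defer conn.Close()
	// The certificate is part of the handshake, so every client gets it.
	a.SawServerCert = len(conn.ConnectionState().PeerCertificates) > 0
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	buf := make([]byte, 2)
	n, err := conn.Read(buf) // a rejected client gets the server's alert here
	a.Accepted = err == nil && string(buf[:n]) == "ok"
	return a
}

// Demo starts an mTLS server on loopback and returns the outcome for a client
// that presents no certificate and one that presents a CA-issued certificate.
func Demo() (noCert, withCert Attempt, err error) {
	ca, caKey, err := issue("demo-ca", nil, nil)
	if err != nil {
		return
	}
	srv, srvKey, err := issue("api.example.test", ca, caKey)
	if err != nil {
		return
	}
	cli, cliKey, err := issue("mobile-client", ca, caKey)
	if err != nil {
		return
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)

	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // two-way authentication
		ClientCAs:    pool,                           // only certificates from our CA are accepted
		MinVersion:   tls.VersionTLS13,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return
	}
	defer ln.Close()
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) {
				defer c.Close()
				// Handshake fails here when the client has no acceptable certificate.
				if err := c.(*tls.Conn).Handshake(); err != nil {
					return
				}
				c.Write([]byte("ok"))
			}(c)
		}
	}()
	addr := ln.Addr().String()
	noCert = connect(addr, &tls.Config{RootCAs: pool})
	withCert = connect(addr, &tls.Config{
		RootCAs:      pool,
		Certificates: []tls.Certificate{{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}},
	})
	return
}

func main() {
	noCert, withCert, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("no client cert:   saw server cert=%v accepted=%v\n", noCert.SawServerCert, noCert.Accepted)
	fmt.Printf("with client cert: saw server cert=%v accepted=%v\n", withCert.SawServerCert, withCert.Accepted)
}
```

Running it prints saw server cert=true for both clients and accepted=true only for the one holding the CA-issued certificate. The same division of labour applies to the user/password suggestion in the answer: the certificate stays public and the decision to let a caller in is taken by a credential check, whether that check lives in the TLS handshake (client certificates) or in the API layer.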

