
I would like to implement pinning on my Android app (https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning). In short, it's a whitelist of Public Keys that the client will accept. It's hardcoded in my client so that unless the SSL handshake has that specific public key the app won't communicate with the server.

The problem: I want to use Charles Proxy to also see the HTTPS traffic going back and forth and since Charles Proxy is essentially a MITM and signs requests with its own certificate my app rejects it.

Is there any way to give Charles the server certificate (I am in possession of it) and have it use that to sign requests?

browep
I've seen folks do this with Wireshark. I don't ever recall seeing people do it with Charles or Burp. With Wireshark, you need to provide the tool with the server's key or the connection's premaster secret. See [Secure Socket Layer (SSL)](http://wiki.wireshark.org/SSL) on the Wireshark wiki. – jww Jun 24 '14 at 06:25

1 Answer


The answer to Custom CA Certificate in Charles without a password references a blog post about using a Custom SSL Certificate with Charles.

http://codeblog.shape.dk/blog/2014/01/06/custom-ssl-certificate-with-charles-web-proxy/

Kevin Hakanson