Add builder option to disable CA certificate pinning #56

Open: mihir-pradhan wants to merge 1 commit into main from ztcapin-505

@mihir-pradhan

Summary

  • Adds disableCaPinning() method to Client.Builder that disables the bundled CA certificate pin set while keeping TLS verification active via the system trust store
  • Validates mutual exclusivity with setCACerts() — throws DuoException if both are used
  • Uses CertificatePinner.DEFAULT in OkHttp when pinning is disabled

Test plan

  • disableCaPinning() builds a client successfully
  • Combining disableCaPinning() with setCACerts() throws (both orderings)
  • Pins are empty when pinning is disabled (verified via reflection)
  • Pins are present by default (verified via reflection)
  • Proxy + disabled pinning works
  • All existing tests still pass (44 total)

Relates to: https://cisco-sbg.atlassian.net/browse/ZTCAPIN-505

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
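
The behaviour summarised above, as an added sketch that is not the PR's or the project's code: `PinningBuilderSketch`, `API_HOST`, `BUNDLED_PINS`, the build-time placement of the check and the `IllegalStateException` stand-in for `DuoException` are all assumptions. It needs OkHttp on the classpath.

```java
import java.util.Base64;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

/** Hypothetical stand-in for the builder the PR describes; not the project's code. */
public class PinningBuilderSketch {
    // Constructed placeholders: a non-resolvable host and an all-zero SHA-256 pin.
    static final String API_HOST = "api.example.invalid";
    static final String[] BUNDLED_PINS = {
        "sha256/" + Base64.getEncoder().encodeToString(new byte[32])
    };

    private String[] customPins;      // set by setCACerts()
    private boolean pinningDisabled;  // set by disableCaPinning()

    public PinningBuilderSketch setCACerts(String[] pins) { customPins = pins; return this; }
    public PinningBuilderSketch disableCaPinning() { pinningDisabled = true; return this; }

    /** Validating here, not in the setters, makes the check independent of call order. */
    CertificatePinner pinner() {
        if (pinningDisabled && customPins != null) {
            // Stand-in for the DuoException the PR describes.
            throw new IllegalStateException("disableCaPinning() and setCACerts() are mutually exclusive");
        }
        if (pinningDisabled) return CertificatePinner.DEFAULT; // empty pin set
        CertificatePinner.Builder b = new CertificatePinner.Builder();
        for (String pin : customPins != null ? customPins : BUNDLED_PINS) b.add(API_HOST, pin);
        return b.build();
    }

    public OkHttpClient build() {
        // No sslSocketFactory or hostnameVerifier override: chain and hostname
        // validation against the platform trust store stay on either way.
        return new OkHttpClient.Builder().certificatePinner(pinner()).build();
    }

    static boolean rejects(PinningBuilderSketch b) {
        try { b.build(); return false; } catch (IllegalStateException e) { return true; }
    }

    public static void main(String[] args) {
        String[] pins = BUNDLED_PINS;
        System.out.println(new PinningBuilderSketch().disableCaPinning().pinner() == CertificatePinner.DEFAULT);
        System.out.println(new PinningBuilderSketch().pinner().equals(CertificatePinner.DEFAULT));
        System.out.println(rejects(new PinningBuilderSketch().disableCaPinning().setCACerts(pins)));
        System.out.println(rejects(new PinningBuilderSketch().setCACerts(pins).disableCaPinning()));
    }
}
```

With the pin set empty, any chain that validates against the platform trust store is accepted, including one issued by a root that an administrator or TLS-inspecting proxy has added to that store.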