Mobile client workarounds for ISRG issue

For context, I'm one of the OkHttp maintainers. Yes, generally we just use the system certificates. But we could provide a 20-line example for app developers to use if we know what that looks like.

  import java.security.cert.X509Certificate
  import okhttp3.OkHttpClient
  import okhttp3.tls.HandshakeCertificates
  import okhttp3.tls.decodeCertificatePem

  // The extra root the app should trust in addition to the platform store.
  // (Demo certificate shown here; substitute the real root PEM.)
  val cert: X509Certificate = """
   -----BEGIN CERTIFICATE-----
   MIIBFzCBwgIJAIVAqagcVN7/MA0GCSqGSIb3DQEBBAUAMBMxETAPBgNVBAMMCGNh
   c2guYXBwMB4XDTE5MDkwNzAyMjg0NFoXDTE5MDkwODAyMjg0NFowEzERMA8GA1UE
   AwwIY2FzaC5hcHAwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA8qAeoubm4mBTD9/J
   ujLQkfk/fuJt/T5pVQ1vUEqxfcMw0zYgszQ5C2MiIl7M6JkTRKU01q9hVFCR83wX
   zIdrLQIDAQABMA0GCSqGSIb3DQEBBAUAA0EAO1UpwhrkW3Ho1nZK/taoUQOoqz/n
   HFVMtyEkm5gBDgz8nJXwb3zbegclQyH+kVou02S8zC5WWzEtd0R8S0LsTA==
   -----END CERTIFICATE-----
  """.trimIndent().decodeCertificatePem()  // okhttp-tls PEM decoder; keep the END line free of trailing whitespace

  // Platform roots plus the one extra root; no platform root is removed.
  val handshakeCertificates = HandshakeCertificates.Builder()
      .addPlatformTrustedCertificates()
      .addTrustedCertificate(cert)
      .build()

  // OkHttp requires the socket factory and its matching trust manager to be passed together.
  val client = OkHttpClient.Builder()
      .sslSocketFactory(handshakeCertificates.sslSocketFactory(), handshakeCertificates.trustManager)
      .build()

With the Sectigo issue, there was an existing replacement CA certificate but bugs in older Android stopped it getting used. Switching to the Conscrypt TrustStore impl was an effective fix.

IMHO we wouldn't ship root certificates in OkHttp; it's not our job, and it makes us the weakest point.

A few concrete questions:

  1. Is there a test server already?
  2. Can we write and self-answer the Stack Overflow question for Android OkHttp users now, ahead of this hitting clients?
3 Likes
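As an added example (not the poster's code and not part of OkHttp itself), the following Kotlin shows how an app could supplement the platform trust store only when the device does not already trust the root in question, and refuse to bundle a root that is outside its validity period. It assumes okhttp-tls 4.x (`HandshakeCertificates`, `decodeCertificatePem`) and that the caller supplies the root's PEM text, for example the current ISRG Root X1 PEM downloaded from letsencrypt.org; `platformTrustManager`, `platformTrusts` and `clientTrustingRoot` are names introduced here.

```kotlin
import java.security.KeyStore
import java.security.cert.CertificateException
import java.security.cert.X509Certificate
import java.util.Date
import javax.net.ssl.TrustManagerFactory
import javax.net.ssl.X509TrustManager
import okhttp3.OkHttpClient
import okhttp3.tls.HandshakeCertificates
import okhttp3.tls.decodeCertificatePem

/** Returns the platform's default X509TrustManager (system CA store on Android, cacerts on the JVM). */
fun platformTrustManager(): X509TrustManager {
    val factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
    factory.init(null as KeyStore?) // null = use the platform default trust store
    return factory.trustManagers.filterIsInstance<X509TrustManager>().first()
}

/**
 * True if the platform already trusts a root carrying the same public key as [root].
 * Comparing public keys rather than subject names also matches a cross-signed copy
 * of the same root, which is what older stores may hold instead of the self-signed one.
 */
fun platformTrusts(root: X509Certificate): Boolean =
    platformTrustManager().acceptedIssuers.any { it.publicKey == root.publicKey }

/**
 * Builds an OkHttpClient that trusts the platform roots and, only if the platform
 * lacks it, the supplied [rootPem]. Throws if the supplied root is not valid at [now],
 * so an app never ships an expired root as its fallback.
 */
@Throws(CertificateException::class)
fun clientTrustingRoot(rootPem: String, now: Date = Date()): OkHttpClient {
    val root = rootPem.trimIndent().decodeCertificatePem()
    root.checkValidity(now) // CertificateExpiredException / CertificateNotYetValidException

    val builder = HandshakeCertificates.Builder().addPlatformTrustedCertificates()
    if (!platformTrusts(root)) {
        builder.addTrustedCertificate(root) // supplement, never replace, the platform store
    }
    val handshakeCertificates = builder.build()

    return OkHttpClient.Builder()
        .sslSocketFactory(handshakeCertificates.sslSocketFactory(), handshakeCertificates.trustManager)
        .build()
}

// Usage sketch (ISRG_ROOT_X1_PEM is a placeholder the app must supply from a trusted copy of the PEM):
// val client = clientTrustingRoot(ISRG_ROOT_X1_PEM)
```

Keeping `addPlatformTrustedCertificates()` in every branch is the important design choice: the extra root widens what the client accepts for this one issue without turning the app into a private trust store, which is the "weakest point" concern raised above.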