Add builder option to disable CA certificate pinning #108

Open
AaronAtDuo wants to merge 1 commit into master from disable-ca-pinning

@AaronAtDuo

Contributor

Summary

  • Adds disableCaPinning() method to Http and ClientBuilder that removes CA pin checks while keeping TLS verification active via the OS trust store
  • Throws IllegalStateException at build time if both disableCaPinning() and useCustomCertificates() are set (mutually exclusive)
  • Uses the same newBuilder() pattern as setProxy() and useCustomCertificates()

Test plan

  • Unit tests verify pinning is removed (empty pin set via reflection)
  • Unit tests verify default behavior unchanged (pin set non-empty)
  • Unit tests verify mutual exclusivity throws IllegalStateException
  • Manual test confirmed both paths succeed against api-483c5af7.test.duosecurity.com
  • Full test suite passes (29 tests)
  • Checkstyle passes

This PR was generated with AI assistance (Claude).

Allows callers to opt out of CA pinning while keeping TLS verification
active via the OS trust store. This is a safety valve for customers who
cannot upgrade when a cert chain change breaks pinning.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
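
A sketch of the behaviour the summary describes, added here as an example; it is not code from this PR or from the Duo client. It uses only the JDK and assumes pins are base64 SHA-256 hashes of a certificate's public key, that custom CAs arrive as a `KeyStore`, and that custom CAs replace the default pins. The class names and the pin value are hypothetical; only `disableCaPinning` and `useCustomCertificates` are names from the PR.

```java
import java.security.*;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

// Hypothetical sketch; only disableCaPinning/useCustomCertificates are names from the PR.
public class PinningSketch {
    // Constructed placeholder pin (base64 SHA-256 of a CA public key), not a real value.
    static final Set<String> DEFAULT_PINS = Set.of("<base64-sha256-of-pinned-CA-key>");
    private boolean pinningDisabled;
    private KeyStore customCas; // null = platform trust store
    public PinningSketch disableCaPinning() { pinningDisabled = true; return this; }
    public PinningSketch useCustomCertificates(KeyStore cas) { customCas = cas; return this; }

    public X509TrustManager build() throws Exception {
        if (pinningDisabled && customCas != null) { // mutually exclusive, rejected at build time
            throw new IllegalStateException("disableCaPinning and useCustomCertificates are mutually exclusive");
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(customCas); // a null KeyStore selects the default trust store
        X509TrustManager base = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { base = (X509TrustManager) tm; break; }
        }
        if (base == null) throw new IllegalStateException("no X509TrustManager available");
        // Assumption: custom CAs replace the default pins; disabling pinning leaves none.
        Set<String> pins = (pinningDisabled || customCas != null) ? Set.<String>of() : DEFAULT_PINS;
        return new Pinned(base, pins);
    }

    static final class Pinned implements X509TrustManager {
        private final X509TrustManager base; final Set<String> pins;
        Pinned(X509TrustManager base, Set<String> pins) { this.base = base; this.pins = pins; }
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            base.checkServerTrusted(chain, authType); // chain validation always runs
            if (pins.isEmpty()) return;               // no pins configured: nothing further to check
            try {
                MessageDigest sha = MessageDigest.getInstance("SHA-256");
                for (X509Certificate c : chain) {
                    String pin = Base64.getEncoder().encodeToString(sha.digest(c.getPublicKey().getEncoded()));
                    if (pins.contains(pin)) return;   // one pinned key in the chain is enough
                }
            } catch (NoSuchAlgorithmException e) { throw new CertificateException(e); }
            throw new CertificateException("no certificate in the chain matches a pinned key");
        }
        public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { base.checkClientTrusted(c, a); }
        public X509Certificate[] getAcceptedIssuers() { return base.getAcceptedIssuers(); }
    }
}
```

With pinning disabled, any chain that validates against the platform trust store is accepted, so a deployment that sets this option relies entirely on the integrity of that store.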