Okhttp: Certificate pinning should accept an expiration date

Created on 29 Nov 2016 · 5 comments · Source: square/okhttp


All 5 comments

This "feature" can silently disable certificate pinning which may and will lead to non-updated certificate pins in many apps since developers will not notice any problems.

Let's say I'm on public wifi (say at McDonalds in another country) and my bank app's developers forgot to update certificate pinning (or the app was not updated for a few months) and it starts to silently skip certificate pinning and make my connection vulnerable; that looks like a very real situation to me.

Another interesting consequence is that "hackers" may try to intercept NTP requests and return a "future" time to disable certificate pinning with an expiration date so that validation passes, which also seems possible in the case where they have some level of control over the network, since they are able to do MiTM.

So, for now I'm voting 👎 against this feature, sorry, nothing personal!

@kruton any advice?

@artem-zinnatullin This should be a choice for a developer. A real world problem is an organisation forgetting to update their pins before their cert expires for instance, and they'd rather have their customers able to access things until they can roll out an update instead of deal with thousands of helpdesk calls because they can no longer log in.

@duckinferno if you need this right now, you can do it without changes in the library - just check current date before setting certificate pinning during OkHttpClient configuration :)

Note: this won't work properly for OkHttpClient instances that live for months (which is possible on backend) unless you recreate it, but should be ok for client apps with shorter lifecycle ie Android.
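As an added illustration of the workaround described in the comment above (this is example code written for this page, not part of OkHttp or the commenter's own code), the factory below applies a `CertificatePinner` only while the configured expiry has not passed, and re-evaluates that decision for long-lived processes by rebuilding the client once the expiry is crossed, which addresses the caveat about instances that live for months. The host name, the pin string and the expiry date are placeholders; a real deployment would use its own SPKI hash and date, and would want the disabled state to be visible in logging or monitoring rather than silent, since a lapsed pin is exactly the failure mode the first comment warns about.

```java
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

/** Builds OkHttpClient instances whose certificate pins are enforced only until a chosen expiry date. */
public final class ExpiringPinningClientFactory {
    // Hypothetical host and pin: the pin value is a placeholder, not a real SPKI hash.
    private static final String HOST = "api.example.com";
    private static final String PIN = "sha256/PLACEHOLDER_BASE64_SPKI_HASH=";
    // Hypothetical date after which the developer chooses to stop enforcing the pins.
    private static final Instant PIN_EXPIRY =
            ZonedDateTime.of(2017, 6, 1, 0, 0, 0, 0, ZoneOffset.UTC).toInstant();

    private static OkHttpClient cached;
    private static boolean cachedWithPins;

    private ExpiringPinningClientFactory() {}

    /** Returns whether pinning should still be enforced at the given moment. */
    static boolean pinsStillValid(Instant now) {
        return now.isBefore(PIN_EXPIRY);
    }

    /** Builds a client, deciding about pinning at build time (the approach from the comment above). */
    public static OkHttpClient build(Instant now) {
        OkHttpClient.Builder builder = new OkHttpClient.Builder();
        if (pinsStillValid(now)) {
            builder.certificatePinner(new CertificatePinner.Builder().add(HOST, PIN).build());
        } else {
            // Pins are no longer applied; make that state visible instead of letting it pass silently.
            System.err.println("WARNING: certificate pins for " + HOST + " expired on "
                    + PIN_EXPIRY + "; pinning is not enforced by this client");
        }
        return builder.build();
    }

    /**
     * For long-lived processes: returns a cached client but rebuilds it once the expiry passes,
     * so the pinning decision is re-evaluated rather than frozen at first construction.
     */
    public static synchronized OkHttpClient current() {
        Instant now = Instant.now();
        boolean wantPins = pinsStillValid(now);
        if (cached == null || cachedWithPins != wantPins) {
            cached = build(now);
            cachedWithPins = wantPins;
        }
        return cached;
    }

    public static void main(String[] args) {
        Instant beforeExpiry = PIN_EXPIRY.minusSeconds(1);
        Instant afterExpiry = PIN_EXPIRY.plusSeconds(1);
        System.out.println("pins enforced before expiry: " + pinsStillValid(beforeExpiry)); // true
        System.out.println("pins enforced after expiry:  " + pinsStillValid(afterExpiry));  // false
        // A client built before expiry carries the pinner; one built afterwards falls back to the default.
        OkHttpClient pinned = build(beforeExpiry);
        OkHttpClient unpinned = build(afterExpiry);
        System.out.println("pinned client has custom pinner: "
                + !pinned.certificatePinner().equals(CertificatePinner.DEFAULT));
        System.out.println("unpinned client uses default pinner: "
                + unpinned.certificatePinner().equals(CertificatePinner.DEFAULT));
    }
}
```

Callers that keep one client for the life of the process should obtain it through `current()` rather than holding the result of a single `build()` call; otherwise the date check runs once at startup and the outcome the comment's note describes (a months-old decision that never changes) is exactly what you get. Note also that the clock consulted here is the device clock, which is the dependency the first comment's NTP remark is about.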

Won't fix. No actual since 2016 and as discussed above the client author can decide not to apply.
