I'm developing an Android application (Jetpack Compose with Ktor) that communicates with a server I am building in Go (with Gin).
While I have checked that everything works locally between the application and the server, I am at a stage where I want to make my server only respond to requests from my application (when it goes live). These requests should also be as secure as they can be, so I learned I need to use SSL with a client certificate.
This is something I lack knowledge in, so please forgive my ignorance.
I have read many SO questions (some of them are outdated or don't refer to current libraries) and other resources online, and since this is a personal project, I have understood that I can:
- Create a self-signed certificate (using OpenSSL)
- Use it inside the application
- Configure the Ktor client to use SSL
I am still unsure about what needs to be done server side, but we will get to that later in this question.
After creating the certificate, I put it inside the res/raw resource folder (certificate has a .der file extension) and I am unfamiliar with the configuration I need to make for the Ktor client.
I currently have this in place for the Ktor client:
```kotlin
import io.ktor.client.HttpClient
import io.ktor.client.engine.android.Android
import io.ktor.client.plugins.contentnegotiation.ContentNegotiation
import io.ktor.serialization.kotlinx.json.json
import kotlinx.serialization.json.Json

// Ktor client using the Android engine; only JSON content negotiation is configured so far,
// nothing related to SSL or a client certificate yet.
val client = HttpClient(Android) {
    install(ContentNegotiation) {
        json(
            Json {
                ignoreUnknownKeys = true
            }
        )
    }
}
```
and I read about the different engines in Ktor client, but it seems like I need to use the Android one. On one part of the official documentation, it says to use the network security config XML file to configure SSL in Ktor, but a bit down the page, the official documentation talks about the sslManager property, which kind of confuses me.
- What do I need to do in order to setup the Ktor client to use the certificate in requests?
- What do I need to do on the server side to accept only the requests which are valid?
I know this is a two-part question and it involves two different languages, but you actually can't just do the client part without the server side.
References:
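Added example for the server-side half of the question (this is not code from the question, from Ktor, or from Gin): a Go server that only completes the TLS handshake for clients presenting a certificate issued by a CA it trusts (`tls.RequireAndVerifyClientCert`), plus a client call with and without that certificate. The CA, server and client certificates are constructed in memory so it runs offline; in a real deployment they would be the OpenSSL-generated files. It uses `net/http` and `httptest` instead of Gin, which is an assumption, but a `gin.Engine` is an `http.Handler` and can be passed to `newMTLSServer` in place of the mux.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// certPair is a constructed in-memory certificate with its private key.
type certPair struct {
	cert *x509.Certificate
	der  []byte
	key  *ecdsa.PrivateKey
}

var serial int64 // constructed serial counter; a real CA tracks serials properly

// newCert issues a certificate signed by parent, or self-signed when parent is nil.
func newCert(cn string, isCA bool, parent *certPair) (*certPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")}, // httptest listens on 127.0.0.1
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &certPair{cert: cert, der: der, key: key}, nil
}

// newMTLSServer starts a TLS server that rejects, at the handshake, any client whose
// certificate does not chain to a CA in caPool. handler may be a gin.Engine.
func newMTLSServer(serverCert *certPair, caPool *x509.CertPool, handler http.Handler) *httptest.Server {
	srv := httptest.NewUnstartedServer(handler)
	srv.TLS = &tls.Config{
		MinVersion:   tls.VersionTLS12,
		Certificates: []tls.Certificate{{Certificate: [][]byte{serverCert.der}, PrivateKey: serverCert.key}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the server-side check the question asks about
		ClientCAs:    caPool,
	}
	srv.StartTLS()
	return srv
}

// call performs a GET, presenting clientCert when it is non-nil; a rejected handshake is returned as an error.
func call(url string, caPool *x509.CertPool, clientCert *certPair) (int, string, error) {
	cfg := &tls.Config{RootCAs: caPool, MinVersion: tls.VersionTLS12}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{clientCert.der}, PrivateKey: clientCert.key}}
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), nil
}

// demo builds a CA, a server cert and an app cert, then shows the accept and reject paths.
func demo() (status int, body string, rejectedWithoutCert bool, err error) {
	ca, err := newCert("demo-ca", true, nil)
	if err != nil {
		return
	}
	serverCert, err := newCert("127.0.0.1", false, ca)
	if err != nil {
		return
	}
	appCert, err := newCert("android-app", false, ca)
	if err != nil {
		return
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca.cert)
	mux := http.NewServeMux()
	mux.HandleFunc("/ping", func(w http.ResponseWriter, r *http.Request) {
		// The verified client certificate is visible to the handler for logging or authorization.
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	})
	srv := newMTLSServer(serverCert, pool, mux)
	defer srv.Close()
	status, body, err = call(srv.URL+"/ping", pool, appCert)
	_, _, noCertErr := call(srv.URL+"/ping", pool, nil)
	rejectedWithoutCert = noCertErr != nil
	return
}

func main() {
	status, body, rejected, err := demo()
	fmt.Println(status, body, rejected, err)
}
```

The point for the question: a Go server enforces "only my app" at the TLS layer with `ClientAuth: tls.RequireAndVerifyClientCert` and a `ClientCAs` pool containing the issuing CA; a connection without a valid certificate never reaches the handler. The client side in `call` mirrors what the Ktor client has to be configured with: the CA to trust for the server and the app's own certificate plus private key to present.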