I am writing a client app for Air in FB 4.7 and AS3. The app makes a call to an authentication service that sits behind nginx that is set up for SSL. I can successfully implement "certificate pinning" with SecureSocket, but can't figure out how to then send an HTTP request using SecureSocket. I understand the main use case for SecureSocket is for direct TCP socket communication, but I can't figure out how to do certificate pinning with UrlRequest/UrlLoader.
Is it possible to:
1.) Send an HTTP request with SecureSocket, with which I've already been able to enable "certificate pinning".
2.) Gain access to the server cert with UrlRequest/UrlLoader (or HttpService or UrlStream...) so that I can compare with a locally stored public key or copy of the server's cert.
3.) Using UrlLoader, automatically distrust invalid certs: If someone intercepts the request with a self-signed cert, don't prompt the user and allow them to continue even with an untrusted cert.
4.) Some other method of preventing man-in-the-middle attacks that I'm not thinking of...
Any help with this would be hugely appreciated!