DocMarty84 / miniflutt

Another Miniflux client.
MIT License

HTTPS Connection #24

Open ballj opened 2 years ago

ballj commented 2 years ago

When trying to enter the server address using HTTPS, the device correctly sends the packet but does not look to complete the SSL handshake. A packet capture shows that HTTPS traffic is going out.

The only error message on the app is 'Connection Failed'.

Webserver error log:

    time="2022-09-18T23:20:32Z" level=debug msg="http: TLS handshake error from X.X.X.X:47554: EOF"
    time="2022-09-18T23:20:33Z" level=debug msg="http: TLS handshake error from X.X.X.X:47556: EOF"
    time="2022-09-18T23:20:35Z" level=debug msg="http: TLS handshake error from X.X.X.X:47558: EOF"
    time="2022-09-18T23:20:37Z" level=debug msg="http: TLS handshake error from X.X.X.X:47548: EOF"

Browsing using the phone's Chrome browser works fine (no errors). The site uses a custom CA that is trusted by the phone.

DocMarty84 commented 2 years ago

To be honest, I don't have any experience with a custom CA trusted by the phone. Does that occur with, let's say, a Let's Encrypt certificate?

reyqn commented 1 year ago

I've got the same issue, I wanted to use https on miniflux to use it as a pwa on android, but this broke miniflutt. I can confirm this works with "real" CAs though.

ballj commented 1 year ago

Any update to this one? Looks like it works with a bundled CA but not a custom one added to the Android system. It may be possible to add a flag to trust 3rd party CAs, or load custom ones into the app?

olmokramer commented 9 months ago

I'm experiencing the same issue, using Nginx as a reverse proxy with a Let's Encrypt certificate.

DocMarty84 commented 6 months ago

@ballj @reyqn Could you please try this build: https://github.com/DocMarty84/miniflutt/pull/40#issuecomment-2094252283 ?

@olmokramer If you are using Nginx as a reverse proxy with a Let's Encrypt certificate, then something must be incorrect in your configuration since it should work (I have the same kind of config).

olmokramer commented 6 months ago

@DocMarty84 thanks for replying. It's working now but I don't remember if I actually needed to fix anything or what that fix would've been.

ballj commented 6 months ago

@DocMarty84, tried today, showing as build 1.11.0 when installing from APK. No luck at the moment. Could you confirm if it should show 1.11.0? (want to make sure it got installed correctly from the dev build)

You should be able to create a test setup using the following steps (for testing only - don't use in any production):

  1. Create a custom CA:

    openssl genrsa -out ca.key 4096
    openssl req -x509 -new -nodes -key ca.key -sha256 -days 1826 -out ca.crt -subj '/CN=MyOrg Root CA'

  2. Create CSR for the webserver (change DNS to match correct domain):

    openssl req -new -nodes -out server.csr -newkey rsa:4096 -keyout server.key -subj '/CN=miniflut.example.com' -addext 'subjectAltName = DNS:miniflut.example.com' -addext 'extendedKeyUsage = critical, serverAuth' -addext 'keyUsage = critical, digitalSignature, keyEncipherment'

  3. Sign CSR with CA:

    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 90 -sha256 -extensions v3_req -copy_extensions copy

  4. Load the CA into the Android trust store. This will differ per device, but you should be able to transfer the CA and then open it with the file manager. This will prompt Android to load it into the trust store.

On the webserver: Add server.crt and server.key onto the webserver. On miniflux, set the following vars:

    CERT_FILE=/path/to/server.crt
    KEY_FILE=/path/to/server.key

  1. Test from a browser on Android - Chrome for example (I think for Firefox on Android, the setting for custom certs needs to be enabled in advanced options)
  2. Test from the miniflutt application