ImranR98 / Obtainium

Get Android app updates straight from the source.
https://obtainium.imranr.dev
GNU General Public License v3.0

Expired certificate #1458

Open ThreeDeeJay opened 6 months ago

ThreeDeeJay commented 6 months ago

Prerequisites

Describe the feature

Some download sites like MiniLyrics have an expired certificate, which causes this error:

HandshakeException: Handshake error in client (OS Error: CERTIFICATE_VERIFY_FAILED: certificate has expired(handshake.cc:393))

So it would be nice to have an option to proceed with the download anyway

Describe alternatives you've considered (if applicable)

Firefox is able to download the APK after prompting the user to proceed with the expired certificate

Additional context

I'm not sure how often this app is updated (even the UI is rather old and buggy, but the main functionality of downloading scrolling song lyrics, for better players that can't do it themselves like Musicolet, still works). Also I'm not sure if this would create a vulnerability (I think if there's a worst case scenario like a MITM attack that redirects the download to a modified APK, a signature mismatch would prevent installation anyway), so it should definitely require explicit user confirmation like Firefox.

DwainZwerg commented 6 months ago

so it should definitely require explicit user confirmation like Firefox

Yes.

akramer-zibra commented 6 months ago

Technically it's possible to override the HTTP client behaviour in case of a CERTIFICATE_VERIFY_FAILED error. This Stack Overflow answer shows how: https://stackoverflow.com/a/61312927/2145395. But this example uses the dart:io library and not package:http/http.dart like Obtainium does. It seems as if there is no possibility for this configuration with the http package (https://pub.dev/documentation/http/latest/http/Client-class.html).

UPDATE: The solution above using HttpOverrides may also work with package:http, but only in combination with the IOClient of the http package: https://github.com/dart-lang/http/issues/458 and also https://github.com/dart-lang/http/issues/267
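The following is an added example, not Obtainium's code and not the Stack Overflow answer linked above. It shows the combination the comment describes, a dart:io `HttpClient.badCertificateCallback` wrapped in `package:http`'s `IOClient`, but scoped the way the original report asks for: instead of a blanket override, the callback only accepts a certificate that is past its validity window, for one host, after the user has confirmed that exact certificate's fingerprint. The placeholder URL `example.invalid`, the in-memory maps `confirmedExpiredCerts` / `lastRejectedCert`, and the stub dialog `askUserToAcceptExpired` are assumptions standing in for the app's persistence and UI.

```dart
import 'dart:io';
import 'dart:typed_data';

import 'package:http/http.dart' as http;
import 'package:http/io_client.dart';

/// Hostnames the user explicitly confirmed, mapped to the SHA-1 fingerprint
/// of the exact certificate they were shown (assumed in-memory; a real app
/// would persist this).
final Map<String, String> confirmedExpiredCerts = {};

/// Most recent certificate dart:io rejected per host, kept so the UI can show
/// the user what they are being asked to accept.
final Map<String, X509Certificate> lastRejectedCert = {};

String fingerprintHex(Uint8List bytes) =>
    bytes.map((b) => b.toRadixString(16).padLeft(2, '0')).join(':');

/// "Expired" means it was valid once and is now past its end date. A
/// not-yet-valid certificate does not qualify.
bool isPastValidity(X509Certificate cert, DateTime now) =>
    cert.startValidity.isBefore(now) && cert.endValidity.isBefore(now);

/// badCertificateCallback: dart:io only calls this after normal chain
/// validation has already failed. Accept only a previously confirmed,
/// expired certificate for this exact host; otherwise record it and refuse.
bool allowConfirmedExpiredCert(X509Certificate cert, String host, int port) {
  final offered = fingerprintHex(cert.sha1);
  if (isPastValidity(cert, DateTime.now()) &&
      confirmedExpiredCerts[host] == offered) {
    return true;
  }
  lastRejectedCert[host] = cert;
  return false;
}

/// A package:http Client backed by a dart:io HttpClient that carries the
/// callback. This is per-client, not HttpOverrides.global, so the rest of the
/// app keeps strict validation.
http.Client buildClient() =>
    IOClient(HttpClient()..badCertificateCallback = allowConfirmedExpiredCert);

/// Stand-in for the confirmation dialog (assumption). The real UI would show
/// these fields and return the user's choice; defaulting to false means the
/// download is refused unless someone explicitly says yes.
Future<bool> askUserToAcceptExpired(String host, X509Certificate cert) async {
  print('Certificate for $host expired on ${cert.endValidity}');
  print('  subject: ${cert.subject}');
  print('  issuer:  ${cert.issuer}');
  print('  SHA-1:   ${fingerprintHex(cert.sha1)}');
  return false;
}

/// First attempt with strict validation; on failure, prompt only if the
/// callback recorded an expired certificate for this host, then retry once.
Future<http.Response> downloadWithPrompt(Uri url) async {
  var client = buildClient();
  try {
    return await client.get(url);
  } on Exception {
    // package:http may surface the handshake failure as its own exception
    // type, so the decision is driven by what the callback recorded rather
    // than by the exception class.
    final cert = lastRejectedCert[url.host];
    if (cert == null || !isPastValidity(cert, DateTime.now())) rethrow;
    if (!await askUserToAcceptExpired(url.host, cert)) rethrow;
    confirmedExpiredCerts[url.host] = fingerprintHex(cert.sha1);
    client.close();
    client = buildClient();
    return await client.get(url); // retried; the callback now accepts it
  } finally {
    client.close();
  }
}

Future<void> main() async {
  // Placeholder URL (assumption); nothing from the issue is hard-coded here.
  final resp =
      await downloadWithPrompt(Uri.parse('https://example.invalid/app.apk'));
  print('HTTP ${resp.statusCode}, ${resp.bodyBytes.length} bytes');
}
```

Two design points worth keeping in mind. Because the exception is keyed to one host and one certificate fingerprint, a different certificate presented for the same host (for example by a proxy interposing itself) still fails validation rather than being waved through. And the APK-signature argument from the original report only covers updates: Android refuses an update signed with a different key than the installed package, but a first install of a tampered APK has no such check, so the explicit prompt is doing real work in that case.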

soredake commented 1 week ago

@ImranR98 maybe Obtainium can just ignore different hostnames? Downloading the .xapk through the browser does not produce any errors.

soredake commented 1 week ago

@ImranR98 tried the v1.1.21 release, now I see a different error with "allow insecure http requests". I think Obtainium should not care which domain the APK came from; it is normal on Uptodown that the (x)apk comes from a different domain.

New error: [image]

ImranR98 commented 1 week ago

Never seen that error, it's not something Obtainium is checking for explicitly. What's the URL you're adding?

soredake commented 1 week ago

@ImranR98 this URL: https://fate-grand-order.en.uptodown.com/android/download, can be reproduced with the steps from this issue

ImranR98 commented 1 week ago

If it's this one: https://fate-grand-order.en.uptodown.com/android

I was able to download it without problems (it couldn't install but that's a separate issue).

soredake commented 1 week ago

@ImranR98 unfortunately the Uptodown URL without "/download" results in an "apk not found" error: [image]

ImranR98 commented 1 week ago

That's weird, Obtainium should be trimming the path anyway.

soredake commented 1 week ago

Created dedicated issue about this https://github.com/ImranR98/Obtainium/issues/1827