JagandeepBrar / lunasea

Self-hosted software controller built using Flutter
https://www.lunasea.app
GNU General Public License v3.0
1.31k stars, 64 forks

[Bug] Self signed TLS trusted by OS is not trusted by app #255

Closed (danopia closed 4 years ago)

danopia commented 4 years ago

Describe the Bug

When configuring an endpoint with self-signed certificates, it seems that the app uses a certain fixed trust store. I have added a CA certificate to the Android OS, so Chrome trusts the connection, but LunaSea is still requiring that certificate validation is disabled.

To Reproduce

Unfortunately not the easiest setup to reproduce because you need a Certificate Authority. Maybe easiest to install Charles Proxy or another tool that can MITM HTTPS, since they will make a certificate file for you.

Anyway, once you have one:

  1. Install the .pem certificate into Android via Settings -> Security -> Encryption -> Trusted credentials
  2. Point LunaSea at a server using that certificate
  3. Test Connection

This log line is generated:

DioError [DioErrorType.DEFAULT]: HandshakeException: Handshake error in client (OS Error: CERTIFICATE_VERIFY_FAILED: unable to get local issuer certificate(handshake.cc:354))

Expected Behaviour

As long as the certificate authority is trusted by the operating system, I would expect it to be trusted by the app as well. I should be able to access such servers without disabling server validation.

Versions

Latest, on Android 11

Additional context

I looked into the Flutter side a bit and it sounds like Flutter is using its own CA bundle: https://github.com/flutter/flutter/issues/41781#issue-501543862 which would be annoying.

JagandeepBrar commented 4 years ago

There is an option for each module to disable strict SSL/TLS validation. This will disable the check against the built-in certificate authority for Flutter. Is this happening even with this option disabled?

Currently there is no easy way to add a certificate to the built-in CA. The certificate needs to be included as an asset, which obviously does not work when each user brings their own certificate.

JagandeepBrar commented 4 years ago

Since you haven't responded I assume the above option has solved the issue. If this is still an issue with your certificates, please reopen the issue with some additional information relating to your certificate.

komaxx commented 2 years ago

@JagandeepBrar Responding in place of @danopia: This issue still exists on Android: User-installed certificates are not honored by Flutter. Requests will work if TLS is deactivated, for example by providing a badCertificateCallback for a HttpClient.

See also:
https://github.com/dart-lang/sdk/issues/48056
https://github.com/flutter/flutter/issues/41781

danopia commented 2 years ago

I forgot that I had filed this :D

I believe LunaSea does have a 'disable TLS verification' checkbox as noted above. Have you tried that?

I never want to disable TLS verification myself, so for this and other reasons I eventually just switched to real TLS certificates.
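
Added example, not part of the thread and not LunaSea's code: a `dart:io` sketch that contrasts the accept-everything `badCertificateCallback` mentioned above with a client that keeps verification on and adds one user-supplied CA to its own trust store. The function names, the `trust_ca.dart` file name and the command-line arguments are assumptions made for illustration.

```dart
import 'dart:io';

/// Weak setting: what disabling TLS validation amounts to. Every certificate
/// is accepted, so any party on the network path can impersonate the server.
HttpClient insecureClient() {
  final client = HttpClient();
  client.badCertificateCallback =
      (X509Certificate cert, String host, int port) => true;
  return client;
}

/// Corrected setting: verification stays on. The context starts from the
/// roots Dart trusts by default and adds a single CA supplied as PEM bytes
/// (hypothetically read from a file the user selects in the app).
HttpClient clientTrustingUserCa(List<int> caPem) {
  final context = SecurityContext(withTrustedRoots: true)
    ..setTrustedCertificatesBytes(caPem); // throws TlsException on bad input
  return HttpClient(context: context);
}

Future<void> main(List<String> args) async {
  if (args.length != 2) {
    stderr.writeln('usage: dart run trust_ca.dart <ca.pem> <https-url>');
    exit(64);
  }
  final caPem = await File(args[0]).readAsBytes();
  final client = clientTrustingUserCa(caPem);
  try {
    final request = await client.getUrl(Uri.parse(args[1]));
    final response = await request.close();
    await response.drain<void>();
    print('verified handshake, HTTP ${response.statusCode}');
  } on HandshakeException catch (e) {
    // Same failure class as the log line in the report: the chain does not
    // lead to any CA in this context, so the connection is refused.
    print('certificate still not trusted: $e');
  } finally {
    client.close(force: true);
  }
}
```

With the second client, a server whose chain leads to the supplied CA completes the handshake, while any other untrusted chain still fails with `HandshakeException` instead of being silently accepted.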