airsdk / Adobe-Runtime-Support

Report, track and discuss issues in Adobe AIR. Monitored by Adobe - and HARMAN - and maintained by the AIR community.

[Feature Request] Ability to suppress network security popups about invalid certificates #1453

Open itlancer opened 2 years ago

itlancer commented 2 years ago

Feature Description

AIR should have the ability to suppress network security popups about invalid certificates programmatically. Right now, if something goes wrong with HTTPS SSL certificate checks using URLLoader/URLStream/Loader/StageWebView/Socket/SecureSocket/NetConnection, the application (OS) just shows a network security error/popup.

Such popups cause the application to "hang" (sometimes crash) until the user chooses something. Moreover, for some retail kiosks there could be no user, and the application just stops working. That's why we need a way to control it programmatically:

1) By default it should work as is. Let the user decide what to do.
2) If such a network security issue happens, some event should be fired, and via AS3 logic we can get all the necessary information about it (including certificate information) and make some additional checks to decide to “block” or “allow” the connection via some SecurityEvent::preventDefault() or something like that. In such a case there shouldn't be any popups, and the application could programmatically allow/block it and show a custom visual notification without hanging/crashing.

There are a lot of different reasons for this issue:

You can use https://badssl.com/ to test it.

This feature is needed for all platforms. Maybe only iOS has some restrictions on that.

Related links:
https://stackoverflow.com/questions/4072377/how-can-i-bypass-or-detect-ssl-certificate-before-the-message-is-shown-in-adobe
https://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/security/CertificateStatus.html

Known Workarounds

none

2jfw commented 2 years ago

Though this is not the answer to your request, I am pretty sure that you cannot simply suppress these notifications by default, as they are coming directly from Windows itself ("Adobe uses the underlying OS certificate store", https://stackoverflow.com/questions/2187758/ssl-client-side-certificate-authentication-in-adobe-air). We are also encountering this and need to work with our own trusted root certificates generated for specific domains/hosts.

Harman would likely have to come up with a custom solution (certificate store) for this - sounds complicated but maybe I'm wrong, so please take my words with a grain of salt on this.

EDIT: In the link there is a work-around described. Maybe this helps...

al-sabr commented 2 years ago

This might be connected to this thread: #1439

al-sabr commented 2 years ago

Actually there's a hack for this problem. One might use the window-handling capabilities of the Win32 API to always check if the specific window is showing, and if yes, get the handle of the button to press; once the handle is acquired, you can internally trigger the button with a virtual click and the window will disappear.

I think each OS has its own handling API; the task is to find them.

I hope this helps.

Windows: https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getwindow

itlancer commented 1 year ago

@ajwfrost Just checked the new certificateError event on Windows devices with URLLoader using the latest AIR 50.2.3.1. It works as expected, thank you! Now we can suppress network security error popups. What I would like to see in future versions:

1) The new event as a proper class.
2) A way to get information about the certificate and the reason for the error, to "make a decision" about preventing or allowing the request.

Also, I will try to check the same using URLStream/Loader/StageWebView/Socket/SecureSocket/NetConnection and on other platforms.

itlancer commented 1 year ago

@ajwfrost The certificateError event isn't fired with StageWebView. Tested on Windows devices using <UseWebView2>true</UseWebView2>. Also tested on Android devices without <runtimeInBackgroundThread>true</runtimeInBackgroundThread>. For testing I used https://expired.badssl.com/ and https://self-signed.badssl.com/

xiangshun110 commented 10 months ago

@itlancer Hi brother, I have a question for you. The SDK version I'm using is 50.2.3.1, and the code looks like this: loader = new URLLoader(); loader.addEventListener("certificateError", certificateError); But I didn't get a certificateError callback event. Is it used like this? Thanks

ajwfrost commented 10 months ago

@xiangshun110 that's how it should be used yes; you'd only see that callback if we find the remote server is using a self-signed certificate though. You can test this with https://self-signed.badssl.com/ Other certificate failures aren't (yet?) being handled in this manner ..

thanks

itlancer commented 9 months ago

@ajwfrost Thanks for new SecurityErrorEvent.CERTIFICATE_ERROR event. Only issue I found for now - it just still doesn't work with StageWebView.

itlancer commented 3 months ago

StageWebView still doesn't support SecurityErrorEvent.CERTIFICATE_ERROR events with AIR 51.1.1.2.

itlancer commented 2 months ago

@ajwfrost SecurityErrorEvent.CERTIFICATE_ERROR supported by URLLoader and URLStream.

But it doesn't work with Loader. Tested with the latest AIR 51.1.1.5. Here is a sample:

package {
    import flash.display.Sprite;
    import flash.net.URLRequest;
    import flash.display.Loader;
    import flash.events.Event;
    import flash.events.IOErrorEvent;
    import flash.events.SecurityErrorEvent;

    public class LoaderCertificateError extends Sprite {
        private var loader:Loader = new Loader();

        public function LoaderCertificateError() {
            const urlRequest:URLRequest = new URLRequest("https://1000-sans.badssl.com/icons/favicon-green.ico");
            loader.contentLoaderInfo.addEventListener(SecurityErrorEvent.CERTIFICATE_ERROR, certificateError);
            loader.contentLoaderInfo.addEventListener(Event.COMPLETE, complete);
            loader.contentLoaderInfo.addEventListener(IOErrorEvent.IO_ERROR, error);
            loader.load(urlRequest);
        }

        private function certificateError(e:SecurityErrorEvent):void {
            trace("certificateError", e.errorID, e.text);
        }

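        private function complete(e:Event):void {
            // e.target is the LoaderInfo, which exposes the loaded object as "content" (it has no "data" property)
            trace("complete", e.target.content);
        }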

        private function error(e:IOErrorEvent):void {
            trace("error");
        }
    }
}

Also it doesn't work for StageWebView.

itlancer commented 2 months ago

@ajwfrost Also it doesn't work with sendToURL(): sendToURL(new URLRequest("https://self-signed.badssl.com/")); We need some way to suppress certificate errors for sendToURL() too. Maybe some new parameter for this method.

itlancer commented 1 month ago

@ajwfrost Also SecurityErrorEvent.CERTIFICATE_ERROR doesn't work on Linux. The event isn't dispatched at all. Here is a sample:

package {
    import flash.display.Sprite;
    import flash.net.URLLoader;
    import flash.net.URLRequest;
    import flash.events.SecurityErrorEvent;
    import flash.events.Event;
    import flash.events.IOErrorEvent;

    public class URLLoaderCloseError extends Sprite {
        private var urlLoader:URLLoader = new URLLoader();

        public function URLLoaderCloseError() {
            const urlRequest:URLRequest = new URLRequest("https://self-signed.badssl.com/");
            urlLoader.addEventListener(SecurityErrorEvent.CERTIFICATE_ERROR, certificateError);
            urlLoader.addEventListener(Event.COMPLETE, complete);
            urlLoader.addEventListener(IOErrorEvent.IO_ERROR, error);
            urlLoader.load(urlRequest);
        }

        private function certificateError(e:SecurityErrorEvent):void {
            trace("certificateError", e.errorID, e.text);
        }

        private function complete(e:Event):void {
            trace("complete");
        }

        private function error(e:IOErrorEvent):void {
            trace("error");
        }
    }
}

itlancer commented 1 month ago

@ajwfrost Also SecurityErrorEvent.CERTIFICATE_ERROR doesn't work for NetStream/NetConnection video playback (I think audio too). Just try changing the OS date to an incorrect one (year 2007, for example) and play back MP4 H.264 video via URL.

ajwfrost commented 1 month ago

To summarise the situation here: we still need to fix support for:

On the Loader object, we just found a place where that needed to be hooked up internally, and then the event is sent out. Will take a look at the others too..

thanks

itlancer commented 1 month ago

@ajwfrost, exactly. For navigateToURL() I think it's not relevant, because it just opens the provided URL via the system default browser. So it's not related to AIR.

itlancer commented 2 weeks ago

@ajwfrost, with the latest AIR 51.1.2.2 it works fine with Loader and on Linux. Thanks! Still needs to be implemented for:

Also needs to be documented:
https://github.com/airsdk/Adobe-Runtime-Support/issues/3567
https://github.com/airsdk/Adobe-Runtime-Support/issues/3566
https://github.com/airsdk/Adobe-Runtime-Support/issues/3565

itlancer commented 1 week ago

@ajwfrost, also should be implemented for Sound. So the full remaining list: