airsdk / Adobe-Runtime-Support

Report, track and discuss issues in Adobe AIR. Monitored by Adobe - and HARMAN - and maintained by the AIR community.

[Feature Request] Ability to suppress network security popups about invalid certificates #1453

Open itlancer opened 2 years ago

itlancer commented 2 years ago

Feature Description

AIR should have the ability to suppress network security popups about invalid certificates programmatically. Right now, if something goes wrong with HTTPS SSL certificate checks using URLLoader/URLStream/Loader/StageWebView/Socket/SecureSocket/NetConnection, the application (OS) just shows a network security error/popup.

Such popups cause the application to "hang" (sometimes crash) until the user chooses something. Moreover, for some retail kiosks there may be no user, and the application just stops working. That is why we need a way to control it programmatically:

1) By default it should work as is. Let the user decide what to do.
2) If such a network security issue happens, some event should be fired, and via AS3 logic we can get all necessary information about it (including certificate information) and make some additional checks to decide whether to "block" or "allow" the connection via some SecurityEvent::preventDefault() or something like that. In such a case there shouldn't be any popups, and the application could programmatically allow/block it and show a custom visual notification without hanging/crashing.

There are a lot of different reasons for this issue:

You can use https://badssl.com/ to test it.

This feature is needed for all platforms. Maybe only iOS has some restrictions about that.

Related links:
https://stackoverflow.com/questions/4072377/how-can-i-bypass-or-detect-ssl-certificate-before-the-message-is-shown-in-adobe
https://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/security/CertificateStatus.html

Known Workarounds

none

2jfw commented 2 years ago

Though this is not the answer to your request, I am pretty sure that you cannot simply suppress these notifications per default as they are coming directly from Windows itself ("Adobe uses the underlying OS certificate store", https://stackoverflow.com/questions/2187758/ssl-client-side-certificate-authentication-in-adobe-air). We are also encountering this and need to work with our own trusted root certificates generated for specific domains/hosts.

Harman would likely have to come up with a custom solution (certificate store) for this - sounds complicated but maybe I'm wrong, so please take my words with a grain of salt on this.

EDIT: In the link there is a work-around described. Maybe this helps...

al-sabr commented 2 years ago

This might maybe be connected to this thread: #1439

al-sabr commented 2 years ago

Actually there's a hack for this problem. One might use the window handling capabilities of the Win32 API to always check if the specific window is showing, and if yes, then get the handle of the button to press. Once the handle is acquired, you can internally trigger the button with a virtual click and the window will disappear.

I think each OS has its own handling API; the task is to find them.

I hope this helps.

Windows : https://www.google.com/url?sa=t&source=web&rct=j&url=https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getwindow&ved=2ahUKEwi82Ongx9n2AhUP-aQKHeKJDm8QFnoECAwQAQ&usg=AOvVaw0-q9u2fhsycES_juGALyNV

itlancer commented 1 year ago

@ajwfrost Just checked the new certificateError event with Windows devices and URLLoader using the latest AIR 50.2.3.1. It works as expected, thank you! Now we can suppress network security error popups. What I would like to see in future versions:

1) The new event as a proper class.
2) Information about the certificate and the reason for the error, to "make a decision" about preventing or allowing the request.

Also, I will try to check the same using URLStream/Loader/StageWebView/Socket/SecureSocket/NetConnection and on other platforms.

itlancer commented 1 year ago

@ajwfrost The certificateError event isn't fired with StageWebView. Tested with Windows devices using <UseWebView2>true</UseWebView2>. Also tested with Android devices without <runtimeInBackgroundThread>true</runtimeInBackgroundThread>. For testing I used https://expired.badssl.com/ and https://self-signed.badssl.com/

xiangshun110 commented 8 months ago

@itlancer Hi brother, I have a question for you. The SDK version I'm using is 50.2.3.1 and the code looks like this:

loader = new URLLoader();
loader.addEventListener("certificateError", certificateError);

But I didn't get a certificateError callback event. Is it used like this? Thanks

ajwfrost commented 8 months ago

@xiangshun110 that's how it should be used, yes; you'd only see that callback if we find the remote server is using a self-signed certificate though. You can test this with https://self-signed.badssl.com/ Other certificate failures aren't (yet?) being handled in this manner...

thanks

itlancer commented 6 months ago

@ajwfrost Thanks for the new SecurityErrorEvent.CERTIFICATE_ERROR event. The only issue I have found for now is that it still doesn't work with StageWebView.

itlancer commented 1 month ago

StageWebView still does not support SecurityErrorEvent.CERTIFICATE_ERROR events with AIR 51.1.1.2.