astubenbord / paperless-mobile

An (almost) fully fledged mobile paperless client.
GNU General Public License v3.0

[BUG] Untrusted/self-signed certificate is ignored #256

Open eliasp opened 11 months ago

eliasp commented 11 months ago

Describe the bug

When using an untrusted/self-signed certificate on the webserver hosting paperless-ngx, the app ignores this. This renders TLS ineffective, since this means anyone could intercept the connection and redirect it to another host with a fake certificate.

To Reproduce

Steps to reproduce the behavior:

  1. Configure webserver to use an untrusted/self-signed certificate
  2. Enter paperless-ngx URL on first App startup
  3. Tap on "Test connection"
  4. Message "Connection successfully established" is shown

Screenshots: Screenshot_20230915-231151

Additional context

I also went through the commits between the release I'm using (2.3.9) and development. There was one related to error handling, but it seems this one doesn't address this issue.

From what I can tell (with zero Dart knowledge), the current TLS error handling only addresses issues with the client certificate.

astubenbord commented 11 months ago

Hi Elias, thanks for reporting. You are correct, SSL errors are currently simply ignored. This decision had to do with client certificates, but I'm sure this will be improved in the future. However, there are currently more important bugs, so this unfortunately might have to wait until the app itself is in a more stable state (which I am currently working on).

Enrico204 commented 11 months ago

I consider this issue very important, so I am willing to try (no guarantees!) to send a pull request to fix it (in a few weeks), if it is ok with you @astubenbord

astubenbord commented 11 months ago

Sure, I can point you to some locations in code.

Enrico204 commented 11 months ago

> Sure, I can point you to some locations in code.

I think I found the point where the check is done: https://github.com/astubenbord/paperless-mobile/blob/162d50bf706bc13d929f4ba45f98a8b9bf84e656/lib/core/security/session_manager.dart#L36

The idea is to check there the validity against a list of allowed certificates (by using the certificate fingerprint). Ideally, a certificate is added to the list by the user explicitly. To simplify, I'd say that, when the certificate is not valid, the app should ask the user if they want to trust the certificate anyway.

What do you think?
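The fingerprint allowlist described above, written out as an added example in plain `dart:io` terms (this is not paperless-mobile code and does not mirror `session_manager.dart`; `CertificateTrustStore`, `buildClient` and the use of the `crypto` pub package are assumptions). It goes one step beyond the comment in two ways: the allowlist is keyed by host, so a certificate the user trusted for one server is not silently accepted for another, and because `badCertificateCallback` is synchronous, the user prompt cannot happen inside it; the callback records the rejected fingerprint and fails the connection, and the UI asks the user and retries.

```dart
// Added example, not project code: trust-on-first-use allowlist of
// certificate fingerprints for a dart:io HttpClient. All names are assumed.
import 'dart:io';
import 'package:crypto/crypto.dart'; // pub package `crypto` (assumed dependency)

/// Hex SHA-256 over the DER encoding of the certificate, the same value a
/// user can compute on the server with
/// `openssl x509 -noout -fingerprint -sha256` to compare against the prompt.
String sha256Fingerprint(X509Certificate cert) =>
    sha256.convert(cert.der).toString();

/// Per-host allowlist. Only certificates the user confirmed end up here;
/// persisting the map between app starts is left to the caller.
class CertificateTrustStore {
  final Map<String, Set<String>> _trusted = {};

  /// Fingerprint and host of the last rejected certificate, so the UI can
  /// show them and ask "trust this certificate anyway?".
  String? pendingFingerprint;
  String? pendingHost;

  bool isTrusted(String host, String fingerprint) =>
      _trusted[host]?.contains(fingerprint) ?? false;

  /// Call only after the user explicitly confirmed the fingerprint.
  void trust(String host, String fingerprint) =>
      _trusted.putIfAbsent(host, () => <String>{}).add(fingerprint);
}

HttpClient buildClient(CertificateTrustStore store) {
  final client = HttpClient();
  // This callback runs only when the platform already rejected the chain
  // (self-signed, expired, hostname mismatch). Returning true unconditionally
  // is exactly the behaviour the issue describes; instead, accept only
  // fingerprints the user pinned for this host.
  client.badCertificateCallback =
      (X509Certificate cert, String host, int port) {
    final fp = sha256Fingerprint(cert);
    if (store.isTrusted(host, fp)) return true;
    // Unknown certificate: remember it for the prompt and fail the handshake.
    store
      ..pendingHost = host
      ..pendingFingerprint = fp;
    return false; // the request fails with a HandshakeException
  };
  return client;
}
```

On a failed "Test connection", the UI reads `pendingHost` / `pendingFingerprint`, shows the fingerprint to the user, and only after an explicit confirmation calls `store.trust(host, fingerprint)` and retries; certificates the platform already accepts never reach the callback, so the allowlist only ever adds trust for chains the user has seen and approved.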

astubenbord commented 11 months ago

Sounds good to me. Do you want to work on this or do you want me to have a look?

Enrico204 commented 11 months ago

I will try :-)

Enrico204 commented 10 months ago

I started working on something, but... life happens, and I won't be able to spare much time in the next few weeks. If you need to implement this quickly, feel free to take over. I will check the issue as soon as I have the free time again :-)

astubenbord commented 10 months ago

No worries, I know how it is ;) If I find the time, I'll have a look.