dreautall / waterfly-iii

Unofficial Android App for Firefly III, a free and open source personal finance manager.
MIT License
346 stars 27 forks

Support user CA installed system-wide #77

Closed (dinccey closed 3 months ago)

dinccey commented 1 year ago

Hi, I have a Firefly instance accessible on my home network or via VPN and I use my own CA for HTTPS. Currently I can paste the PEM of my CA as the custom certificate, but it still fails to connect, citing a certificate error.

Other apps (such as Bitwarden) use the system-wide user-installed certificate and it would be very helpful if this app did the same thing.

Thanks.

dreautall commented 1 year ago

For the custom certificate, you need to paste the actual client certification, not the CA one (of course if the client certificate rotates frequently, that's annoying). If that doesn't work please let me know!

Nonetheless, the request is valid and I'll have to check how to make Flutter do it!

dreautall commented 1 year ago

Looks like this is currently not properly supported by Dart itself, see https://github.com/dart-lang/sdk/issues/50435

For now I hesitate to use https://pub.dev/packages/cronet_http_embedded due to the experimental status. Hope it will get properly integrated into Dart/Flutter soon.

modarken commented 7 months ago

Hello, I tried to enter my PEM multiple ways. My setup is (1) Root CA, (2) Intermediate CA and (3) Endpoint Certificate for my Firefly webserver (Traefik). It's not clear to me what to insert as the certificate in the Android app. Is it the public key of the endpoint certificate (3)? I tried chaining the PEM certs together (1, 2 and 3).

On a side note, it would be nice to be able to set the certificate (private+public key) for the Android app Waterfly. This is so that the server would check the cert and verify the client is an authorized device. I don't want to allow any connections to my server that aren't authorized with my cert. The Traefik web proxy allows for client authentication.

dreautall commented 7 months ago

Hi, you need to use the actual server certificate.

Using a client certificate has been requested in #75. Please note that those tickets don't have the highest priority for me (though I'm always happy if someone wants to help out!) as even the Firefly dev mentioned multiple times that the API endpoint (/api/) doesn't need to be protected - you can't do anything without an API key there.

dreautall commented 4 months ago

I implemented this feature by using the cronet http library in v1.0.3, but forgot a crucial setting to actually allow user CA certificates. I could reimplement this feature now properly for the next version.

However, I also now found a post by the author of the cronet implementation in Dart that custom SSL certificates will never work.

So now it can be either or - allow custom server certificates to be pasted in the app (like right now), or you need to upload it into the Android system. As far as I understood it, only CA certificates can be uploaded into the Android certificate storage (whereas right now you need to paste the server certificate), and I'm not sure if everyone using custom certificates would know how to do that.

Any opinions here? Any good guide I could point users to when they are asking? I guess it depends a ton on their individual setup of reverse proxy etc.

j1mbl3s commented 4 months ago

@dreautall I think that using the local trust store with a vetted verification process is ideal. It more closely follows best practices for a custom PKI - or any PKI in general. I don't think that handling the intricacies of SSL should be Waterfly III's problem to solve.

In regards to guides for installing a CA on the device, it kind of depends on the OS/UI that is installed for each device. There's not really a "one size fits all" guide to it and it's more of a "RTFM" situation. Generally, the advice is to first download the root CA certificate (or the self-signed server certificate) as a .pem file, then either:

dreautall commented 4 months ago

Thank you for the feedback (and testing out the PR), I tend to agree with you. Pasting the server certificate (which, even when self generated, should ideally rotate at least semi-frequently) is kind of an ugly workaround.
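
For readers following the "paste a certificate in the app" option discussed in this thread, here is an added example (not Waterfly III's code and not posted by any participant) of a small Dart probe that trusts a pasted PEM on top of the default roots and reports whether the TLS handshake succeeds. It assumes a plain `dart:io` client; the helper name `clientTrusting`, the file path and the URL arguments are hypothetical.

```dart
import 'dart:convert';
import 'dart:io';

/// Builds an HttpClient that trusts the default roots plus the PEM
/// certificate(s) the user pasted. Hypothetical helper for illustration.
HttpClient clientTrusting(String pastedPem) {
  final pem = pastedPem.trim();
  // Reject private keys, DER files and empty input before touching TLS.
  if (!pem.startsWith('-----BEGIN CERTIFICATE-----')) {
    throw const FormatException('Expected a PEM certificate');
  }
  // withTrustedRoots: true keeps the default roots; the pasted PEM is
  // added to them, so publicly trusted hosts continue to verify as well.
  final context = SecurityContext(withTrustedRoots: true);
  try {
    context.setTrustedCertificatesBytes(utf8.encode(pem));
  } on TlsException catch (e) {
    throw FormatException('PEM could not be parsed: ${e.message}');
  }
  // No badCertificateCallback is set: verification failures stay fatal.
  return HttpClient(context: context)
    ..connectionTimeout = const Duration(seconds: 10);
}

Future<void> main(List<String> args) async {
  // Usage (assumed): dart run probe.dart <path-to-pem> <https-url>
  if (args.length != 2) {
    stderr.writeln('usage: probe <path-to-pem> <https-url>');
    exit(64);
  }
  final client = clientTrusting(await File(args[0]).readAsString());
  try {
    final request = await client.getUrl(Uri.parse(args[1]));
    final response = await request.close();
    await response.drain<void>();
    print('TLS handshake OK, HTTP ${response.statusCode}');
  } on HandshakeException catch (e) {
    // Chain or hostname verification failed with this PEM.
    print('Certificate rejected: ${e.message}');
  } finally {
    client.close(force: true);
  }
}
```

Running it once per candidate PEM (root, intermediate, endpoint) against the same URL shows which one the Dart TLS stack accepts for a given reverse-proxy setup.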