go-vikunja / app


Support User CAs on Android #66

Closed denysvitali closed 6 months ago

denysvitali commented 7 months ago

For some reason Vikunja doesn't use the system trust store on Android - or at least it doesn't care about the user-provided CAs.

This results in a handshake failure.

I have tried to add a network_security_config file, but this approach doesn't seem to work.

Benimautner commented 7 months ago

There is an option in the settings called "Ignore certificates" which should help you do what you want to. I've looked into this in the past and remember not being able to check against the system CA store for some reason.

denysvitali commented 7 months ago

Yes, the option "Ignore certificates" works, but it's the wrong solution. I still want to check my certificate; ignoring it makes the communication vulnerable to a MITM attack. At this point one could just use plain HTTP, which also saves on the encryption overhead.

Benimautner commented 7 months ago

Yes, I know, and it's on the roadmap, but the app is in beta and this is a quick but dirty solution to the problem.

You're welcome to submit a PR.

denysvitali commented 7 months ago

It looks like this is the issue: https://github.com/dart-lang/sdk/issues/50435

Basically, the SDK doesn't follow the system trust store.

The "fix" is to use another HTTP client (platform-specific) that respects the system CAs:

  import 'dart:io' show Platform;
  import 'package:http/http.dart' as http;
  import 'package:http/io_client.dart' as io_client;
  import 'package:cronet_http/cronet_http.dart' as cronet_http;
  import 'package:cupertino_http/cupertino_http.dart' as cupertino_http;

  /// Returns a platform-specific HTTP client. Cronet (Android) and
  /// NSURLSession (iOS/macOS) validate TLS against the OS trust store,
  /// user-installed CAs included; the pure-Dart IOClient does not.
  http.Client get httpClient {
    if (Platform.isAndroid) {
      final engine = cronet_http.CronetEngine.build(
          cacheMode: cronet_http.CacheMode.memory, cacheMaxSize: 1000000);
      return cronet_http.CronetClient.fromCronetEngine(engine);
    }
    if (Platform.isIOS || Platform.isMacOS) {
      final config =
          cupertino_http.URLSessionConfiguration.ephemeralSessionConfiguration()
            ..cache =
                cupertino_http.URLCache.withCapacity(memoryCapacity: 1000000);
      return cupertino_http.CupertinoClient.fromSessionConfiguration(config);
    }
    // Other platforms fall back to dart:io's client (Dart's own root store).
    return io_client.IOClient();
  }

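An alternative that keeps the pure-Dart client, added here as an example and not code from the Vikunja app or from this thread: instead of switching on "Ignore certificates", trust the private CA explicitly by loading it into a `SecurityContext`. The function name and the `caPem` parameter are assumptions; the caller supplies the PEM bytes (e.g. from an app asset).

```dart
import 'dart:io';
import 'package:http/http.dart' as http;
import 'package:http/io_client.dart' as io_client;

/// Builds an http.Client whose TLS verification uses Dart's bundled roots
/// plus one explicitly trusted private CA. Unlike "Ignore certificates",
/// a server presenting a chain that ends at any other root is rejected.
/// `caPem` is the PEM-encoded CA certificate (assumed to be read by the
/// caller, e.g. from an asset); it is a hypothetical parameter.
http.Client clientTrustingPrivateCa(List<int> caPem) {
  // Start from the SDK's trusted roots (these do not include Android's
  // user-installed CAs, which is the gap reported in this issue).
  final context = SecurityContext(withTrustedRoots: true);

  // Add the private CA so chains ending at it verify normally.
  context.setTrustedCertificatesBytes(caPem);

  final httpClient = HttpClient(context: context);
  // Deliberately no badCertificateCallback: leaving it unset keeps
  // hostname and chain validation fully enforced.
  return io_client.IOClient(httpClient);
}
```

Any certificate not chaining to the SDK roots or to `caPem` still fails the handshake, which is the behaviour the reporter asked for.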
Benimautner commented 7 months ago

I'm sorry for not getting back to you sooner, I've been super busy at work and other projects! Yep, that looks like a good solution. I'll try it out and let you know. We've had a bunch of changes to the http client due to that exact reason, but I'm happy to switch once again if this fixes it.