hyperium / hyper-tls

Apache License 2.0

hyper-tls in Android #12

Closed astonbitecode closed 6 years ago

astonbitecode commented 6 years ago

Hi,

I have issues when using hyper-tls in Android, getting certificate verify failed errors:

Error("Io(Error { repr: Custom(Custom { kind: Other, error: Ssl(ErrorStack([Error { code: 336134278, library: \"SSL routines\", function: \"ssl3_get_server_certificate\", reason: \"certificate verify failed\", file: \"s3clnt.c\", line: 1269 }])) }) })"))

Searching around I found these discussions, but it seems that the PRs mentioned are not accepted and I cannot find any workaround...

So, I would like to ask, what is the proper way to use hyper_tls in Android?

astonbitecode commented 6 years ago

Maybe it is worth mentioning that even turning off the certificates validation via native_tls does not help...

Using the following code:

```rust
use hyper::Client;
use hyper::client::HttpConnector;
use hyper_tls::HttpsConnector;
// `builder_mut()` on the native-tls builder comes from this OpenSSL-backend extension trait.
use native_tls::backend::openssl::TlsConnectorBuilderExt;

// Turn off certificate verification at the OpenSSL level.
let mut tls_connector_builder = native_tls::TlsConnector::builder()?;
tls_connector_builder.builder_mut().builder_mut().set_verify(openssl::ssl::SSL_VERIFY_NONE);
let tls_connector = tls_connector_builder.build()?;
// The inner connector must be the plain HttpConnector. The tuple originally held
// `HttpsConnector::new(4, &handle)?`, so that inner connector's default TlsConnector
// performed (and failed) the certificate verification before this one was ever used.
let mut ct = HttpsConnector::from((HttpConnector::new(4, &handle), tls_connector));
ct.danger_disable_hostname_verification(true);
let client = Client::configure()
    .connector(ct)
    .build(&handle);
```

I still get: "Io(Error { repr: Custom(Custom { kind: Other, error: Ssl(ErrorStack([Error { code: 336134278, library: \"SSL routines\", function: \"ssl3_get_server_certificate\", reason: \"certificate verify failed\", file: \"s3clnt.c\", line: 1269 }])) }) })"

On the one hand the verification is off in native_tls, and yet somehow the validation is still taking place...

Isn't this strange? Am I making any wrong assumptions?

bchallenor commented 6 years ago

If you're using Termux (rather than writing a standalone app) you can use the openssl-probe crate to find the CA certificates. I haven't tried using it outside of Termux.

astonbitecode commented 6 years ago

I am not using Termux unfortunately... I am building an app that calls a Rust native library which has OpenSSL statically linked. I have manually tried to load the certificates located under /system/etc/security/cacerts and /data/misc/keychain/cacerts-added with no luck.

I actually even tried to load and use a self-signed DER and the results were the same... This works in a Linux environment but not in Android...

bchallenor commented 6 years ago

Ah right, yes, the advantage of Termux is that it ships its own PEM file. There is a PR against native-tls to read the Android system certs but I'm not sure why it wasn't merged.

astonbitecode commented 6 years ago

So I guess this is the way to go. At least this is the only thing that worked for me:

Having a PEM file included with my app, plus setting the env var SSL_CERT_FILE to the path of that file. OpenSSL takes care of the rest...

A bit hacky but works.

Thanks @bchallenor for taking the time to respond.
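The SSL_CERT_FILE approach from the last comment needs one PEM bundle, whereas the device store is a directory of individual certificate files. As an added example (not code from the thread or from hyper-tls), this script builds such a bundle from a cacerts-style directory; it assumes OpenSSL reads SSL_CERT_FILE as a single PEM bundle and that the Android cacerts layout is hash-named files each holding a PEM block followed by a text dump.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the single PEM bundle that OpenSSL's
# SSL_CERT_FILE expects from a directory of individual PEM certificates laid out like
# Android's /system/etc/security/cacerts (hash-named files, each a PEM block followed by
# a human-readable dump). Only the BEGIN..END sections are copied, so the dump is dropped.
# make_ca_bundle <cert_dir> <out_file>  -> prints the number of certificates bundled
make_ca_bundle() {
    cert_dir=$1
    out=$2
    : > "$out"
    for f in "$cert_dir"/*; do
        [ -f "$f" ] || continue
        sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$f" >> "$out"
    done
    # grep -c exits non-zero on zero matches, so an empty bundle is a visible failure.
    grep -c '^-----BEGIN CERTIFICATE-----$' "$out"
}

# Constructed sample store: two placeholder files in the cacerts layout. The base64 body
# is a dummy string, not a real certificate; a real run would point at the device store.
demo_dir=$(mktemp -d)
for name in 00000001.0 00000002.0; do
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'UExBQ0VIT0xERVI=' \
        '-----END CERTIFICATE-----' 'Certificate:' '    Data: (text dump)' > "$demo_dir/$name"
done
demo_bundle=$(mktemp)
count=$(make_ca_bundle "$demo_dir" "$demo_bundle")
echo "bundled $count certificates into $demo_bundle"
# The app then points OpenSSL at the bundle instead of disabling verification:
#   SSL_CERT_FILE="$demo_bundle"
```

Pointing SSL_CERT_FILE at a bundle built this way keeps certificate verification enabled, unlike the SSL_VERIFY_NONE experiment earlier in the thread.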