ktorio / ktor

Framework for quickly creating connected applications in Kotlin with minimal effort
https://ktor.io
Apache License 2.0

Ktor does not honor NSAppTransportSecurity in iOS #1671

Closed trondat closed 4 years ago

trondat commented 4 years ago

Using Ktor client version 1.3.1 on iOS 13.3

In iOS, using Kotlin multiplatform, Ktor does not seem to respect the setting in info.plist regarding NSAppTransportSecurity. This results in Ktor throwing an exception when trying to reach an SSL site with a self-signed certificate.

To reproduce, client code:

import io.ktor.client.HttpClient
import io.ktor.client.engine.ios.Ios
import io.ktor.client.request.get

internal suspend fun performHttp(url: String): String {
    // URL is a self-signed HTTPS request; the engine is used with no configuration
    val client = HttpClient(Ios)
    val response = client.get<String>(url)
    println(response)
    return response
}

info.plist file

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
        <key>mydomain.com</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSIncludesSubdomains</key>
            <true/>
        </dict>
    </dict>
</dict>

A call to performHttp("https://www.mydomain.com") results in:

2020-02-24 13:53:26.325809+0100 ND Mobile[305:28598] TIC SSL Trust Error [42:0x280afdec0]: 3:0
2020-02-24 13:53:26.355533+0100 ND Mobile[305:28598] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9807)
2020-02-24 13:53:26.355624+0100 ND Mobile[305:28598] Task <D668563E-AD5B-466F-B69B-03A5047ABA96>.<1> HTTP load failed (error code: -1202 [3:-9807])
2020-02-24 13:53:26.357030+0100 ND Mobile[305:28598] Task <D668563E-AD5B-466F-B69B-03A5047ABA96>.<1> finished with error - code: -1202
2020-02-24 13:53:26.359827+0100 ND Mobile[305:28292] Task <D668563E-AD5B-466F-B69B-03A5047ABA96>.<1> load failed with error Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “www.mydomain.com” which could put your confidential information at risk."

Expected behavior: with the settings in the info.plist file, the Ktor client should ignore the non-trusted SSL cert.

danailalexiev commented 4 years ago

Any suggestions for a workaround for self-signed certificate handling on iOS?

trondat commented 4 years ago

The workaround so far was to export the internal root CA as a pem file, email it to my iPhone, install it and trust it (medium.com/collaborne-engineering/…). This is only good for development, it's not practical for production.

danailalexiev commented 4 years ago

I was thinking about creating a custom HttpClientEngine implementation that is basically a copy of the existing one and adding the challenge logic to the delegate.

Not sure if it's going to work though.

e5l commented 4 years ago

Hi @trondat, the custom certificates can be handled with handleChallenge in IosClientEngineConfig in 1.3.2.
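An added example, not code from this issue or from Ktor itself, showing the handleChallenge hook from Ktor 1.3.2 used the way a practitioner would want it in a shared client: the self-signed certificate is accepted only for one assumed development host (DEV_HOST, a constructed name) and only in debug binaries, and every other challenge falls back to the system's default trust evaluation. devClient and performHttp are assumed names.

```kotlin
import io.ktor.client.HttpClient
import io.ktor.client.engine.ios.Ios
import io.ktor.client.request.get
import platform.Foundation.NSURLAuthenticationMethodServerTrust
import platform.Foundation.NSURLCredential
import platform.Foundation.NSURLSessionAuthChallengePerformDefaultHandling
import platform.Foundation.NSURLSessionAuthChallengeUseCredential
import platform.Foundation.create
import kotlin.native.Platform

// Constructed development host whose self-signed certificate is tolerated.
private const val DEV_HOST = "dev.mydomain.local"

// ATS exceptions in Info.plist only relax transport policy (plain HTTP,
// legacy TLS versions); they never make NSURLSession trust an invalid
// certificate. Trust decisions arrive as a server-trust challenge on the
// session delegate, which is what IosClientEngineConfig.handleChallenge exposes.
internal fun devClient(): HttpClient = HttpClient(Ios) {
    engine {
        handleChallenge { _, _, challenge, completionHandler ->
            val space = challenge.protectionSpace
            val serverTrust = space.serverTrust
            if (Platform.isDebugBinary &&
                space.authenticationMethod == NSURLAuthenticationMethodServerTrust &&
                space.host == DEV_HOST &&
                serverTrust != null
            ) {
                // Debug builds, dev host only: accept the presented server trust.
                completionHandler(
                    NSURLSessionAuthChallengeUseCredential,
                    NSURLCredential.create(trust = serverTrust)
                )
            } else {
                // Any other host, or a release build: unchanged system trust evaluation.
                completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, null)
            }
        }
    }
}

internal suspend fun performHttp(url: String): String {
    val client = devClient()
    try {
        return client.get<String>(url)
    } finally {
        client.close()
    }
}
```

A release build never enters the accepting branch, so a misconfigured DEV_HOST cannot silently weaken certificate validation in production.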