Comments (14)
Hey,
apparently this is an issue with the Dart HTTP client: flutter/flutter#41781
As a workaround I could implement a popup asking the user if they want to trust that certificate in the future.
from paperless_app.
Hello,
I just started working on this issue and I have a question: Did you create your own CA and used that to create your server certificate? Should the CA certificate be saved by the app or rather the server certificate as a trust anchor?
from paperless_app.
I created my own CA for things on my local network, and made individual certificates for each device on it, all signed by the CA.
I've installed the CA cert on my phone via the Settings menu. If you want my opinion, you should use the certs from there; there's already a centralized store for certs so you might as well use it. Storing the cert in the app works but is annoying to do for every app.
from paperless_app.
Thanks for your explanation. This seems like a well thought-out setup.
> If you want my opinion, you should use the certs from there; there's already a centralized store for certs so you might as well use it. Storing the cert in the app works but is annoying to do for every app.
Yes, I agree. It's also annoying to implement since it's such a basic thing. And it just seems wrong to "reinvent" such security fundamentals myself. I'm not sure why it doesn't work out-of-the-box. The docs say it should, while the issue linked above (and your account) suggests it doesn't.
Maybe it can be fixed so that the OS trust store can be used but I would have to set up a testing environment for that kind of setup first to debug this.
from paperless_app.
I have the same issue: private CA authority, root CA installed on the phone, and I'm getting the same error as the OP. Any workaround for this?
from paperless_app.
Maybe I can help here. I don't have a private CA set up yet, although it's also on my radar.
In the meantime - I've added the network_security_config recommended for these system certs in this branch. Would either of you be willing to try this build and let us know if it fixes the issue?
Otherwise I'm willing to test myself but can't promise any timeframe.
from paperless_app.
> Maybe I can help here. I don't have a private CA set up yet, although it's also on my radar.
> In the meantime - I've added the network_security_config recommended for these system certs in this branch. Would either of you be willing to try this build and let us know if it fixes the issue?
> Otherwise I'm willing to test myself but can't promise any timeframe.
I just tested it out, didn't work.
from paperless_app.
Thanks, @abunasar. That's too bad, but it was worth a try...
I'll revisit this when I have the time. If you happen to poke around and solve it, please file a PR
from paperless_app.
Okay I've given it my best shot, but it looks like there's no way to easily do this right.
Currently Dart handles the underlying http client requests. I have found no way to get it to trust the system CA store on Android. Some answers suggest using the CA's fullchain in the web server's / proxy's configuration [1] [2]. I have not verified this as I truly don't care to set it up beyond what I've done already, and it is outside the scope of this app anyway.
Alternatively what I've pushed to this dev branch works with my self-signed CA, but it just blindly accepts all bad certificates. This is not ideal and IMO should not be a part of the main build. It would undermine the security of certs signed by legitimate CAs. I'll attach this working dev build for anyone who wants it despite the warning.
The last option I've seen is to manually include your root CA certificate in assets/ and pubspec, then set up Dio to compare bad certificates to that fingerprint. This requires building paperless_app yourself of course, but is the most complete and secure solution.
None of the above are great solutions. But as of writing it looks like an oversight of dart-lang rather than something Dio, Flutter, or this app can fix. I'll happily revisit if it's improved far upstream.
I welcome anyone else to take a crack at fixing this, it looks like you'd be helping dozens of devs at this point.
Trust ALL handshake failures build:
app-armeabi-v7a-release.zip
from paperless_app.
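The bundled-root-CA option from the comment above, sketched as an added example that is not code from paperless_app or its authors: instead of comparing fingerprints in a bad-certificate callback, it adds the private CA to a `dart:io` `SecurityContext`, so chain, hostname and expiry validation stay on. The function names and the PEM file path are hypothetical; in a Flutter build the PEM bytes would come from an asset declared in pubspec.

```dart
// Added example (not paperless_app code). Function names and the CA file
// path are hypothetical; only dart:io is used, no Dio.
import 'dart:io';

/// Contrast case: the behaviour of the "trust ALL handshake failures" build.
/// Every certificate error is accepted, so any TLS endpoint is trusted.
HttpClient trustAllClient() =>
    HttpClient()..badCertificateCallback = (cert, host, port) => true;

/// Keeps Dart's default roots and additionally trusts one private root CA.
/// badCertificateCallback is left unset, so expired, mismatched or
/// unknown-issuer certificates still abort the handshake.
HttpClient privateCaClient(List<int> caPem) {
  final context = SecurityContext(withTrustedRoots: true)
    ..setTrustedCertificatesBytes(caPem);
  return HttpClient(context: context);
}

/// Performs one GET and reports whether the TLS handshake was accepted.
Future<String> probe(HttpClient client, Uri url) async {
  try {
    final request = await client.getUrl(url);
    final response = await request.close();
    await response.drain<void>();
    return 'TLS ok, HTTP ${response.statusCode}';
  } on HandshakeException catch (e) {
    return 'handshake rejected: ${e.message}';
  } finally {
    client.close(force: true);
  }
}

Future<void> main(List<String> args) async {
  if (args.length != 2) {
    stderr.writeln('usage: dart run private_ca.dart <ca.pem> <https-url>');
    exit(64);
  }
  // Assumption: args[0] is the PEM-encoded root CA that signed the server cert.
  final caPem = await File(args[0]).readAsBytes();
  print(await probe(privateCaClient(caPem), Uri.parse(args[1])));
}
```

Pointing the same probe at a server signed by a different CA should report a rejected handshake, which is the check that distinguishes this client from `trustAllClient()`.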
Just a side note, it also doesn't work with letsencrypt and sectigo positivessl certs lol
from paperless_app.
I cannot confirm this. Let's Encrypt works fine here. Can you email me the URL of your server (or post it here if you don't mind)?
from paperless_app.
Sorry, by
> It would undermine the security of certs signed by legitimate CA's
I guess I meant certificates Dart already considers valid on Android.
from paperless_app.
EDIT: I just re-read your above posts and found that it looks like you tried this, sorry!
@bauerj @qcasey Sorry to necro this, but I think this may have something to do with a change that was introduced in Android 7 whereby apps have to opt-in to accepting User CA Certs:
https://textslashplain.com/2016/07/27/using-fiddler-with-ios-10-and-android-7/
https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html
I don't have an Android device with 6 or older to test with, so I can't confirm, but I can see that there doesn't appear to be a network-security-config file in the source tree, leading me to believe that it doesn't look like this app is opting in.
https://flutter.dev/docs/release/breaking-changes/network-policy-ios-android
Is this something that can be quickly tested? I'm by no means an Android or Flutter expert / dev but this would be much appreciated if it is this easy!
from paperless_app.
Hey
Indeed, it seems like @qcasey already tried that to no avail
I'm sorry that we still can't offer a solution to this but it looks like it's up to the Flutter developers to solve.
from paperless_app.