
Comments (14)

bauerj avatar bauerj commented on May 18, 2024

Hey,

apparently this is an issue with the Dart HTTP client: flutter/flutter#41781

As a workaround I could implement a popup asking the user if they want to trust that certificate in the future.

from paperless_app.

bauerj avatar bauerj commented on May 18, 2024

Hello,

I just started working on this issue and I have a question: Did you create your own CA and use that to create your server certificate? Should the CA certificate be saved by the app or rather the server certificate as a trust anchor?

from paperless_app.

ColonelThirtyTwo avatar ColonelThirtyTwo commented on May 18, 2024

I created my own CA for things on my local network, and made individual certificates for each device on it, all signed by the CA.

I've installed the CA cert on my phone via the Settings menu. If you want my opinion, you should use the certs from there; there's already a centralized store for certs so you might as well use it. Storing the cert in the app works but is annoying to do for every app.

from paperless_app.

bauerj avatar bauerj commented on May 18, 2024

Thanks for your explanation. This seems like a well thought-out setup.

> If you want my opinion, you should use the certs from there; there's already a centralized store for certs so you might as well use it. Storing the cert in the app works but is annoying to do for every app.

Yes, I agree. It's also annoying to implement since it's such a basic thing. And it just seems wrong to "reinvent" such security fundamentals myself. I'm not sure why it doesn't work out-of-the-box. The docs say it should, while the issue linked above (and your account) suggests it doesn't.

Maybe it can be fixed so that the OS trust store can be used but I would have to set up a testing environment for that kind of setup first to debug this.

from paperless_app.

rufftruffles avatar rufftruffles commented on May 18, 2024

I have the same issue, private CA authority, root CA installed in phone device and I'm getting the same error as the OP. Any workaround for this?

from paperless_app.

qcasey avatar qcasey commented on May 18, 2024

Maybe I can help here. I don't have a private CA set up yet, although it's also on my radar.

In the meantime - I've added the network_security_config recommended for these system certs in this branch. Would either of you be willing to try this build and let us know if it fixes the issue?

app-armeabi-v7a-release.zip

Otherwise I'm willing to test myself but can't promise any timeframe.

from paperless_app.

rufftruffles avatar rufftruffles commented on May 18, 2024

> Maybe I can help here. I don't have a private CA set up yet, although it's also on my radar.
>
> In the meantime - I've added the network_security_config recommended for these system certs in this branch. Would either of you be willing to try this build and let us know if it fixes the issue?
>
> app-armeabi-v7a-release.zip
>
> Otherwise I'm willing to test myself but can't promise any timeframe.

I just tested it out, didn't work.

Screenshot:
Screenshot_20201229-055413

from paperless_app.

qcasey avatar qcasey commented on May 18, 2024

Thanks, @abunasar. That's too bad, but it was worth a try...

I'll revisit this when I have the time. If you happen to poke around and solve it, please file a PR 😃

from paperless_app.

qcasey avatar qcasey commented on May 18, 2024

Okay I've given it my best shot, but it looks like there's no way to easily do this right.

Currently Dart handles the underlying http client requests. I have found no way to get it to trust the system CA store on Android. Some answers suggest using the CA's fullchain in the web server's / proxy's configuration [1] [2]. I have not verified this as I truly don't care to set it up beyond what I've done already, and it is outside the scope of this app anyway.

Alternatively what I've pushed to this dev branch works with my self-signed CA, but it just blindly accepts all bad certificates. This is not ideal and IMO should not be a part of the main build. It would undermine the security of certs signed by legitimate CA's. I'll attach this working dev build for anyone who wants despite the warning.

The last option I've seen is to manually include your root CA certificate in assets/ and pubspec, then set up Dio to compare bad certificates to that fingerprint. This requires building paperless_app yourself of course, but is the most complete and secure solution.

None of the above are great solutions. But as of writing it looks like an oversight of dart-lang rather than something Dio, flutter, or this app can fix. I'll happily revisit if it's improved far upstream.

I welcome anyone else to take a crack at fixing this, it looks like you'd be helping dozens of devs at this point.

Trust ALL handshake failures build:
app-armeabi-v7a-release.zip

from paperless_app.
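The difference between the "trust all" dev build and the pinned-certificate option described in the comment above, sketched with plain dart:io as an added example (not code from paperless_app or Dio). The function names, the expected host and the PEM value are assumptions; in the app the PEM would come from the asset the user bundles.

```dart
import 'dart:convert';
import 'dart:io';
import 'dart:typed_data';

// Decode the first certificate in a PEM string to its DER bytes.
Uint8List pemToDer(String pem) {
  final body = pem
      .split('\n')
      .map((l) => l.trim())
      .skipWhile((l) => l != '-----BEGIN CERTIFICATE-----')
      .skip(1)
      .takeWhile((l) => l != '-----END CERTIFICATE-----')
      .join();
  return base64.decode(body);
}

// Byte comparison that does not return early on the first mismatch.
bool sameBytes(List<int> a, List<int> b) {
  if (a.length != b.length) return false;
  var diff = 0;
  for (var i = 0; i < a.length; i++) {
    diff |= a[i] ^ b[i];
  }
  return diff == 0;
}

// Blind acceptance: every certificate that fails validation is accepted,
// for every host, so an interception proxy's certificate passes too.
HttpClient blindClient() {
  final client = HttpClient();
  client.badCertificateCallback = (cert, host, port) => true;
  return client;
}

// Pinned: a certificate that fails validation is accepted only when it is
// byte-identical to the bundled one and the request is for the expected host.
HttpClient pinnedClient(String pinnedPem, String expectedHost) {
  final pinned = pemToDer(pinnedPem);
  final client = HttpClient();
  client.badCertificateCallback = (X509Certificate cert, String host, int port) =>
      host == expectedHost && sameBytes(cert.der, pinned);
  return client;
}

void main() {
  // Constructed placeholder bytes, not a real certificate: exercises only
  // the decode-and-compare path, with no network access.
  const pem = '-----BEGIN CERTIFICATE-----\nAQIDBA==\n-----END CERTIFICATE-----';
  print(sameBytes(pemToDer(pem), [1, 2, 3, 4]));
}
```

Certificates that already validate never reach the callback, so the pinned variant leaves publicly trusted certificates untouched while the blind variant removes the check for everything that fails.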

rufftruffles avatar rufftruffles commented on May 18, 2024

Just a side note, it also doesn't work with letsencrypt
and sectigo positivessl certs lol

from paperless_app.

bauerj avatar bauerj commented on May 18, 2024

I cannot confirm this. Let's Encrypt works fine here. Can you email me the URL of your server (or post it here if you don't mind)?

from paperless_app.

qcasey avatar qcasey commented on May 18, 2024

Sorry, by

> It would undermine the security of certs signed by legitimate CA's

I guess I meant certificates dart already considers valid on Android.

from paperless_app.

nroach44 avatar nroach44 commented on May 18, 2024

EDIT: I just re-read your above posts and found that it looks like you tried this, sorry!

@bauerj @qcasey Sorry to necro this, but I think this may have something to do with a change that was introduced in Android 7 whereby apps have to opt-in to accepting User CA Certs:

https://textslashplain.com/2016/07/27/using-fiddler-with-ios-10-and-android-7/
https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html

I don't have an Android device with 6 or older to test with, so I can't confirm, but I can see that there doesn't appear to be a network-security-config file in the source tree, leading me to believe that it doesn't look like this app is opting in.

https://flutter.dev/docs/release/breaking-changes/network-policy-ios-android

Is this something that can be quickly tested? I'm by no means an Android or Flutter expert / dev but this would be much appreciated if it is this easy!

from paperless_app.

bauerj avatar bauerj commented on May 18, 2024

Hey 👋

Indeed, it seems like @qcasey already tried that to no avail 😕

I'm sorry that we still can't offer a solution to this but it looks like it's up to the Flutter developers to solve.

from paperless_app.
