I've installed this plugin but when testing it, it always goes to the successCallback. I'm deliberately intercepting the calls using a proxy on the phone to a PC with Fiddler. I'm even adding a timestamp to the URL so make sure it's unique and not cached somehow.

When I check the fingerprint, it gives the Fiddler certificate's one, which does not equal my expected fingerprints.

I'm using Cordova CLI 6.5.0, this plugin version 5.1.0, (Ionic) app on IOS 10

Maybe its related to Issue #43?

Hi,

I've tested a number of domain and fingerprint combinations and the only one that seems to work is the demo url https://build.phonegap.com.

window.plugins.sslCertificateChecker.check(function(m) {console.log(m);}, function(m) {console.log(m);}, "https://build.phonegap.com", "2B 24 1B E0 D0 8C A6 41 68 C2 BB E3 60 0A DF 55 1A FC A8 45");

Others I have tested:

https://github.com
window.plugins.sslCertificateChecker.check(function(m) {console.log(m);}, function(m) {console.log(m);}, "https://github.com", "‎A0 C4 A7 46 00 ED A7 2D C0 BE CB 9A 8C B6 07 CA 58 EE 74 5E");

https://www.google.co.nz
window.plugins.sslCertificateChecker.check(function(m) {console.log(m);}, function(m) {console.log(m);}, "https://www.google.co.nz", "‎77 FF 51 51 BB 5F B7 16 24 53 A7 C5 5B 54 E0 AD 7F 7E 5F 66");

https://www.grc.com
window.plugins.sslCertificateChecker.check(function(m) {console.log(m);}, function(m) {console.log(m);}, "https://www.grc.com", "12 91 D8 D9 E4 9F 14 AB DE E3 D5 9C 42 F6 AF 61 FE F4 0E 05 D7 CC 4B 43 A0 D0 ED F7 32 B7 1B EA");

They all return "CONNECTION_NOT_SECURE" on both Android (Samsung S6 5.1.1) and iOS (iPad 9.2.1).

The test application was created in phoneGapBuild first using cli 5.2.0 and then 3.7.0. Using version 5.0.0 of the plugin, source npm.

Any help greatly appreciated.
Steve.

Plugin version 6.0.0 & Devices are not asus ZENFONE

RESULT always return CONNECTION_NOT_SECURE

*** Found Problem when FingerPrint is self-sign certificate

any one had problem like me ?

I use phonegap build 2.9 and your sample code

Usage
https://github.com/EddyVerbruggen/SSLCertificateChecker-PhoneGap-Plugin

but in mobile，when I execute it，it always alert wrong message
"CONNECTION_FAILED"
I am very sure that the js file is completly loaded and my 3G or Wifi network is very well

Context / Challenge

CAs are required to replace misissued TLS certificates (e.g. organization name exceeding 64 characters, short serial number, etc) in less than 5 days. Replacing a certificate usually means the CA to reissue the certificate with the same subject public key and corrected fields and revoke the previous certificate.

In this period, sysadmins have to replace the old certificate by the new one (no need to generate new key pairs and/or CSR as the public key is the same).

If an app is doing certificate pinning, it has also to be updated with the new certificate (the certificate and respective certificate fingerprint is different). Depending on the app store program and the test complexity, the release cycle may take over 1 week and the roll out to end users is a gradual and slow process.

Therefore, this 5-days window is nearly impossible to meet without significant outages if doing certificate pinning.

Solution
In order to avoid the need for new app releases whenever a TLS certificate is replaced, this library should also support public key pinning.

Instead of pinning the certificate fingerprint, one would pin the fingerprint of the Subject Public Key Info (SPKI). The SPKI is the binary structure (DER encoded) of the public key and is present in several files: PKCS#8 key file, CSR and certificate.

Here follows the OpenSSL commands to obtain the fingerprint:

# Get public key fingerprint from a PKCS#8 file with the key pair
openssl rsa -in mytls.key -passin pass:myStr0ngP@s§w0rd -pubout -outform DER | openssl dgst -sha256

# Get public key fingerprint from the CSR (PEM format)
openssl req -in mytls.csr -pubkey -noout | openssl rsa -pubin -outform DER | openssl dgst -sha256

# Get public key fingerprint from the certificate (PEM format)
openssl x509 -in mytls.cer -noout -pubkey | openssl rsa -pubin -outform DER | openssl dgst -sha256

Further references

• Why public key hashes, not certificate hashes?
• OWASP Pinning Cheat Sheet
• RFC 7469 §2.4 Semantics of Pins

Since i've updated my plugin to 6.0.0 version, i always get CONNECTION_NOT_SECURE. Hope you check and resolve this issue :)

Hi,

I have problem similar to #21 on iOS9. When I make a loop for testing a bad fingerprint, 1st time it returns "CONNEXION_NOT_SECURE" (what I want), the next times "CONNEXION_SECURE" (why ?). Have you an idea where is the problem ?

Thanks,
Romain

Just tried this plugin with iOS10 beta with Xcode 8 beta and get the following error:

[] nw_coretls_read_one_record tls_handshake_process: [-9801]
[443:43552] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)

This plugin worked fine with iOS9, stopped working with iOS10 beta. Not sure why.

Will debug and post an update. Thanks

Firstly, thanks for the work on the plugin!

Am using Phonegap Build and having an issue with the PhoneGap SSL Certificate Checker plugin on iOS8. It only seems to fire once.

For example, I have a login and it successfully does the fingerprint check and returns a connection secure, works as expected. If I log out and try to log in again, the plugin does not work and it just cycles then get a 'CONNECTION_FAILED. Details: The request timed out.'

If i close the app and re-login it works once again. Is there a way I can reload/initialize the plugin?

I have also just downloaded X-Services-PhoneGap-Build-Plugins-Demo and it seems the behaviour is replicated.

Using PhoneGap Build version 3.5

Hello,
I am successfully using private static String getFingerprint() to verify if cerficaite is valid not not.

Additionally what is want is to verify if the certificate is trusted or not.

Is there any way to do this ?

How can I use this plugin. There is a way to use it without window.plugins since it is deprecated? Thanks

I note in the Android implementation that the connection has a setTimeout of 5 seconds (i.e. if a response is not received then a "CONNECTION_FAILED" is returned)
Is there an equivalent setting for iOS / Windows, or does it try indefinitely? If the value can be changed within the plugin code, are there any recommended ranges

It looks like the Java plugin only does SHA1 can this be expanded to do SHA-256

"You may want to check the connection when the app is started, but you can choose to invoke this plugin everytime you communicate with the server."

How would I use this the second way? I'd rather not have to make extra HTTP calls just to check the certs. Is there a way to have it automatically check them whenever it tries to make a connection?

Hi, I am looking for something like this for a project I'm working one. However, for my use-case, I'm concerned about targeted attacks, which could potentially be successful against this solution. I.e. the attacker could wait until the server is validated before adding the MITM server, circumventing the security check.

Any plans to address this? Essentially, I just need a short server response string as part of the callback.

I obtain that error

** BUILD FAILED **


The following build commands failed:
    CompileC build/SingleID.build/Release-iphoneos/XXXXXX.build/Objects-normal/armv7/SSLCertificateChecker.o XXXXXX/Plugins/nl.x-services.plugins.sslcertificatechecker/SSLCertificateChecker.m normal armv7 objective-c com.apple.compilers.llvm.clang.1_0.compiler
(1 failure)

with this line:
<preference name="phonegap-version" value="cli-6.1.0" /

But with this is all ok on IOS
<preference name='phonegap-version' value='cli-5.2.0' />

On android is fine any phonegap version.

Is there a setting or parameter which we can pass to specify the connection timeout for the window.plugins.sslCertificateChecker.check call?

Hi, currently, the only message is "CONNECTION_SECURE" or "CONNECTION_NOT_SECURE". Functions for getting the certificate details like issuer, period of validity, fingerprints etc can be added.

even with the example URL, from the phonegap server I get the message > CONECTION_NOT_SECURE, i used the correct fingerprint from the phonegap server.

    $ionicPlatform.ready(function(){
        var server = "https://build.phonegap.com";
        var fingerprint = "C6 2D 93 39 C2 9F 82 8E 1E BE FD DC 2D 7B 7D 24 31 1A 59 E1 0B 4B C8 04 6E 21 F6 FA A2 37 11 45";

        window.plugins.sslCertificateChecker.check(successCallback,errorCallback,server,fingerprint);

         function successCallback(message) {
           alert(message);
         }

         function errorCallback(message) {
           alert(message);
           if (message === "CONNECTION_NOT_SECURE") {
             // There is likely a man in the middle attack going on, be careful!
           } else if (message.indexOf("CONNECTION_FAILED") >- 1) {
             // There was no connection (yet). Internet may be down. Try again (a few times) after a little timeout.
           }
         }
   })

i compiled on android device.
any suggestion? ?

Hi Eddy,

I am receiving this error after installing the plugin.

I am using AngularJS and Ionic for my application.

.run(function($ionicPlatform) {
  var server = "https://example.com";
  var fingerprint = "17 27 60 87 8B F5 5D 8D 1D 8E 15 D0 21 C4 57 AC F7 62 62 7A"; // valid until sep 2014

  $ionicPlatform.ready(function() {
    window.plugins.sslCertificateChecker.check(
          successCallback,
          errorCallback,
          server,
          fingerprint);
  });

   function successCallback(message) {
     alert(message);
     // Message is always: CONNECTION_SECURE.
     // Now do something with the trusted server.
   }

   function errorCallback(message) {
     alert(message);
     if (message == "CONNECTION_NOT_SECURE") {
       // There is likely a man in the middle attack going on, be careful!
     } else if (message == "CONNECTION_FAILED") {
       // There was no connection (yet). Internet may be down. Try again (a few times) after a little timeout.
     }
   }
})

Have you come across this problem before?

Even if it is possible to include 2 fingerprints in the call to check the certificate presented by a server, this requires that a renewed certificate is created in advance, its fingerprint is included in the code of the mobile application and that the mobile application is deployed to all users before the new certificate can be installed on the server. I find that this creates too many constraints.

I would suggest that the plugin is extended to be able to check for the fingerprint of any certificate in the certificate chain presented by the server. This would allow certificate pinning to the certificate of a specific issuing CA (usually with a longer validity period). As long as server certificates are issued by the same trusted CA, this could give a good enough level of security while reducing considerably the need to update mobile applications with updated certificate fingerprints.

I already have some code working for Android and iOS. The plugin could be extended with another method (checkInCertChain) while leaving the ability to check specifically for the server certificate (check).
Before creating a pull request for it, are there comments in favor or against it?

Hi,

I try to validate certificate using iis dev certificate (expecting error callback) and a expired certificate.
In Android it works fine, but on ios 8 the success callback is raised on every request.

• IOS 8.1
• Phonegap build

Some help?

Thanks.

NSURLConnection is caching even i disable the cache.

Created a fork and made changes and waiting for feedback. I am using NSURLSession instead of NSURLConnection.

https://github.com/crreddys/SSLCertificateChecker-PhoneGap-Plugin

@jacobweber @EddyVerbruggen can you guys take a look.

Hi,
When connecting to a server over SSL, the server's certificate needs to be checked on every single connection. This is always true, whether the check is the usual CA-based validation, or certificate pinning using the certificate's fingerprint; you can see that this how the native APIs on iOS and Android work.

This plugin's implementation however only provides a one-time check (by calling the check() function), which doesn't really add any security: someone trying to impersonate the server can let the connection for the initial cert pinning check go through to the real server, and then man-in-the-middle the subsequent connections which won't be checking the fingerprint again. Even if the App calls the check() function multiple times, the check will always apply to specific, fingerprint-checking SSL connections so the App's real SSL traffic will still be vulnerable.

All in all, this plugin does not really provide any additional security because if you want certificate pinning, the check needs to be performed for all connections. Let me know if that makes sense...

Hi,

I am getting the following error when using the plugin on Android :

CONNECTION_FAILED. Details: Permission denied (missing INTERNET permission?)

which is solved by adding the correct permission to AndroidManifest.xml :

<uses-permission android:name="android.permission.INTERNET" />

This should be done automatically when adding the plugin. I am creating a pull request for it.

I'm trying to integrate the plug-in in to my phonegap app. I followed all the steps. Its always giving me CONNECTION_NOT_SECURE message. Thinking that its an issue with our website, I tried other public websites. But I'm always getting CONNECTION_NOT_SECURE message. Any help would be highly appreciated.

I have included in the phonegap config.xml.

The following script in included in index.html

how to fix them?

If I run my app with valid sha1 fingerprint on android version 4.4.2 it still goes in the error call back. For android version above 4.4.2 it goes in success callback. Please assist.

var exec = require('cordova/exec');

how to fix them?

Hi ALL,

I got error window.plugins.sslCertificateChecker is undefined.please help me.

Thanks,

On second attempt to login, I get the error in the screenshot. Any idea how this can be resolved?

We have a phonegap app for iOS for which we are using this plugin. But the response from the plugin is coming after quite a lot of time. We are not sure on what changes needs to be done in the code. Please advise.

Hello,

Im executing the command (in ionic app):

 cordova plugin add cordova-plugin-sslcertificatechecker

But I keep getting the following error:

npm ERR! enoent ENOENT: no such file or directory, access '//node_modules/cordova-plugin-sslcertificatechecker'

npm ERR! enoent ENOENT: no such file or directory, access '//node_modules/cordova-plugin-sslcertificatechecker'
npm ERR! enoent This is most likely not a problem with npm itself
npm ERR! enoent and is related to npm not being able to find a file.
npm ERR! enoent

I'm not sure what the problem is, I did npm install cordova-plugin-sslcertificatechecker, also doesnt work, it gives me the same error as above.

Any help is appreciated.

Thank you.

my request is for the readme to have more information on the cases this plugin is useful.
in particular, Im researching if I need to use this plugin when loading my own secured website (with a non self-signed certificate). Doesnt chromium already protect against MITM in that case, asuming I havent overriden the webview ssl error handling?

Hello,

I am seeing a strange issue on iPhone only, where iPad works as expected.

I utilize the inAppBrowser to enable external authentication through a server I do not check the fingerprint of. If the browser is closed before external login is completed, the subsequent SSL check in my app using the plugin utilizes the fingerprint returned from the last URL in the inAppBrowser instead of the URL I provided to it.

I have verified this by logging the URL I send into the plugin method (window.plugins.sslCertificateChecker.check) and also logged the fingerprint the plugin checks in SSLCertificateChecker.m

I do not see any open issues with interactions between the inappbrowser and this plugin, can you provide some clarity about my scenario?

Thanks,

Not sure what is going on, but it's seems very odd. When stepping through the code in the simulator with version 5 of the plugin and an iOS 10.2 simulator the method above doesn't seem to be called. I've stopped and started the simulator rebuilt the app, waited over 3-4 hours but it never seems to go into the method and check the fingerprints, so it just continues on.

Does anyone have any idea what might be going on? Sadly I'm getting flak because my app doesn't seem to be checking the fingerprint of our cert : /

Thanks in advance

If you try to call the iOS plugin twice, to check two different servers, it overwrites its _allowedFingerprint and _allowedFingerprintAlt properties the second time. So if the first check hasn't completed by the time the second starts, it will fail.

Haven't tried the Android plugin to see if it has the same problem.

Because this is a feature that doesn't offer a secure protection against MitM attacks. I know that folks use this with that fact in mind but I don't want to actively promote such usage. Use plugin version 4.0.0 or lower if you need to nonetheless.

Just not doing anything, running on phonegap 3.4 on iOS 6.1

here is console log when i try to make calls via the console. No alerts pop up, no errors, no nothing other then an undefined return.

successCallback('test'); pops up an alert. so does errorCallback('test');

window.plugins.sslCertificateChecker.check(
successCallback,
errorCallback,
"https://google.com",
"‎9b 4c 03 99 61 82 4f ec ea 00 61 7b 87 9b 6b c7 ce 10 bf 09");
undefined
window.plugins.sslCertificateChecker.check;
function (successCallback, errorCallback, serverURL, allowedSHA1Fingerprint, allowedSHA1FingerprintAlt) {
if (typeof errorCallback != "function") {
console.log("SSLCertificateChecker.find failure: errorCallback parameter must be a function");
return
}

if (typeof successCallback != "function") {
console.log("SSLCertificateChecker.find failure: successCallback parameter must be a function");
return
}
cordova.exec(successCallback, errorCallback, "SSLCertificateChecker", "check", [serverURL, allowedSHA1Fingerprint, allowedSHA1FingerprintAlt]);
}
successCallback;
function successCallback(message) {
alert(message);
// Message is always: CONNECTION_SECURE.
// Now do something with the trusted server.;
}
errorCallback;
function errorCallback(message) {
alert(message);
if (message == "CONNECTION_NOT_SECURE") {
// There is likely a man in the middle attack going on, be careful!

 } else if (message == "CONNECTION_FAILED") {
   // There was no connection (yet). Internet may be down. Try again (a few times) after a little timeout.

 }

}

I am using PGB 3.3 with your latest plugin 3.2 and as same as your sample code

in Android 4.0.3，it will show，CONNECTION_FAILED.Details: null
in ios 7.0.6，it will show，CONNECTION_SECURE

I think probably this problem
http://community.phonegap.com/nitobi/topics/the_ssl_certificate_seem_have_some_problem?rfm=1

Version 6.0, on Android. Does not affect iOS.

I am facing the issue with Kitkat 4.4.2.
It gives following error:
CONNECTION_FAILED Details: SSL handshake aborted: ssl=0x646455e0: I/O error during system call; Connection reset by peer.

For OS above 4.4.2, it goes inside successCallback() function with a message Connection_Secure.
But for 4.4.2, it goes inside errorCallback() function.
Kindly suggest / do the needful.

The first check passes correctly. The following check works correctly only if the certificate is valid. If the certificate is not correct, then there is a delay, about a minute.

When I use this to check a single cert on Android 4.1.2, on several devices, I get an error "Attempted to send a second callback for ID: SSLCertificateChecker778333821":

D/CordovaWebViewClient( 4347): onPageStarted(file:///android_asset/www/index.html)
D/CordovaActivity( 4347): onMessage(onPageStarted,file:///android_asset/www/index.html)
D/CordovaWebViewClient( 4347): onPageFinished(file:///android_asset/www/index.html)
D/CordovaActivity( 4347): onMessage(onPageFinished,file:///android_asset/www/index.html)
D/CordovaActivity( 4347): onMessage(spinner,stop)
D/CordovaNetworkManager( 4347): Connection Type: wifi
D/CordovaNetworkManager( 4347): Connection Extra Info: null
D/CordovaNetworkManager( 4347): Connection Type: wifi
D/CordovaNetworkManager( 4347): Connection Extra Info: null
D/CordovaActivity( 4347): onMessage(networkconnection,wifi)
W/CordovaPlugin( 4347): Attempted to send a second callback for ID: SSLCertificateChecker778333821
W/CordovaPlugin( 4347): Result was: "Invalid action"

Haven't tried it, but there's some info here:
http://stackoverflow.com/questions/25483286/cordova-how-to-write-native-plugins-that-can-repeatedly-invoke-a-javascript-cal

• Crashes at [-check:(CDVInvokedUrlCommand*)command] call, when building for architecture 64-bit

Conf : Xcode Version 5.0
When I run my app, build failed with 3 error :
Undinined symbols for architecture armv7
"_SetCertificateCopyData", referenced from :
-[SSLCertificateChecker getFingerprint:] in SSLCertificateChecker.o
"_Set<TrustGetCertificateAtIndex", referenced from :
-[SSLCertificateChecker connection:willSendRequestForAuthentificationChallange :] in SSLCertificateChecker.o
ld: symbol(s) not found for architecture armv7
clang: error: linker command failed with exit code 1(use -v to see invocation)

Please how can I fixed that ?

thx.

With a builded app on iOS I keep receiving the case CONNECTION_FAILED builded by Phonegap Build cli 6.3.0. It works fine on Android but not on iOS. Anything I'm missing?

I installed plugin using phonegap CLI and plugin is always triggering success handler for error and for success state.

In plugin source code i can see that success function is invoked on callbackContext in every case.