Suppress HTTPS filtering error notification for the apps that use pinning techniques

[TheHasagi]

Somehow from time to time user will receive a notification (see attachment) about HTTPS filtering error that some application does not accept our certificate. It can not be reproduced easily but it does exist.

[ameshkov]

Does the user have HTTPS filtering enabled for Outlook? We don't filter it by default

[TheHasagi]

I guess not, can be reproduced with default settings (after a clean install of the application).

[Eugene-Savenko]

If this can help, please find the logs here: 2307731

[TheHasagi]

New logs in ncloud.

[3xploiton3]

I move cert adguard to system,

[Murgeye]

For me it really is not "from time to time" but constantly and it completely breaks HTTP Filtering.

[Chinaski1]

@Murgeye

I suppose this is your mail to support - 2354792
Thanks for the provided logs.
Added to NCloud

[Murgeye]

@Murgeye

I suppose this is your mail to support - 2354792
Thanks for the provided logs.
Added to NCloud

Yes it is, sorry, I forgot to mention it here after sending in a support request.

Btw., there seems to be no good way to work around this bug(?) in Beta except by adding every single App or Domain to the whitelist. Disabling the notifications in the low level settings causes some Apps to be unable to open any TLS connections at all.

[ameshkov]

Some of the apps do TLS pinning and HTTPS filtering won't work for them.

Ideally, you should disable HTTPS filtering for such apps.

[ameshkov]

@AdguardTeam/developers I think we should have a list of apps known for using TLS pinning and suppress this notification for them.

We should expose this list via low-level settings to make it transparent to the users.

[Murgeye]

What was the default behavior before the notification was added? I haven't seen this notification before the last beta update, but had no problems with the same applications. I find it highly unlikely that almost all apps have suddenly started using certificate pinning for domains like crashlytics.com.

Additionally, I was able to use all of them without in-app ads before.

[Murgeye]

BTW., the exclude domain button from the notification does not seem to work for me, as it always overrides the last domain added to the HTTPS whitelist. (Therefore, you can only always add a single domain to the whitelist and it is getting replaced by the next one.)

[AlfredSpijker]

I can confirm the issue Murgeye mentioned above. Running latest beta 3.3.2.
Is it better to report this separately somewhere else?

[Murgeye]

The bug was present in 3.3 beta 1 as well by the way.

[artemiv4nov]

This bug will be fixed in beta 3.

[ameshkov]

So here's what we have here:

1. We should add a new low-level setting pref.https.ignore.filtering.error with the list of apps that are known to use pinning techniques (@artemiv4nov plz post the exact list)
2. We should fix the "exclude" buttons: Suppress HTTPS filtering error notification for the apps that use pinning techniques #3052 (comment)