Domain-specific certificate trust issues #2101

Closed
ghost opened this issue Jun 2, 2022 · 20 comments

ghost commented Jun 2, 2022

No description provided.

@kokukyocho
Collaborator

Hello @arm64-v9a!

I am a bot 🤖

Thanks for submitting this issue!
The issue you submitted does not follow the template for either a bug or a feature request.
Restore the questions that you removed or changed and the issue will be automatically re-opened afterwards.
Please DO NOT spam the issue tracker with new issues.

If this is not an issue nor a feature request and you want to start a discussion then you can use GitHub Discussions.

kokukyocho added the missing-issue-template, bug and needs-triage labels and removed the missing-issue-template label Jun 2, 2022
kokukyocho reopened this Jun 2, 2022

buawf commented Jun 3, 2022

When accessing .google. .youtube. .android. domains, Bromite does not trust AdGuard's CA certificate, this problem is limited to 102.0.5005.67, 101.0.4951.69 is normal

Indeed I too have the same issue.

What happens when You 'Only' Disable Https Filtering for Bromite via Apps Management in AdGuard for Android App ?


Disqu3-mirOir-qt commented Jun 4, 2022

AdGuard certificate installed as system or user certificate?

I used AdGuard and don't have any issue (user store)

Collaborator

uazo commented Jun 4, 2022

and there is a problem when there is a system certificate

For AdGuard, is there a difference in functionality between using the system or user certificate?

Collaborator

uazo commented Jun 4, 2022

to provide URL filtering for all applications

I'm sorry, I don't understand: if you use the user certificate instead, is it not applied to all applications?
Or do you mean system applications? In that case, could you give some examples?

Contributor

csagan5 commented Jun 4, 2022

This error is due to HSTS pre-loaded certificates; you can query them from chrome://net-internals#hsts; what was the result of this test with Chromium?

Contributor

csagan5 commented Jun 4, 2022

Vanilla Chromium doesn't seem to have certificate trust issues, although it doesn't have the flags disabling certificate transparency and allowing user certificates

Does AdGuard work with Vanilla Chromium?


buawf commented Jun 4, 2022

Bromite can access Google domains normally, but AdGuard's ability to remove ads is greatly reduced

Are You using AdGuard App with DNS Filtering enabled ?

If Yes, then which filtering Mode is selected; Normal DNS/DoH/DoT (non-system wide, inside the App DoT)/ or DoQ ?

Contributor

csagan5 commented Jun 5, 2022

@uazo this also seems to come from Enable-Certificate-Transparency.patch

@Disqu3-mirOir-qt

https://github.com/AdguardTeam/adguardcert


Nemris commented Jun 5, 2022

The Magisk module looks interesting but, while I'll look into it to replace the other systemless certificate installation I'm using, it won't help in case of devices that use legacy rooting methods.


Nemris commented Jun 7, 2022

@arm64-v9a Might be just me, but I didn't notice any slowdown on a SM-A405FN.


Nemris commented Jun 7, 2022

What about force-stopping Bromite or Chrome? My Mi 10 takes 6-15 seconds for UI to appear (cold boot only) and some Chromium that is not in scope has no such issue

I just tried - and launching Bromite is near-instantaneous as usual. The tab loads slowly - possibly as usual again, given the infamous connectivity around here.


Nemris commented Jun 7, 2022

uh, forgive my typo, actually I mean the tabs too, it can't be a network issue, even the mixplorer webdav at http://localhost:8181 takes a long time to load

Now I can reproduce it as well, yes. Good point - so the only proper solution would be on Bromite's end.


buawf commented Jun 7, 2022

takes a long time to load

Could this be because of checking for Adblock Filter updates at the start of Bromite ?

Or, the Check for Bromite's Browser Updates auto-check ?

Did You try disabling One &/or Both at a time and checked ?

Contributor

csagan5 commented Jun 8, 2022

@arm64-v9a this is a version compiled without the certificate transparency patch: https://fdroid.bromite.org/fdroid/bromite/arm64_ChromePublic_noct.apk

Can you still reproduce this issue with this?

Contributor

csagan5 commented Jun 11, 2022

Ok, that confirms that the Enable-Certificate-Transparency.patch is responsible; @arm64-v9a please check whether the problem is still reproducible in the latest release 102.0.5005.96; I expect it to be reproducible.

@uazo I have rewritten the patch to remove the logic about "emergency CT" and to split some unrelated parts.

Contributor

csagan5 commented Jun 11, 2022

The problem happened again. After deleting domain security policies, static_spki_hashes can still be queried

Which version did you use for this test?

Contributor

csagan5 commented Jun 11, 2022

Ok, thanks, I expected so; and behaviour is unchanged whether certificate transparency is enabled or not?

ghost closed this as completed Jun 25, 2022
Contributor

csagan5 commented Jun 26, 2022

@arm64-v9a there is no v103 released yet

This issue was closed.