Add an api to disable hostname verification in certificate authentication #49088

Open
wxkly8888 opened this issue May 12, 2022 · 2 comments
Labels
area-core-library SDK core library issues (core, async, ...); use area-vm or area-web for platform specific libraries. library-_http type-enhancement A request for a change that isn't a bug

Comments


wxkly8888 commented May 12, 2022

I am using a secure WebSocket in Flutter to connect to a server; my server side is using a self-signed certificate. In the Flutter client, I store the trusted CA.pem in local assets and load it to verify the server certificate. My code is like this:

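import 'dart:io';

import 'package:flutter/material.dart';
import 'package:flutter/services.dart';

void main() async {
  // Required before rootBundle can be used ahead of runApp().
  WidgetsFlutterBinding.ensureInitialized();
  ByteData data = await rootBundle.load('assets/data/ca-cert.pem');
  // Install the override so HttpClient instances trust only the bundled CA.
  HttpOverrides.global = MyHttpOverrides(data: data);
  runApp(const App());
}

class MyHttpOverrides extends HttpOverrides {
  final ByteData data;

  MyHttpOverrides({required this.data});

  @override
  HttpClient createHttpClient(SecurityContext? context) {
    // Start from an empty trust store and add only the bundled CA certificate.
    final SecurityContext clientContext = SecurityContext()
      ..setTrustedCertificatesBytes(data.buffer.asUint8List());
    // Log is the app's own logging helper (not shown in the post).
    Log().i("cert.pre=" + data.buffer.asUint8List().toString());
    return super.createHttpClient(clientContext);
  }
}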

But I keep getting this error:

WebSocketChannelException: HandshakeException: Handshake error in client (OS Error: 
CERTIFICATE_VERIFY_FAILED: Hostname mismatch(handshake.cc:359))

Is it possible to disable hostname verification before the handshake?
In Python, we can use ssl_context.check_hostname = False;
in Android we can use

public boolean verify(String hostname, SSLSession session) { return true; }

Our server is within the local LAN; the IP address is assigned by DHCP, like 192.168.1.11, etc., so the server address is dynamic. I just don't want to verify the hostname.

@wxkly8888 wxkly8888 changed the title Add a api to disable hostname verification in certificate authentication Add an api to disable hostname verification in certificate authentication May 12, 2022
@natebosch natebosch transferred this issue from dart-lang/http May 23, 2022
@natebosch natebosch added area-core-library SDK core library issues (core, async, ...); use area-vm or area-web for platform specific libraries. library-_http labels May 23, 2022
@natebosch
Member

I think you can use the badCertificateCallback to handle this.

https://api.dart.dev/stable/2.17.1/dart-io/HttpClient/badCertificateCallback.html

@wxkly8888
Author

@natebosch yes, I can handle hostname verification in badCertificateCallback, but all the wrong certificates will go into this method. It makes setTrustedCertificatesBytes(data.buffer.asUint8List()) useless. Think about a wrong certificate that is not trusted by the certificate chain and also has a hostname mismatch in my case. How can I distinguish the trusted certificate from the untrusted certificate when both have a hostname mismatch?

@natebosch natebosch added the type-enhancement A request for a change that isn't a bug label May 25, 2022
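
One way to keep badCertificateCallback from accepting every mismatched certificate, shown as an added example (not code from this thread or from the Dart SDK): pin the server's own certificate and accept only a byte-for-byte match. `pinnedClient`, `pemToDer` and `sameBytes` are hypothetical helpers, and the sketch assumes the callback is handed the server's leaf certificate when the only failure is a hostname mismatch.

```dart
import 'dart:convert';
import 'dart:io';
import 'dart:typed_data';

/// Decodes the first certificate in a PEM string to DER bytes.
Uint8List pemToDer(String pem) {
  final body = pem
      .split('\n')
      .map((l) => l.trim())
      .skipWhile((l) => l != '-----BEGIN CERTIFICATE-----')
      .skip(1)
      .takeWhile((l) => l != '-----END CERTIFICATE-----')
      .join();
  if (body.isEmpty) throw const FormatException('no certificate in PEM');
  return base64.decode(body);
}

/// Compares two byte lists without stopping at the first difference.
bool sameBytes(List<int> a, List<int> b) {
  if (a.length != b.length) return false;
  var diff = 0;
  for (var i = 0; i < a.length; i++) {
    diff |= a[i] ^ b[i];
  }
  return diff == 0;
}

/// Hypothetical helper: trusts [caPem] as usual and, when verification
/// fails (for example on a hostname mismatch), accepts only the exact
/// server certificate given in [pinnedServerPem].
HttpClient pinnedClient(List<int> caPem, String pinnedServerPem) {
  final pinnedDer = pemToDer(pinnedServerPem);
  final context = SecurityContext()..setTrustedCertificatesBytes(caPem);
  return HttpClient(context: context)
    ..badCertificateCallback = (X509Certificate cert, String host, int port) {
      final now = DateTime.now();
      // The callback overrides normal verification, so check validity here.
      if (now.isBefore(cert.startValidity) || now.isAfter(cert.endValidity)) {
        return false;
      }
      // Accept only the pinned certificate; any other certificate,
      // whatever its subject or issuer claims, is rejected.
      return sameBytes(cert.der, pinnedDer);
    };
}
```

The resulting client can be passed to `WebSocket.connect` through its `customClient` parameter. Because the pin is on the server certificate rather than the CA, the pinned PEM has to be updated whenever the server certificate is reissued.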