Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

HttpClient should honor user-installed certificates on Android #50435

Open
brianquinlan opened this issue Nov 10, 2022 · 10 comments
Open

HttpClient should honor user-installed certificates on Android #50435

brianquinlan opened this issue Nov 10, 2022 · 10 comments
Assignees
@brianquinlan
Labels
area-vm Use area-vm for VM related issues, including code coverage, FFI, and the AOT and JIT backends. library-io os-android P3 A lower priority bug or feature request triaged Issue has been triaged by sub team

Comments

@brianquinlan
Copy link
Contributor

See #48056 for context.
@brianquinlan brianquinlan added P1 A high priority bug; for example, a single project is unusable or has many test failures area-core-library SDK core library issues (core, async, ...); use area-vm or area-web for platform specific libraries. library-io library-io-triaged labels Nov 10, 2022
@brianquinlan brianquinlan self-assigned this Nov 10, 2022
@brianquinlan brianquinlan mentioned this issue Nov 10, 2022
Open
@brianquinlan
Copy link
Contributor Author

I've been experimenting with moving Flutter to use package:http.

That would allow the user to use package:cronet_http, which does honor user-installed certificates.

There are two other approaches that I can think of to solve this:

  1. use JNI to ask the OS to resolve the certificate
  2. make certificate resolution the responsibility of the embedder (i.e. Flutter)

@berdroid
Copy link

berdroid commented Nov 22, 2022
edited
Loading

That would allow the user to use package:cronet_http, which does honor user-installed certificates.

I think this will be problematic for people using Dart/Flutter on an embedded Android platform, that typically does not support Google Play Serives.

There are two other approaches that I can think of to solve this:

  1. use JNI to ask the OS to resolve the certificate
  2. make certificate resolution the responsibility of the embedder (i.e. Flutter)

Option 2 seems to be preferable as it opens up solutions for other platforms/emebedders.

@brianquinlan
Copy link
Contributor Author

I started a discussing on this in the hackers-framework-🔩 Discussion. So far the feedback is that depending on package:http seems like a bad idea.

@brianquinlan
Copy link
Contributor Author

It looks like there is only one common use case in Flutter where dart:io HttpClient is used: image display through Image.network.

It is very easy to replace this with package:cached_network_image, which uses package:http and can, therefore, be configured to use a native http client.

@a-siva a-siva added triaged Issue has been triaged by sub team and removed library-io-triaged labels Dec 20, 2022
@brianquinlan
Copy link
Contributor Author

I've updated the examples in cupertino_http and cronet_http to use package:cached_network_image.

At this point it should be possible to use those packages to with user-installed certificates.

@brianquinlan
Copy link
Contributor Author

I wrote a design doc suggesting that we recommend package:http as an HTTP client. Feedback welcome!

@brianquinlan
Copy link
Contributor Author

I presented this at the Dash forum. It's basically asking for feedback for the design doc. There seemed to be consensus so I'm moving forward on it.

@jmshrv jmshrv mentioned this issue Mar 16, 2023
Open
@brianquinlan brianquinlan added P3 A lower priority bug or feature request and removed P1 A high priority bug; for example, a single project is unusable or has many test failures labels Mar 17, 2023
@brianquinlan
Copy link
Contributor Author

There is still work to do in terms of documentation but think that we already have a solution in place.

@greglook greglook mentioned this issue Jun 2, 2023
Closed
4 tasks
@dreautall dreautall mentioned this issue Jul 24, 2023
Closed
@TomBursch TomBursch mentioned this issue Sep 6, 2023
Open
@ImranR98 ImranR98 mentioned this issue Jan 12, 2024
Open
@jjoelj jjoelj mentioned this issue Feb 27, 2024
Open
@denysvitali denysvitali mentioned this issue Mar 26, 2024
Closed
@KevinCFechtel KevinCFechtel mentioned this issue Apr 21, 2024
Closed
@lrhn lrhn added area-vm Use area-vm for VM related issues, including code coverage, FFI, and the AOT and JIT backends. and removed area-core-library SDK core library issues (core, async, ...); use area-vm or area-web for platform specific libraries. labels Apr 21, 2024
@r3a1d3a1
Copy link

This is also important in case of old Android versions not getting updated CA roots.
A savvy user could add newer roots manually, but flutter apps still wouldn't work.
Any timeline of when this will be completed?

@Kampe
Copy link

Kampe commented Jun 20, 2024

Would like to know if this is in the roadmap at all?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@brianquinlan brianquinlan

Labels
area-vm Use area-vm for VM related issues, including code coverage, FFI, and the AOT and JIT backends. library-io os-android P3 A lower priority bug or feature request triaged Issue has been triaged by sub team
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@Kampe @lrhn @r3a1d3a1 @a-siva @brianquinlan @berdroid