-
Notifications
You must be signed in to change notification settings - Fork 92
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
React Native Support #6
Comments
Yes this is a limitation we are aware of - we wanted the simplest possible implementation for v1.0.0. I agree that we should address this in the next release. The
Thanks! |
Your point regarding race conditions seems valid, and it's something that I'll need to work on. Thanks! In terms of how exactly to address it... I'm not sure that there is a clean solution. Ideally, we would have a |
I totaly agree. This is why I suggested one of the workearround - either doing what CWAC did or manual validation in interceptor. Do you think of those options is better? |
So after discussing this with OkHTTP guys, look like using interceptor is a valid approach. This is the pseudo code: new Interceptor() {
@Override
public Response intercept(Chain chain) throws IOException {
Request request = chain.request();
SSLSocket socket = (SSLSocket)chain.connection().socket();
trustKit.getInstance().getTrustManager(request.url().host()).checkServerTrusted(socket.getSession().getPeerCertificateChain(), "");
return chain.proceed(request);
}
} But I need help with the call to the trust manager - what paramters should I pass? Am I calling the correct method? |
Was that discussion recorded somewhere public? I'd love to look at it, if it was. Your proposed solution is interesting. I'll need to poke around with it some more with respect to my library. Going this route would have you not register the
I can't speak for this library. In my case, I would call the three-parameter public List<X509Certificate> checkServerTrusted(X509Certificate[] certs,
String authType,
String hostname) Off the cuff, Thanks for pointing this out! |
Hi @omerlh , Your approach seems valid. The only downside I can see is that the certificate chain will be validated twice in a row:
This means that for invalid certificate chains, TrustKit will be unable to "see" them because the connection will have failed before even making it to the Interceptor, preventing TrustKit from sending a report about the SSL problem. Thanks again! |
@commonsguy see the link to the issue above in OkHTTP, this is the discussion I was talking about. Feel free to reopen it and respond there. The auth type, according to the documentation, is actually the key algorithm. So I guess I should be able to get it from the SSL session, but I could not find any property with that value. This is the main issue I have right now with implementing this solution. If you could help with that this will be great. Also, what do you think about opening an issue at your library and link to here? In that way, we can track this issue in all the relevant places.
|
@omerlh I tried this approach yesterday and got rid of it, as it simply was not working the way that I want. I will address the problem in my library by serializing multiple-host access, to eliminate the race condition. |
I am not sure I am following, but I guess it will be clearer when you complete this. |
@commonsguy I think it might be tricky to serialize it as depending on network conditions, the first host that gets set may not be the first host that triggers a call to your checkServerTrusted() ? @omerlh I need to think about this more, based on the OkHttp person's suggestion, but feel free to try the implementation you described and let me know what happens. |
@nabla-c0d3 Actually, it dawned on me a few hours ago to use |
Yeah that makes sense and should work. This really shouldn't be so painful =) |
I think @commonsguy solution still has some issues, as the interceptor get called after the handshake - meaning, after the |
Update: I want to solve it in the following way:
Thank I can do the following:
This looks to me like the best option so far, but I would like to hear your thought before going on and creating a PR. @nabla-c0d3, what do you think? |
@nabla-c0d3 I tried to implement this in PR, I think it should solved all the issues. |
Hi @omerlh and sorry for the delay. We looked into both the None of them will work correctly tho, because on API level 24+, the system’s pinning validation (via the Network Security Configuration) is run before any custom Hence, there does not seem to be any solution at the moment for the problem you are facing. An option would be to allow Does that make sense and what do you think? |
Hey @nabla-c0d3 |
Hi @omerlh I am now thinking about a slightly different implementation. We could expose two
It doesn't solve all the problems but it seems more manageable and easier to use as an App developer. |
Hi @nabla-c0d3
What do you think? |
Hey @nabla-c0d3 |
HI @omerlh , we will most likely go with the plan I described in my previous message ( |
I see. As I explained before (unless I am missing something) - this will not solve the original issue for us, so it means we will have to look for an alternative solution. |
Finally, I've used the regular OkHttp
I posted a sample code in a gist, it was pretty easy to set this up. |
Thanks for letting us know. I will check it out! |
Hey,
We have an android app with React Native code. React Native allow to override the default ok HTTP client for ALL network request from React Native with the following code:
This work perfectly well, excpet for the fact that it will block all the request to API that are not belonging to my company - for example, firebase - because it will try to pin them with our domain configuration.
To solve this, we can use an approach similar to what CWAC did:
PinningTrustManager
that allow changing the domain configurationPinningTrustManager
to React Native clientOr we can try another approach, I am pretty open to ideas - for example, try to implement pinning in network interceptor - I will try to see if that possible.
Do you encounter similar problems? What will you recommend?
Thanks!
The text was updated successfully, but these errors were encountered: