Bypass the certificate security check for localhost makes calls to valid https host throw exception

[bpsc-wkubis]

Description

I've implemented the steps from the guide Bypass the certificate security check. My understanding is that this custom message handler should function for both localhost (where it bypasses the check) and for valid HTTPS hosts.

The handler works perfectly when making API calls to localhost. However, when I attempt to make a call to a valid HTTPS host, an exception is thrown: Java.Security.Cert.CertificateException. The message associated with this exception is 'The remote certificate was rejected by the provided RemoteCertificateValidationCallback.'

When I set up the HttpClient without this message handler, simply using new HttpClient(), the call works fine.

During debug the expression return errors == System.Net.Security.SslPolicyErrors.None returns false because the errors are of type RemoteCertificateChainErrors."

Steps to Reproduce

Follow guide on https://learn.microsoft.com/en-us/dotnet/maui/data-cloud/local-web-services?view=net-maui-8.0 and then create 2 http requests. One for https localhost which should work fine, and second to some valid https host e.x. https://google.com which should throw described exception.

Both https client should use described in article Custom message handler.

Link to public reproduction project repository

No response

Version with bug

8.0.7 SR2

Is this a regression from previous behavior?

Not sure, did not test other versions

Last version that worked well

Unknown/Other

Affected platforms

Android

Affected platform versions

No response

Did you find any workaround?

Instead of return errors == System.Net.Security.SslPolicyErrors.None; return just "true", althouh it's not really great solution

Relevant log output

No response

[vitek-karas]

/fyi @simonrozsival

[simonrozsival]

@bpsc-wkubis could you please share more information about the Android device or emulator you used for testing? I wasn't able to reproduce the issue locally with .NET MAUI 8.0.7 (errors was SslPolicyErrors.None for google.com).

[bpsc-wkubis]

Hey @simonrozsival , I'm using android emulator.
Spec: Android 14, API 34, Device Pixel 7 (+ Store)

[simonrozsival]

@bpsc-wkubis I'm still not able to reproduce the issue. Could you please create a public repo with a repro project based on dotnet new maui? I would like to try running the same code that you are.

[bpsc-wkubis]

Here is repo: https://github.com/bpsc-wkubis/maui-broken-https, main code is in Home.razor

[simonrozsival]

@bpsc-wkubis I get the same behavior as you reported with your code. I wonder if this is because I was testing "normal" MAUI and you are using a Blazor hybrid app.

As a workaround, add #if DEBUG to only use the custom handler in development and use the default handler, which works fine as you reported in the initial comment. I don't recommend shipping the custom validation callback in a production app anyway.

[bpsc-wkubis]

I got you, however, my situation involves a development environment within a VPN, which is not localhost. I would like the ability to switch between these environments based on the nature of my tasks. Using localhost is advantageous when I need to debug specific aspects of the API connection, while the VPN environment is more suitable for development tasks unrelated to API connections. This approach simplifies the process by eliminating the need to set up all APIs and identity servers on my local machine each time.

[simonrozsival]

@bpsc-wkubis another option is to use the .NET's default SocketsHttpHandler handler by setting <UseNativeHttpHandler>false</UseNativeHttpHandler> in your project file and then using it through HttpClientHandler with your custom validation callback. It will work the same way on iOS and Android:

var handler = new HttpClientHandler
{
    ServerCertificateCustomValidationCallback = (req, cert, chain, errors) =>
    {
        if (req.RequestUri is Uri { Host: "localhost" } && cert?.Issuer is "CN=localhost")
        {
            return true;
        }

        return errors == System.Net.Security.SslPolicyErrors.None;
    }
};
var client = new HttpClient(handler);

[simonrozsival]

@bpsc-wkubis I played with your repro project, and I noticed that when I remove the network_security_config.xml, errors is None when making a request to https://google.com again. Apparently, this network config somehow breaks Android's native certificate validator (X509TrustManager) that we use internally to check if the OS trusts the remote server or not. I'm not sure what the right security config should be though. The only workaround, which is suboptimal though, I found is:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system" />
    </trust-anchors>
  </base-config>
</network-security-config>

[bpsc-wkubis]

@simonrozsival Thank you for your efforts. Until a fix is implemented, I will stick to the simplest solution, which ignores this error:

return errors == System.Net.Security.SslPolicyErrors.None || errors == System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors;

While this may not be the ideal solution, it is a manageable workaround in a development environment.