URLSession:(NSURLSession *)session didReceiveChallenge to trust self signed cert broke in 0.72.x

[idrakimuhamad]

Description

After upgrading expo to SDK 49, our development usage of rn-fetch-blob and react-native-ssl-pinning to skip self signed cert has been broken.

I deduce it to be RN as I've tested using RN cli to create a new project and it also failed albeit with different message.

Error: An SSL error has occurred and a secure connection to the server cannot be made.

I've tested with react-native-ssl-pinning and rn-fetch-blob, both will received error as below on the Bare expo.

The certificate for this server is invalid. You might be connecting to a server that is pretending to be “X.X.X.X” which could put your confidential information at risk.

This doesn't happen when I'm on 0.71.8, which is the version i'm upgrading from.

React Native Version

0.72.3

Output of npx react-native info

System:
OS: macOS 14.0
CPU: (8) arm64 Apple M1
Memory: 167.77 MB / 16.00 GB
Shell:
version: "5.9"
path: /bin/zsh
Binaries:
Node:
version: 18.12.0
path: ~/.nvm/versions/node/v18.12.0/bin/node
Yarn:
version: 1.22.19
path: ~/.yarn/bin/yarn
npm:
version: 8.19.2
path: ~/.nvm/versions/node/v18.12.0/bin/npm
Watchman:
version: 2023.05.22.00
path: /opt/homebrew/bin/watchman
Managers:
CocoaPods:
version: 1.12.1
path: /Users/idraki/.rbenv/shims/pod
SDKs:
iOS SDK:
Platforms:
- DriverKit 23.0
- iOS 17.0
- macOS 14.0
- tvOS 17.0
- visionOS 1.0
- watchOS 10.0
Android SDK:
Android NDK: 22.1.7171670
IDEs:
Android Studio: Giraffe 2022.3.1 Giraffe 2022.3.1
Xcode:
version: 15.0/15A5195k
path: /usr/bin/xcodebuild
Languages:
Java:
version: 11.0.15
path: /usr/bin/javac
Ruby:
version: 2.7.6
path: /Users/idraki/.rbenv/shims/ruby
npmPackages:
"@react-native-community/cli": Not Found
react:
installed: 18.2.0
wanted: 18.2.0
react-native:
installed: 0.72.3
wanted: 0.72.3
react-native-macos: Not Found
npmGlobalPackages:
"react-native": Not Found
Android:
hermesEnabled: Not found
newArchEnabled: Not found
iOS:
hermesEnabled: true
newArchEnabled: false

Steps to reproduce

https://github.com/idrakimuhamad/repro-expo-ssl-self-sign

The repo have a simple reproduction. Just need to include either rn-fetch-blob or rn-ssl-pinning, and use their configuration to skip self signed cert. For rn-fetch-blob is to add trusty during config.

or you can just run the example in repo above.

Snack, screenshot, or link to a repository

https://github.com/idrakimuhamad/repro-expo-ssl-self-sign

[cortinico]

After upgrading expo to SDK 49, our development usage of rn-fetch-blob and react-native-ssl-pinning to skip self signed cert has been broken.

Have you opened this issue against rn-fetch-blob and react-native-ssl-pinning as well? If not please do and link it here

[idrakimuhamad]

I have not, judging by the libraries not being updated for years, I assumed no changes from the library related to this. However, I will report this too to the libraries and link it back 👍

[idrakimuhamad]

I've further deduce that it is not React-Native nor Expo core itself, but one of the expo packages, which i'm further drilling to find that causing this.

[cortinico]

I've further deduce that it is not React-Native nor Expo core itself, but one of the expo packages, which i'm further drilling to find that causing this.

Closing this for now then. Feel free to reopen if you find more evidence that this is a React Native issue

[andreamazzarella]

@idrakimuhamad - currently looking at the same issue - did you have any luck with this?

[idrakimuhamad]

@idrakimuhamad - currently looking at the same issue - did you have any luck with this?

Unfortunately, no. It has something to do with expo-dev-client or expo-upgrade. The issues are still open, so I'll just wait for now.

expo/expo#24096