https over self-signed certificate #32

Closed
pepie opened this issue Jul 17, 2018 · 19 comments
pepie commented Jul 17, 2018

A 'CERTIFICATE_VERIFY_FAILED' exception is thrown when connecting to a server with a self-signed certificate.

var url = 'https://jsonplaceholder.typicode.com/posts/1';
Dio dio = new Dio();
await dio.get(url).then((response){
  print(response.data);
}).catchError((err){
   print(err);
});
Contributor

wendux commented Jul 17, 2018

You should create a SecurityContext object to trust your certificate in the onHttpClientCreate callback, for example:

  dio.onHttpClientCreate = (HttpClient client) {
    // create a `SecurityContext` instance to trust your certificate
    return HttpClient(context: securityContext);
  };

For more about SecurityContext, please refer to the Dart doc: SecurityContext

@wendux wendux changed the title 'CERTIFICATE_VERIFY_FAILED' when connecting w/ https over self-signed certificate https over self-signed certificate Jul 17, 2018
Author

pepie commented Jul 17, 2018

Consider adding support for badCertificateCallback.

 HttpClient httpClient = new HttpClient()
      ..badCertificateCallback =
      ((X509Certificate cert, String host, int port) => trustSelfSigned);

perhaps as an option to the constructor:

new Dio({acceptSelfSignedCert: false})

Author

pepie commented Jul 17, 2018

It doesn't seem like onHttpClientCreate() is ever reached:

    Dio dio = new Dio();
    dio.onHttpClientCreate = (HttpClient client) {
      print('onHttpClientCreate entered...');  // this code is never reached
      client.badCertificateCallback = (X509Certificate cert, String host, int port) => true;
      return client;
    };

   Response<String> response=await dio.get(url);  //CERTIFICATE_VERIFY_FAILED:ok

Contributor

wendux commented Jul 17, 2018

Are you sure? I have run the code as follows:

    dio.onHttpClientCreate = (HttpClient client) {
      print("dio xxxx");
      client.badCertificateCallback =
          (X509Certificate cert, String host, int port) {
        return true;
      };
    };

Console log

I/flutter (18963): dio xxxx

Which version of dio do you use? 0.1.3?

Author

pepie commented Jul 17, 2018

Yes, it never ran on my box.
It's a little weird.

I've submitted a pull request to support self-signed certs.
#33

Please consider. This works.
Another option would be to allow one to pass the entire callback, instead of setting trustSelfSignedCerts to true.

Great plugin btw!!

Author

pepie commented Jul 17, 2018

@wendux I created a new project and was able to confirm dio.onHttpClientCreate() ran successfully.
I'll have to figure out why it wasn't triggered in the first project, but the problem seems to be local.

Using version 0.1.3
FYI

Contributor

wendux commented Jul 18, 2018

@pepie OK, maybe you overwrite the OnHttpClientCreate callback somewhere?

Author

pepie commented Jul 18, 2018

I'm guessing that's the case.
I'll send an update if I discover anything strange.
Thanks!

@lyquocnam

What about this issue?


cdvv7788 commented Jul 31, 2018

It seems that @pepie found a solution (check #33 ). Should this issue be closed? Does this specific case need to be documented?


Author

pepie commented Aug 18, 2018

Closing this issue since a solution was found.

class MyHttpOverrides extends HttpOverrides {
  @override
  HttpClient createHttpClient(SecurityContext context) {
    HttpClient client = super.createHttpClient(context); //<<--- notice 'super'
    client.badCertificateCallback = (X509Certificate cert, String host, int port) => true;
    return client;
  }
}

void main() {
  HttpOverrides.global = new MyHttpOverrides();
  runApp(new App());
}

@anisalibegic

(dio.httpClientAdapter as DefaultHttpClientAdapter).onHttpClientCreate = (HttpClient client) {
    client.badCertificateCallback = (X509Certificate cert, String host, int port) => true;
    return client;
};


abgrano commented Jul 2, 2021

Dio dio = new Dio();
(dio.httpClientAdapter as DefaultHttpClientAdapter).onHttpClientCreate =
    (HttpClient client) {
  client.badCertificateCallback =
      (X509Certificate cert, String host, int port) => true;
  return client;
};


arnbut commented Sep 16, 2021

DioForNative dio = DioForNative();
DefaultHttpClientAdapter httpClient = dio.httpClientAdapter;
httpClient.onHttpClientCreate = (HttpClient client) {
  client.badCertificateCallback =
      (X509Certificate cert, String host, int port) {
    return true;
  };
};

and then you can make dio.post and dio.get requests.

sharkerfury added a commit to redblackfury/AttackRussianWebMob that referenced this issue Apr 8, 2022
@bambinoua

How to disable SSL certificate check using Dio in WEB ENVIRONMENT?

@LukeDaniel16

(dio.httpClientAdapter as DefaultHttpClientAdapter).onHttpClientCreate = (HttpClient client) {
    client.badCertificateCallback = (X509Certificate cert, String host, int port) => true;
    return client;
};

This is not SAFE for production versions!

We need another reply to resolve it, anyone?


zhusupq commented Jan 17, 2023

@bambinoua Have you found a solution for flutter web?


jparsoft commented Jan 24, 2023

In my case I needed to use a self-signed certificate and the solution was this:

Future<Response> secureRequest(
    String path, {
    method = 'GET',
    Map<String, dynamic>? queryParameters,
    dynamic data,
    Map<String, String>? headers,
  }) async {
    
   // convert my certificate to pem

   // openssl x509 -in client.crt -out client.pem 
   // openssl rsa -in client.key -out clientkey.pem
     

    ByteData dataCRT = await rootBundle.load('assets/ca/client.pem');
    ByteData dataKey = await rootBundle.load('assets/ca/clientkey.pem');

    Dio dio = Dio();
    dio.interceptors.add(_interceptor);
    (dio.httpClientAdapter as DefaultHttpClientAdapter).onHttpClientCreate =
        (client) {
      SecurityContext serverContext = SecurityContext();

      serverContext.useCertificateChainBytes(dataCRT.buffer.asUint8List());
      serverContext.usePrivateKeyBytes(dataKey.buffer.asUint8List());
      // create a new client that carries the certificate, accepts self-signed certificates, and return it
      var newClient = HttpClient(context: serverContext);
      newClient.badCertificateCallback =
          (X509Certificate cert, String host, int port) => true;
      return newClient;
    };
    logger.i("secureRequest");
    logger.d("path: $path");

    return await dio.request(path,
        data: data,
        queryParameters: queryParameters,
        options: Options(
          headers: headers,
          method: method,
        ));
  }

AlexV525 added a commit that referenced this issue Feb 13, 2023

lukas-pierce commented Mar 26, 2024

Current as of March 2024:

The onHttpClientCreate callback is deprecated. Now you should use createHttpClient and return your own HttpClient instance:

import 'dart:io';
import 'package:dio/dio.dart';
import 'package:dio/io.dart';

Dio createDio({required String baseUrl, bool trustSelfSigned = false}) {
  // initialize dio
  final dio = Dio()
    ..options.baseUrl = baseUrl;

  // allow self-signed certificate
  (dio.httpClientAdapter as IOHttpClientAdapter).createHttpClient = () {
    final client = HttpClient();
    client.badCertificateCallback = (cert, host, port) => trustSelfSigned;
    return client;
  };
  
  return dio;
}
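
An added example, not code from this thread or from the dio project: rather than returning true for every certificate, this client trusts only the one self-signed server certificate through a SecurityContext (the route suggested earlier in the thread) and lets badCertificateCallback accept nothing but that same certificate, matched by SHA-256 fingerprint. It uses the createHttpClient hook shown above; createPinnedDio, serverCertPem and pinnedSha256Hex are hypothetical names, and the crypto package is assumed to be a dependency.

```dart
import 'dart:io';
import 'dart:typed_data';

import 'package:crypto/crypto.dart'; // assumption: `crypto` is listed in pubspec.yaml
import 'package:dio/dio.dart';
import 'package:dio/io.dart';

/// Builds a Dio client that trusts exactly one self-signed server certificate.
///
/// [serverCertPem] holds the server certificate in PEM form (for example
/// loaded from an asset). [pinnedSha256Hex] is the hex SHA-256 digest of the
/// certificate's DER encoding. All three names are hypothetical.
Dio createPinnedDio({
  required String baseUrl,
  required Uint8List serverCertPem,
  required String pinnedSha256Hex,
}) {
  final dio = Dio()..options.baseUrl = baseUrl;
  final expectedHost = Uri.parse(baseUrl).host;
  final expectedPin = pinnedSha256Hex.toLowerCase();

  (dio.httpClientAdapter as IOHttpClientAdapter).createHttpClient = () {
    // Start from an empty trust store and add only the supplied certificate,
    // so the normal chain check passes for this server and for nothing else.
    final context = SecurityContext(withTrustedRoots: false)
      ..setTrustedCertificatesBytes(serverCertPem);

    final client = HttpClient(context: context);

    // Runs only when validation has already failed (for example the
    // certificate's name does not match the address used to reach the host).
    // Accept solely the pinned certificate on the expected host.
    client.badCertificateCallback =
        (X509Certificate cert, String host, int port) {
      final presented = sha256.convert(cert.der).toString();
      return host == expectedHost && presented == expectedPin;
    };
    return client;
  };

  return dio;
}
```

A certificate that is neither in the trust store nor matches the pin still fails with CERTIFICATE_VERIFY_FAILED, which is the behaviour you want to keep for every other host.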
