Client Certificate Not Working with Dart/Flutter HTTP Client #494

@MelbourneDeveloper

Describe the bug
If I use the Dart or Flutter supabase client, I get an exception. This is the exception in Flutter (iOS). The same happens on macOS.

```
HandshakeException (HandshakeException: Handshake error in client (OS Error:
CERTIFICATE_VERIFY_FAILED: application verification failure(handshake.cc:393)))
```

To Reproduce
Steps to reproduce the behavior:

Use either the supabase package with Dart or the flutter_supabase package with Flutter. I'm running on macOS. Then, attempt to connect with the client and insert a record.

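```dart
WidgetsFlutterBinding.ensureInitialized();
await Supabase.initialize(
  url: 'INSERT',
  anonKey: 'INSERT',
);
// Supabase.instance is the singleton created by Supabase.initialize().
final supabase = Supabase.instance;
await supabase.client.from('users').insert({'id': '123'});
```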

Expected behavior
The client should connect.

Version (please complete the following information):
└── supabase_flutter 1.10.0
├── supabase 1.9.0
│ ├── functions_client 1.3.0
│ ├── gotrue 1.8.0
│ ├── postgrest 1.3.0
│ ├── realtime_client 1.1.0
│ ├── storage_client 1.4.0

Additional context
This is not specific to flutter_supabase. It happens with the supabase client as well.

**How Do I Know This is a Bug?**

I can work around the problem by ignoring the certificate error. If I add this code to Flutter

```dart
class MyHttpOverrides extends HttpOverrides {
  @override
  HttpClient createHttpClient(SecurityContext? context) =>
      super.createHttpClient(context)
        ..badCertificateCallback = (cert, host, port) => true;
}

// And I call this in my test...
HttpOverrides.global = MyHttpOverrides();
```

The code executes correctly with no errors.

Other people have reported the same problem on GitHub.

Here is some vanilla Dart code that passes as long as I ignore the certificate error.

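```dart
import 'dart:io';

import 'package:http/io_client.dart';
import 'package:supabase/supabase.dart';
import 'package:test/test.dart';
import 'package:uuid/uuid.dart';

final uuid = Uuid();

SupabaseClient getSupabaseClient() {
  // Accepts every certificate that fails verification (the workaround).
  final httpClient = HttpClient()
    ..badCertificateCallback = ((cert, host, port) => true);
  final ioClient = IOClient(httpClient);

  final supabase = SupabaseClient(
    'insert',
    'insert',
    httpClient: ioClient,
  );
  return supabase;
}

void main() {
  test('put in supabase', () async {
    await getSupabaseClient().from('users').insert(<String, dynamic>{
      'id': uuid.v4(),
      'name': 'someone',
      'emailAddress': 'someone2something.com',
    });
  });
}
```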

But, if I don't ignore the certificate error, I get

image

This is an existing issue:
supabase/supabase-dart#54

I believe that Supabase has a real problem here, and someone needs to address this.

Using Supabase in this way is not secure because it leaves the system open to man-in-the-middle attacks. What does the team plan to do about this?
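
An added example, not part of the original issue and not Supabase's own code: a variant of `getSupabaseClient()` that keeps verification on, logs the certificate that failed so the cause can be identified, and optionally trusts one extra CA instead of accepting everything. The helper name `buildVerifyingHttpClient` and the `extraRootPem` parameter are hypothetical.

```dart
import 'dart:io';

import 'package:http/io_client.dart';
import 'package:supabase/supabase.dart';

/// Builds an HttpClient that never accepts an unverified certificate.
/// [extraRootPem] is a hypothetical path to a PEM file holding a CA you
/// deliberately trust (for example a corporate TLS-inspection root).
HttpClient buildVerifyingHttpClient({String? extraRootPem}) {
  // Start from the platform trust store rather than an empty one.
  final context = SecurityContext(withTrustedRoots: true);
  if (extraRootPem != null) {
    // Adds this CA to the trusted set; everything else stays untrusted.
    context.setTrustedCertificates(extraRootPem);
  }

  return HttpClient(context: context)
    // Invoked only for a certificate that could not be authenticated.
    // Log what the server presented, then return false so the
    // handshake still fails (the opposite of `=> true`).
    ..badCertificateCallback = (X509Certificate cert, String host, int port) {
      stderr.writeln('TLS verification failed for $host:$port');
      stderr.writeln('  subject: ${cert.subject}');
      stderr.writeln('  issuer:  ${cert.issuer}');
      stderr.writeln('  valid:   ${cert.startValidity} to ${cert.endValidity}');
      return false;
    };
}

SupabaseClient getSupabaseClient({String? extraRootPem}) {
  return SupabaseClient(
    'insert', // project URL placeholder, as in the issue
    'insert', // anon key placeholder, as in the issue
    httpClient: IOClient(buildVerifyingHttpClient(extraRootPem: extraRootPem)),
  );
}
```

If the logged issuer is not the CA expected for the Supabase host, the certificate was issued by something else on the network path, which is the case verification exists to catch.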
