http icon indicating copy to clipboard operation
http copied to clipboard

Published 20 hours ago verified publisher icon dart-lang

CERTIFICATE_VERIFY_FAILED - self signed certificate

Open afiocre opened this issue 5 years ago • 8 comments

Hi,

how we can disable the certificate verify ? Because in local / dev we have a self signed certificate and it make an error (indicate in the title of the issue).

I can't make a real certificate in a local server (symfony server) so i'm blocked if i can't disabled this control.

afiocre avatar Aug 10 '20 15:08 afiocre

First, Having self-signed certificate is not recommended beacuse it's not secured. For Production, A certificate chain must be added to server configuration which allows your app can access server through api requests.

For Development, you can proceed in 2ways.

  1. With Self Signed certificate which fails in your case. There must be something wrong with certificate
  2. Without Self Signed certificate a. Create a file with dart extensionand then dump the below code into it

class MyHttpOverrides extends HttpOverrides{ @override HttpClient createHttpClient(SecurityContext context){ return super.createHttpClient(context) ..badCertificateCallback = (X509Certificate cert, String host, int port)=> true; } }

b. Call the above class in main() method as first statement main(){ HttpOverrides.global = new MyHttpOverrides(); runApp(widget) }

venkatesh-u avatar Aug 21 '20 06:08 venkatesh-u

Solution no. 2 provided by @venkatesh-u works for me but what I couldn't understand that this issue occurs at only old Android Devices like Samsung Galaxy Grand 2 and Samsung A5 etc. ? Not for other devices with the latest Operating System.

ashishbharwal001 avatar Nov 07 '20 20:11 ashishbharwal001

This given solution did the trick for me also. Considering that Flutter is soon forcing https-connections, it would still be nice if this would work in a more obvious way (e.g, the Client() call could consume an optional onHandshakeError callback)

Mereep avatar Dec 04 '20 16:12 Mereep

For Development, you can proceed in 2ways.

  1. With Self Signed certificate which fails in your case. There must be something wrong with certificate

@venkatesh-u Do you mean that a self signed certificate should be allowed? I just tried adding a self signed certificate in IIS, add it to my service binding on my local machine and start Flutter in an emulator. I get CERTIFICATE_VERIFY_FAILED error. If I query my server from a browser, the browser accepts the self signed certificate, but my Flutter app running in the emulator does not.

However, suggestion 2 works for me and I only add it for local development (of course).

mikeesouth avatar Feb 04 '21 09:02 mikeesouth

i have this error: 'MyHttpOverrides.createHttpClient' ('HttpClient Function(SecurityContext)') isn't a valid override of 'HttpOverrides.createHttpClient' ('HttpClient Function(SecurityContext?)'). (Documentation)

thedarkknight197 avatar May 22 '21 15:05 thedarkknight197

I think it is related to mobile environment than the Web server itself. I checked the server SSL certificate at https://www.ssllabs.com and it didn't find "relevant" issues (maybe I'm mistaking something).

I have the same error, my case is not for a self signed certificate but else for a SSL certificate provided by GlobalSign. If I do a post via Postman or wiht a basic html form to the WS I am using for, I don't get any certificate issue, but, if I do the same via code (Java or in this case, Dart) from a mobile app, I get this issue.

neoacevedo avatar Aug 11 '21 21:08 neoacevedo

@thedarkknight197 change the example of MyHttpOverride to something like this. Seems to work.

class DevHttpOverrides extends HttpOverrides {
  @override
  HttpClient createHttpClient(SecurityContext? context) {
    return super.createHttpClient(context)..badCertificateCallback = (X509Certificate cert, String host, int port) => true;
  }
}

which you then use like:

HttpOverrides.global = DevHttpOverrides();

SomethingGeneric avatar Oct 02 '21 01:10 SomethingGeneric

Hi folks... I have added DevHttpOverrides and HttpOverrides.global = DevHttpOverrides(); as shown above and it is working for me!!! Thanks!!!

lcnmorais avatar Nov 17 '21 00:11 lcnmorais

Guys, any idea how to solve this for flutter web?

Mopriestt avatar Oct 30 '22 12:10 Mopriestt

same question HttpOverrides does not work for web

vasilich6107 avatar Nov 16 '22 13:11 vasilich6107

please help web developers

an-mediola avatar Nov 30 '22 17:11 an-mediola

Anyone who wants to use a local server for testing and development purposes can use ngrok to expose a local development server to the Internet with minimal effort.

shivam-modi avatar Oct 04 '23 03:10 shivam-modi

The alternative is to use IOClient with a manually constructed HttpClient from dart:io.

https://pub.dev/documentation/http/latest/io_client/IOClient/IOClient.html

There is no way I am aware of to force a browser to allow unverified Http requests in the browser. This is only possible with dart:io clients.

Closing for now since there is nothing we can change in this package or the SDK to change security constraints in the browser.

natebosch avatar Oct 05 '23 00:10 natebosch