Adobe-Runtime-Support

[Feature Request] Ability to suppress network security popups about invalid certificates

Open itlancer opened this issue 3 years ago • 15 comments

Feature Description

AIR should have the ability to suppress network security popups about invalid certificates programmatically. Right now, if something goes wrong with HTTPS SSL certificate checks using URLLoader/URLStream/Loader/StageWebView/Socket/SecureSocket/NetConnection, the application (OS) just shows a network security error/popup.

Such popups cause the application to "hang" (sometimes crash) until the user chooses something. Moreover, for some retail kiosks there could be no user and the application just stops working. That's why we need a way to programmatically control it:

  1. By default it should work as is. Let the user decide what to do.
  2. If such a network security issue happens, some event should be fired, and via AS3 logic we can get all necessary information about it (including certificate information) and make some additional checks to decide to “block” or “allow” the connection via some SecurityEvent::preventDefault() or something like that. In such a case there shouldn't be any popups. And the application could programmatically allow/block it and show a custom visual notification without hanging/crashing.

There are a lot of different reasons for this issue:

  • Incorrect certificate
  • Network attack
  • Incorrect date/time of client device (especially for some low-cost Android TV Boxes without CMOS battery)
  • Self-signed certificates usage (often used by enterprise clients)
  • ...

You can use https://badssl.com/ to test it.

This feature is needed for all platforms. Maybe only iOS has some restrictions about that.

Related links:

  • https://stackoverflow.com/questions/4072377/how-can-i-bypass-or-detect-ssl-certificate-before-the-message-is-shown-in-adobe
  • https://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/security/CertificateStatus.html

Known Workarounds

none

itlancer, Dec 13 '21 15:12

Though this is not the answer to your request, I am pretty sure that you cannot simply suppress these notifications per default as they are coming directly from Windows itself ("Adobe uses the underlying OS certificate store", https://stackoverflow.com/questions/2187758/ssl-client-side-certificate-authentication-in-adobe-air). We are also encountering this and need to work with our own trusted root certificates generated for specific domains/hosts.

Harman would likely have to come up with a custom solution (certificate store) for this - sounds complicated but maybe I'm wrong, so please take my words with a grain of salt on this.

EDIT: In the link there is a work-around described. Maybe this helps...

2jfw, Dec 13 '21 16:12

This might be connected to this thread: #1439

al-sabr, Dec 14 '21 11:12

Actually there's a hack for this problem. One might use the window handling capabilities of the Win32 API to always check if the specific window is showing, and if yes, then get the handle of the button to press, and once the handle is acquired you can internally trigger the button with a virtual click and the window will disappear.

I think each OS has its own handling API; the task is to find them.

I hope this helps.

Windows: https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getwindow

al-sabr, Mar 22 '22 10:03

@ajwfrost Just checked the new certificateError event with Windows devices and URLLoader using the latest AIR 50.2.3.1. It works as expected, thank you! Now we can suppress network security error popups. What I would like to see in future versions:

  1. New event as a proper class.
  2. Get information about certificate and reason of error to "make a decision" about preventing or allowing request.

Also I will try to check the same using URLStream/Loader/StageWebView/Socket/SecureSocket/NetConnection and other platforms.

itlancer, Jul 05 '23 11:07

@ajwfrost The certificateError event isn't fired with StageWebView. Tested with Windows devices using <UseWebView2>true</UseWebView2>. Also tested with Android devices without <runtimeInBackgroundThread>true</runtimeInBackgroundThread>. For testing I used https://expired.badssl.com/ and https://self-signed.badssl.com/

itlancer, Jul 27 '23 10:07

@itlancer Hi brother, I have a question for you. The SDK version I'm using is 50.2.3.1. The code looks like this: loader = new URLLoader(); loader.addEventListener("certificateError", certificateError); But I didn't get a certificateError callback event. Is it used like this? Thanks

xiangshun110, Jan 15 '24 07:01

@xiangshun110 that's how it should be used yes; you'd only see that callback if we find the remote server is using a self-signed certificate though. You can test this with https://self-signed.badssl.com/ Other certificate failures aren't (yet?) being handled in this manner ..

thanks

ajwfrost, Jan 15 '24 08:01

@ajwfrost Thanks for the new SecurityErrorEvent.CERTIFICATE_ERROR event. The only issue I found for now: it still doesn't work with StageWebView.

itlancer, Feb 24 '24 14:02

StageWebView still does not support SecurityErrorEvent.CERTIFICATE_ERROR events with AIR 51.1.1.2.

itlancer, Aug 06 '24 15:08