cordova-crosswalk-engine

On received SSL errors show dialog box

Open chernobil opened this issue 9 years ago • 13 comments

There is a difference in behavior between Cordova and Cordova with cordova-plugin-crosswalk-webview when handling SSL errors. When using the plugin, a dialog "Ssl Certificate Error Alert" is shown. I think this is Crosswalk's default behavior when an SSL error occurs. Without the plugin, Cordova rejects the request when built in release, or processes it when built in debug. Make the plugin behave like the original Cordova. The SSL certificate error alert is not very useful: it can't be customized, and even worse, the client is given a choice in a situation that might be a security breach.

chernobil avatar May 29 '15 08:05 chernobil

Could you please file a bug about this at https://crosswalk-project.org/jira.

fujunwei avatar Jun 01 '15 01:06 fujunwei

We should cherry pick a patch to Crosswalk plugin. https://github.com/fujunwei/crosswalk-cordova-android/commit/6519e226e01af919d0c01efcb856ecc4f795235c

fujunwei avatar Jun 04 '15 07:06 fujunwei

I've currently added this code as a workaround in the XWalkCordovaResourceClient class.

    // Needs: android.content.pm.ApplicationInfo, android.content.pm.PackageManager,
    // android.net.http.SslError, android.webkit.ValueCallback, org.xwalk.core.XWalkView
    @Override
    public void onReceivedSslError(XWalkView view, ValueCallback<Boolean> callback, SslError error) {

        final String packageName = parentEngine.cordova.getActivity().getPackageName();
        final PackageManager pm = parentEngine.cordova.getActivity().getPackageManager();

        ApplicationInfo appInfo;
        try {
            appInfo = pm.getApplicationInfo(packageName, PackageManager.GET_META_DATA);
            if ((appInfo.flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0) {
                // Debug build: accept the SSL error and continue loading.
                callback.onReceiveValue(true);
            } else {
                // Release build: reject the request.
                callback.onReceiveValue(false);
            }
        } catch (android.content.pm.PackageManager.NameNotFoundException e) {
            // When in doubt, lock it out! Fail closed by rejecting the request.
            callback.onReceiveValue(false);
        }
    }

chernobil avatar Jun 04 '15 08:06 chernobil

Great. Could you please describe how to reproduce this issue? I will cherry-pick it to the plugin repo. Thanks.

fujunwei avatar Jun 05 '15 01:06 fujunwei

You need to make an HTTPS request to an address whose SSL certificate is not valid according to Android's validation policy. Reasons for an invalid certificate may be: the issuer is not trusted, the certificate is expired, or the site name and certificate CN name mismatch. I think that self-signed certificates for SSL are also considered invalid by the OS, but I'm not absolutely sure about this.

chernobil avatar Jun 05 '15 09:06 chernobil

In my case, the SSL certificate is valid according to Android, but Crosswalk shows an SSL alert

and logcat says: I/X509Util(20378): Failed to validate the certificate chain, error: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

mccob avatar Jun 19 '15 09:06 mccob

Hi. I'm having trouble with SSL. I also get an alert saying SSL is not valid, only on some devices for some users.

My certificate is fine, it is NOT a self signed certificate, and it works in all browsers I've tested. Does anyone have any idea why would Android consider my certificate invalid? And is there a way I can still allow my website to be accessed?

As I understand, the pull request would prevent showing an alert, but the request would still fail. I did not get this issue before using cordova with the crosswalk plugin.

tehmaestro avatar Sep 22 '15 08:09 tehmaestro

Do you mean there is no issue without crosswalk plugin?

fujunwei avatar Sep 23 '15 01:09 fujunwei

Could you please share your sample code or describe steps to reproduce the issue?

fujunwei avatar Sep 23 '15 01:09 fujunwei

No, I did not get this issue before using this plugin. I'm still investigating, I will get back if I find the exact cause of this so it becomes reproducible.

tehmaestro avatar Sep 27 '15 12:09 tehmaestro

@tehmaestro Did you learn more about this issue? We are also having the same problem. It happens sporadically, for some users and for some Android devices. All run the same version of xwalk, and the strange thing is that for users for whom it worked before, it suddenly stops working.

manast avatar Mar 13 '16 10:03 manast

@chernobil @fujunwei Regarding the original issue - the current merged PR https://github.com/crosswalk-project/cordova-plugin-crosswalk-webview/pull/36 does not reflect the current cordova-android state.

https://github.com/apache/cordova-android/blob/master/framework/src/org/apache/cordova/engine/SystemWebViewClient.java#L238 Current Cordova WebView calls parent WebView.onReceivedSslError method, displaying the dialog in production. This engine should call the Crosswalk's one too.

Current behaviour, by hiding the prompt completely, is a really dangerous behaviour, because certificate errors are more nuanced (more on that below). For example, it took me a whole day of debugging and a bunch of 1-star reviews to reach this issue.

@tehmaestro @manast I hit the same problem as you. It turns out some Android versions and older Androids are missing some root certificates. Bundling these missing CA certificates should fix it.

Also in our case, our certificate had two trust chains and the second one was valid, but older Androids do not look further than the first one. I think the latest Chrome for Android has this functionality, so it might be valid in the Chrome browser but not in the Crosswalk webview. Read more at https://community.qualys.com/message/22981

msokk avatar Apr 09 '16 08:04 msokk
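
The trust-store failures discussed in this thread (the "Trust anchor for certification path not found" logcat line and the missing root certificates on older devices), reproduced offline with the openssl CLI as an added example that is not part of any comment above. It assumes openssl 1.1.1 or later on the PATH; every CA name, subject and file name is constructed, and the last case (a server that does not send its intermediate) goes beyond what the thread reports.

```shell
#!/usr/bin/env bash
# Constructed demo: a throwaway root -> intermediate -> leaf chain checked
# against different trust stores. Every name, subject and path is made up.
D=$(mktemp -d)
trap 'rm -rf "$D"' EXIT    # the demo keys are disposable; remove them on exit
printf '%s\n' '[req]' 'distinguished_name=req' '[ca]' \
  'basicConstraints=critical,CA:TRUE' '[leaf]' 'basicConstraints=CA:FALSE' > "$D/c.cnf"

new_root() {  # $1 = file prefix, $2 = CN; writes a self-signed CA certificate
  openssl req -x509 -config "$D/c.cnf" -extensions ca -newkey rsa:2048 -nodes \
    -days 2 -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

issue() {     # $1 = file prefix, $2 = CN, $3 = issuer prefix, $4 = ca|leaf
  openssl req -new -config "$D/c.cnf" -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
    -days 2 -extfile "$D/c.cnf" -extensions "$4" -out "$1.pem" 2>/dev/null
}

# check_chain TRUST_STORE LEAF [INTERMEDIATES_SENT_BY_SERVER]
# Prints "trusted", or "untrusted: <openssl reason>" if no path reaches an anchor.
check_chain() {
  local out
  if [ -n "${3:-}" ]; then
    out=$(openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1) || true
  else
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
  fi
  case "$out" in
    *": OK"*) echo "trusted" ;;
    *) echo "untrusted: $(printf '%s\n' "$out" | grep -m1 '^error')" ;;
  esac
}

new_root "$D/root"  "Demo Root"     # the CA that actually anchors the chain
new_root "$D/other" "Other Root"    # stands in for an older device's store
issue "$D/int"  "Demo Intermediate" "$D/root" ca
issue "$D/leaf" "app.example.test"  "$D/int"  leaf
cat "$D/other.pem" "$D/root.pem" > "$D/bundled.pem"   # device store + bundled CA

echo "current store:       $(check_chain "$D/root.pem"    "$D/leaf.pem" "$D/int.pem")"
echo "root missing:        $(check_chain "$D/other.pem"   "$D/leaf.pem" "$D/int.pem")"
echo "root bundled:        $(check_chain "$D/bundled.pem" "$D/leaf.pem" "$D/int.pem")"
echo "intermediate unsent: $(check_chain "$D/root.pem"    "$D/leaf.pem")"
```

The same `check_chain` call works on a real deployment if the leaf and intermediates are saved from the server and the trust store is a PEM export of the CA set of the oldest device you support.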

Some certificates may not be properly configured. You can always check yours with some online tools like https://www.ssllabs.com/ssltest

It could still be interesting to be able to hide those alerts (maybe on some domains only?).

Heshyo avatar Aug 10 '16 02:08 Heshyo