android: Trust user-supplied CAs, except on known servers #474
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
I've tested that the resulting app works normally (in a debug build), but haven't attempted to test that it actually resolves #461. Just like in zulip-mobile, then (zulip/zulip-mobile#5493 (comment)), we'll rely in the first instance on the fact that this file is pretty short and the docs seem clear about its semantics — plus it's copied from one that's been working in zulip-mobile. @shrizza I'll be glad for you to try this when it goes out in an upcoming zulip-flutter beta release, probably in the next week or so — please let us know then whether it does indeed make things work for you. |
|
LGTM; please merge after rebasing to fix the tests. |
This is copied from the corresponding config in zulip-mobile, which was added in the following commit: zulip/zulip-mobile@85c3a71 Unlike in zulip-mobile, though, we don't need any adjustments in debug (or profile) builds, because we don't use the `android:usesCleartextTraffic` attribute which this would clobber. (React Native debug builds reach out to the development host over cleartext HTTP in order to support hot updates; but the Flutter development tools have the host contact the app instead, using the Dart VM protocol. It's also not clear that any Dart libraries respect the `android:usesCleartextTraffic` flag anyway.) Fixes: zulip#461
gnprice
added a commit
to gnprice/zulip-flutter
that referenced
this pull request
May 14, 2024
The previous attempt at this (cffb112, zulip#474) set the configuration used by the HTTP implementation from the Android SDK, and by some third-party HTTP implementations. But in the bulk of the app's code, we use the HTTP implementation from the Dart standard library, and by default that does not consult the Android configuration. Happily, Flutter has an opt-in feature to apply the same configuration to the Dart standard library: https://chat.zulip.org/#narrow/stream/48-mobile/topic/flutter.3A.20user-added.20certs/near/1716845 So use that. Fixes: zulip#461
chrisbobbe
pushed a commit
that referenced
this pull request
May 14, 2024
The previous attempt at this (cffb112, #474) set the configuration used by the HTTP implementation from the Android SDK, and by some third-party HTTP implementations. But in the bulk of the app's code, we use the HTTP implementation from the Dart standard library, and by default that does not consult the Android configuration. Happily, Flutter has an opt-in feature to apply the same configuration to the Dart standard library: https://chat.zulip.org/#narrow/stream/48-mobile/topic/flutter.3A.20user-added.20certs/near/1716845 So use that. Fixes: #461
gnprice
added a commit
to gnprice/zulip-flutter
that referenced
this pull request
Jul 8, 2024
This was introduced in cffb112 / zulip#474 because we thought it would be a fix for zulip#461. As discussed on that issue thread, though, it turns out this file doesn't have an effect on the Dart HTTP implementation, which we use. Since it looks like it's doing something but in fact it isn't, cut it out to avoid confusion. It'll still be there in the Git history if we later want to use it as part of a future effort to fix zulip#461.
gnprice
added a commit
to gnprice/zulip-flutter
that referenced
this pull request
Jul 8, 2024
This was introduced in cffb112 / zulip#474 because we thought it would be a fix for zulip#461. As discussed on that issue thread, though, it turns out this file doesn't have an effect on the Dart HTTP implementation, which we use. Since it looks like it's doing something but in fact it isn't, cut it out to avoid confusion. It'll still be there in the Git history if we later want to use it as part of a future effort to fix zulip#461.
gnprice
added a commit
to gnprice/zulip-flutter
that referenced
this pull request
Jul 8, 2024
This was introduced in cffb112 / zulip#474 because we thought it would be a fix for zulip#461. As discussed on that issue thread, though, it turns out this file doesn't have an effect on the Dart HTTP implementation, which we use. Since it looks like it's doing something but in fact it isn't, cut it out to avoid confusion. It'll still be there in the Git history if we later want to use it as part of a future effort to fix zulip#461.
gnprice
added a commit
to gnprice/zulip-flutter
that referenced
this pull request
Jul 10, 2024
This was introduced in cffb112 / zulip#474 because we thought it would be a fix for zulip#461. As discussed on that issue thread, though, it turns out this file doesn't have an effect on the Dart HTTP implementation, which we use. Since it looks like it's doing something but in fact it isn't, cut it out to avoid confusion. It'll still be there in the Git history if we later want to use it as part of a future effort to fix zulip#461.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is copied from the corresponding config in zulip-mobile, which was added in the following commit:
zulip/zulip-mobile@85c3a71
Unlike in zulip-mobile, though, we don't need any adjustments in debug (or profile) builds, because we don't use the
android:usesCleartextTrafficattribute which this would clobber.(React Native debug builds reach out to the development host over cleartext HTTP in order to support hot updates; but the Flutter development tools have the host contact the app instead, using the Dart VM protocol. It's also not clear that any Dart libraries respect the
android:usesCleartextTrafficflag anyway.)Fixes: #461