Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Problem with POCO HTTPS request on Android app #4698

Open
AnDevi opened this issue Sep 17, 2024 · 5 comments
Open

Problem with POCO HTTPS request on Android app #4698

AnDevi opened this issue Sep 17, 2024 · 5 comments
Labels
bug

Comments

@AnDevi
Copy link

AnDevi commented Sep 17, 2024

I'm trying to use POCO https requests on Android app. I'm using poco 1.10.1 (I built poco with BoringSSL instead of OpenSSL) and my setup for SSL looks like this:

Poco::Net::initializeSSL();
Poco::SharedPtr<Poco::Net::InvalidCertificateHandler> ptrCert = new Poco::Net::ConsoleCertificateHandler(false);
SSLContext = new Context(Context::TLSV1_2_CLIENT_USE, "", Context:: VERIFY_STRICT, 9, true, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
Poco::Net::SSLManager::instance().initializeClient(0, ptrCert, SSLContext);

after https request I'm still getting error error: SSL Exception: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED, code: 0, what: SSL Exception

Anyone has idea what else should be configured to make it work ?
@AnDevi AnDevi added the bug label Sep 17, 2024
@micheleselea
Copy link
Contributor

try using
new Context(Context::CLIENT_USE, "", Context:: VERIFY_NONE

@AnDevi
Copy link
Author

AnDevi commented Sep 18, 2024

That works, but I think it's not the solution, I don't want to skip security. ;(

@micheleselea
Copy link
Contributor

You are not skipping security: if you look
Context:: VERIFY_NONE Same as VERIFY_RELAXED.
Context::VERIFY_RELAXED
/// Client: The server certificate is verified, if one is provided.
/// If the verification process fails, the TLS/SSL handshake is
/// immediately terminated with an alert message containing the
/// reason for the verification failure.

The verification is failing because you cannot verify the certificate the server sent to you to check if it's a valid certificate.
You can handle it using Poco::Net::InvalidCertificateHandler on
Poco::Net::SSLManager::instance().initializeClient

the other thing you can do is to create a client context that has the "caLocation" set with a PEM file containing all valid certificate authority. For example you can, for example, this
https://curl.se/docs/caextract.html

@AnDevi
Copy link
Author

AnDevi commented Sep 18, 2024

For VERIFY_NONE I can see:

Client: If not using an anonymous cipher (by default disabled), the server will send a certificate which will be checked, but the result of the check will be ignored. so using it still seems to me like something dangerous.

What do you mean by that You can handle it using Poco::Net::InvalidCertificateHandler ?

You mean handling it this way:

class MyCertificateHandler : public Poco::Net::InvalidCertificateHandler {
public:
    MyCertificateHandler(bool handleErrorsOnServerSide) : Poco::Net::InvalidCertificateHandler(handleErrorsOnServerSide) {}

    void onInvalidCertificate(const void* pSender, Poco::Net::VerificationErrorArgs& errorCert) override {
        EELogError("Invalid certificate encountered!");
        errorCert.setIgnoreError(true);
    }
};

Handling it by errorCert.setIgnoreError(true); but it also seems tricky and unsafe.

Or you meant something else ?

@micheleselea
Copy link
Contributor

Context::VERIFY_STRICT and VERIFY_RELAXED and VERIFY_ONCE for client use it's the same, so use what I suggested with one of that, for example VERIFY_RELAXED

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@micheleselea @AnDevi