SSL pinning with react-native - android

Hi mobile experts,
I am working on an SSL certificate. I am running into a problem with the SSL pinning configuration in the mobile app (react-native).
I am using the Network Security Configuration for Android and the App Transport Security settings for iOS.
I got the certificate file with the .pem extension and it is successfully pinned for Android. The thing is, iOS with the new configuration only accepts the hash key, which is typically calculated from the certificate file.
When I try to pin the hash key, it fails for both iOS and Android. Does the hash key also need to be configured on the server side?
This is the error I got:
handshake failed; returned -1, SSL error code 1, net_error -202
Android doc: https://developer.android.com/training/articles/security-con...
IOS doc: https://developer.apple.com/news/?id=g9ejcf8y
Hope that anyone has any good information for me.
Thank you in advance!

Related

Api requests do not work on Android with EXPO

SDK Version: 40.0.0
Platforms: Android
API requests do not work on Android.
I used axios and fetch for API requests.
I'm getting an error (Network Error) a long time after submitting a request.
Picture of the error: (image missing)
I found android:usesCleartextTraffic="true" for React Native.
How do I do this in Expo?
Note: Certificate provided by Let’s Encrypt
Thank you for your help
Answer
Generally speaking, any valid SSL certificate should work just fine. That also includes all Let's Encrypt certificates, with the only requirement that it's a valid certificate. You can use tools like SSL Labs to test the validity of your SSL certificate.
https://github.com/expo/expo/issues/12016

self-signed ssl certificate not being blocked when deployed to Android

I noticed that my app, when deployed to Android, is accepting self-signed certificates on the server.
To help with the issue I created a snapshot of what I am doing on StackBlitz, as recommended.
https://stackblitz.com/edit/ionic-login-test
I added the Cordova Android platform and then ran:
ionic cordova run android --prod
I then set up a local development server using Django with a self-signed SSL certificate managed by nginx, which is listening on https://192.168.0.10/.
When I attach to the phone for debugging in Chrome, I can see that the login succeeds.
I would expect to see an error and be sure that the data was not sent to the server, as it could not be verified.
What I would expect is a result of
Response with status: 0 for URL: null
and a
Failed to load resource: net::ERR_INSECURE_RESPONSE
in the console.
But instead I am getting the failed-login error from the server.
I am running everything on Arch Linux.
I posted this issue on their GitHub repository and this seems to be a feature: self-signed SSL certificates are only blocked when the --release flag is added and your APK is manually signed.
Here is the link to ghenry22's reply
Cheers

ASP .Net Core with Kestrel implement SSL

I'm facing a problem implementing SSL on my web app. It works as a web service for Android and iOS. Everything went smoothly until I implemented the SSL certificates; suddenly Android (most Android devices except Samsung) throws this error:
E/ErrorHTTP: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
Then I googled and landed here:
google says about the error
support the google statement
work around for the error to accept the not valid ssl
It says that this mostly happens because of:
The CA that issued the server certificate was unknown
The server certificate wasn't signed by a CA, but was self-signed
The server configuration is missing an intermediate CA
Those three options are already ruled out; I already checked with an SSL checker. It's none of the above: it's not unknown, it's not self-signed, we're using Comodo, and the intermediate and root certificates are also valid. You can check here: ssl checker for my link,
you can check it by yourself.
And now I'm stuck; the certificate is valid. The certificate also opens on Samsung, but somehow fails on some other brands, for example Xiaomi. I don't know where to look now. Is it:
the SSL configuration? I need to keep digging, even though it is marked as valid in most validators.
or do I make the Android code more vulnerable? Some brands can already access it; I mean, is it because of the brand, or what?
The stack I'm using:
ASP .NET Core 2.0.
Kestrel.
Comodo certificates.
Native Android.
Please help! Thank you.

How do I fix incomplete certificate chain in nginx

I'm using a package called Coronium Cloud and I have recently set up SSL. Coronium Cloud is a server package for apps developed with Corona SDK. It uses nginx as the server for the package. There is a control panel that you connect to through your browser, which loads fine, and Firefox says the certificate is trusted. However, it does not work in the app but instead shows an error saying the certificate is not trusted (CertPathValidatorException on Android). I used a tool by DigiCert to check the SSL configuration:
Screenshot of the DigiCert test: (image missing)
There were instructions by the creator of Coronium Cloud on how to set it up, all of which I followed. I got the certificate from startssl.com and used their nginx certificate. Does anyone know how I can fix this issue? It is holding me back from developing other features, as I now can't use any part of my app until this is fixed.
Thank you in advance to anyone who can help me
You should use the certificate chain provided by your Certificate Authority, together with your certificate, and follow the nginx documentation:
https://nginx.org/en/docs/http/configuring_https_servers.html#chains
cat www.example.com.crt bundle.crt > www.example.com.chained.crt
And in your server block:
ssl_certificate www.example.com.chained.crt;
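Two things these threads turn on can be checked offline: the pin value asked about in the opening post, and whether the chain a server sends actually links up to a trust anchor (the CertPathValidatorException in the ASP.NET Core thread and the incomplete chain here). What follows is an added example, not code from any of the posts, from nginx or from Coronium: a small standard-library Python script with a minimal DER walker. On Android the pin in network_security_config.xml and on iOS the SPKI-SHA256-BASE64 value are both base64(sha256(DER SubjectPublicKeyInfo)), so the pin is derived from the certificate the server already serves and nothing extra has to be configured on the server for it. The certificates the script builds are constructed, unsigned placeholders (fake keys, no real signatures) so it runs without network; the names "Demo Root CA", "Demo Intermediate CA" and "api.example.com" are assumptions. For real use, feed it the PEM blocks from openssl s_client -showcerts or the chained file you hand to nginx.

```python
"""Added example (not from the thread): SPKI pins plus a chain-completeness
check, standard library only.  Android's <pin digest="SHA-256"> and Apple's
SPKI-SHA256-BASE64 are both base64(sha256(DER SubjectPublicKeyInfo)).
The demo certificates at the bottom are constructed, unsigned placeholders."""
import base64
import hashlib
import re

# --- minimal DER reader (single-byte tags, short and long lengths) ---------
def der_tlv(buf, pos=0):
    """Return (tag, value, end) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed value into (tag, full TLV bytes) children."""
    out, pos = [], 0
    while pos < len(value):
        start, (tag, _, pos) = pos, der_tlv(value, pos)
        out.append((tag, value[start:pos]))
    return out

def cert_parts(cert_der):
    """(issuer, subject, spki) as raw DER TLVs from a DER-encoded certificate."""
    _, tbs_tlv = der_children(der_tlv(cert_der)[1])[0]  # tbsCertificate
    fields = der_children(der_tlv(tbs_tlv)[1])
    if fields[0][0] == 0xA0:                            # explicit [0] version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[2][1], fields[4][1], fields[5][1]

def pin_of_spki(spki_der):
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def spki_pin(cert_der):
    """The value that goes into <pin digest="SHA-256"> / SPKI-SHA256-BASE64."""
    return pin_of_spki(cert_parts(cert_der)[2])

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_ders(pem_bytes):
    return [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(pem_bytes)]

def check_chain(ders, trust_anchors):
    """Problems with a leaf-first chain: cert[i] must be issued by cert[i+1],
    and the last cert's issuer must be one of the trust anchors (the client's
    root store).  Empty list means the chain links up."""
    if not ders:
        return ["no certificates in input"]
    problems = []
    for i in range(len(ders) - 1):
        if cert_parts(ders[i])[0] != cert_parts(ders[i + 1])[1]:
            problems.append(f"cert {i} is not issued by cert {i + 1} (wrong order?)")
    anchor_subjects = {cert_parts(a)[1] for a in trust_anchors}
    if cert_parts(ders[-1])[0] not in anchor_subjects:
        problems.append("trust anchor for certification path not found: "
                        "server is missing an intermediate")
    return problems

def pin_matches(ders, pin_set):
    """Android semantics: any certificate in the chain may satisfy the pin set."""
    return any(spki_pin(d) in pin_set for d in ders)

def android_config(domain, pins):
    """network_security_config.xml body for res/xml/ (format from the Android doc)."""
    pin_xml = "".join(f'      <pin digest="SHA-256">{p}</pin>\n' for p in pins)
    return ("<network-security-config>\n  <domain-config>\n"
            f'    <domain includeSubdomains="true">{domain}</domain>\n'
            f"    <pin-set>\n{pin_xml}    </pin-set>\n"
            "  </domain-config>\n</network-security-config>\n")

# --- constructed demo certificates (fake keys, no real signatures) ---------
def tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { commonName OID, UTF8String } } }
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, cn.encode()))))

def fake_cert(subject, issuer, key_bytes):
    rsa = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b""))
    spki = tlv(0x30, rsa + tlv(0x03, b"\x00" + key_bytes))
    sig_alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + sig_alg
              + name(issuer) + validity + name(subject) + spki)
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" * 17)), spki

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

ROOT, _ = fake_cert("Demo Root CA", "Demo Root CA", b"\x01" * 32)
INTER, _ = fake_cert("Demo Intermediate CA", "Demo Root CA", b"\x02" * 32)
LEAF, LEAF_SPKI = fake_cert("api.example.com", "Demo Intermediate CA", b"\x03" * 32)
FULL_CHAIN_PEM = (to_pem(LEAF) + to_pem(INTER)).encode()  # what nginx should serve
LEAF_ONLY_PEM = to_pem(LEAF).encode()                      # the incomplete-chain case

if __name__ == "__main__":
    for label, pem in (("full chain", FULL_CHAIN_PEM), ("leaf only", LEAF_ONLY_PEM)):
        print(label, "->", check_chain(pem_to_ders(pem), [ROOT]) or "OK")
    # Pin the intermediate (survives leaf renewal) and keep the root as a backup pin.
    print(android_config("api.example.com", [spki_pin(INTER), spki_pin(ROOT)]))
```

Running the script reports the leaf-only bundle as "trust anchor for certification path not found", which is the Android-side symptom of the incomplete chain the nginx cat command above fixes, and prints a pin-set for the demo domain. Pinning only the leaf's SPKI is the usual cause of a sudden handshake failure after a certificate renewal; the pin-set should carry the intermediate or a backup key as well.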

Android: CertPathValidatorException - TrustAnchor found but certificate validation failed

I am trying to authenticate my Android application over an HTTPS connection to the server.
I am getting the following exception while trying to authenticate. While looking for a solution, there were lots of suggestions about bundling the certificate with the APK, ignoring the certificate validation, etc.
Detailed StackTrace
The problem is, on a few phones and emulators this authentication over HTTPS works perfectly fine, and on my phone as well as on my emulator it doesn't go through. So it looks like it's more of a device issue than a code one.
Has anyone else faced this kind of issue and sorted it out?
The meaning of the error is: the SSL certificate chain (from the server certificate to a trust anchor in the root CA store) has been rebuilt by the application, but the validation of this chain failed for some reason.
In the stack trace the underlying error is java.security.NoSuchProviderException: AndroidOpenSSL. It means that the application tries to instantiate a signature validation object with a cryptographic provider which is not present in the Android system. This error makes me think that it may be an Android version issue.
Can you tell us the target API level used to build your application? And what are the versions of the devices on which the application works and does not work?
