Titanium JIRA Archive
Appcelerator Modules (MOD)

[MOD-2355] appcelerator.https - Invalid certificate accepted if valid certificate was accepted before

GitHub Issue: n/a
Type: Bug
Priority: Critical
Status: Reopened
Resolution: Unresolved
Affected Version/s: n/a
Fix Version/s: n/a
Components: Https
Labels: n/a
Reporter: Manasa Chirumamilla
Assignee: Hans Knöchel
Created: 2017-08-28T06:17:36.000+0000
Updated: 2018-06-22T12:35:03.000+0000

Description

As per the appcelerator document Modules.Https, when an invalid secure certificate is passed through the security manager, an error "Leaf certificate could not be verified with provided public key" is reported. But this is working fine with the first request only. When passing the valid secure certificate for the first URL request and an invalid certificate for the next URL request of the same domain, the error isn't logged. Or if we didn't apply the security manager for the first request and applied the valid security certificate to the next request of the same domain, then also the error isn't logged. Example:
// Module import and the callback handlers referenced below were missing from the snippet and are added here.
var https = require("appcelerator.https");

function firstSuccess(e) { Ti.API.info("first request: onload"); }
function firstfailure(e) { Ti.API.error("first request: onerror - " + e.error); }
function secondSuccess(e) { Ti.API.info("second request: onload"); }
function secondfailure(e) { Ti.API.error("second request: onerror - " + e.error); }

// First request: pinned to the certificate of the domain being requested.
var url1 = "http://www.appcelerator.com/";
var securityManager = https.createX509CertificatePinningSecurityManager([
    {
        url: url1,
        serverCertificate: "appcelerator.com.der",
    }
]);
var httpClient = Ti.Network.createHTTPClient({
    onload: firstSuccess,
    onerror: firstfailure,
    timeout: 5000,
    securityManager: securityManager,
    validatesSecureCertificate: true,
});
httpClient.open("GET", url1);
httpClient.send();

// Second request to the same domain, now pinned to an unrelated certificate.
var url2 = "https://www.appcelerator.com/mobile-app-development-products/";
var securityManager = https.createX509CertificatePinningSecurityManager([
    {
        url: url2,
        serverCertificate: "google.com.der", // Should not work, because it's pinned to a different domain
    }
]);
var httpClient = Ti.Network.createHTTPClient({
    onload: secondSuccess,
    onerror: secondfailure,
    timeout: 5000,
    securityManager: securityManager,
    validatesSecureCertificate: true,
});
httpClient.open("GET", url2);
httpClient.send();
Now in the above example, for the second request the error method should be called because we are passing the google certificate to the security manager. But in the code it is directly calling the success method without reporting any errors.

Comments

  1. Manasa Chirumamilla 2017-08-28

    Hello Appcelerator Team, can you please help us on this issue, which needs to be fixed ASAP.
  2. Hans Knöchel 2017-08-30

    Hey [~Manasa.chirumamilla], I just moved your issue and renamed some details to match your ticket description. We will take a look this week, but I think there was something related before that was caused by Apple / iOS caching the certificate once it's provided. Let me get back to you later! *EDIT*: Your issue does not indicate you are using iOS, but it does indicate that you are using version 2.0.2, which could also be the Android module. Can you confirm this is happening on Android or iOS only?
  3. Manasa Chirumamilla 2017-08-30

    Hello [~Hans Knochel], thank you for your response on this. Version 2.0.2 is working fine for Android, but the issue is with iOS only. However, we need support for lower SDKs (from 3.5.x) in Android because our application uses 3.5.x in Android. If we upgrade now there are some issues, so kindly accept my request and give the support for lower SDKs as well.
  4. Hans Knöchel 2017-09-12

    Hey Manasa, I am sorry, but we cannot offer updates to SDKs that reached end of support. You may instead resolve the issues from 3.x incrementally and move to 6.x, as it also includes major improvements and bugfixes, especially for Android.
  5. Manasa Chirumamilla 2017-09-13

    Hello Hans, thanks for your update on the Android SDKs; we will update our application to the latest SDK in Android. Can you please provide the updated iOS module (appcelerator.https) with the raised bug fixed? That would help a lot.
  6. Manasa Chirumamilla 2017-09-15

    Hello Appcelerator Team, please provide the iOS appcelerator.https module in which the raised bug has been fixed, as we have been waiting for a fix for this and it is a serious security issue in our application.
  7. Hans Knöchel 2017-09-20

    Reopening to investigate, but please do not open duplicate tickets. That will rather result in the opposite reaction. So the latest iOS version did not work? The comment from August 30 does not make sense as you are talking about different iOS and Android versions that seem to be unrelated to this ticket. Please let us know which exact *iOS module version* you are using - the latest is 1.1.4 (your ticket says 2.0.2).
  8. Manasa Chirumamilla 2017-09-21

    Hello Hans, I have checked the iOS module for both versions (1.1.4, 2.0.2); both have the same issue.
  9. Sharif AbuDarda 2018-06-22

    Hello, the example app that comes with the module is having the error "Certificate could not be verified with provided public key". Tested with SDK 7.1.1.GA on both the iOS and Android platforms, with the latest module versions, Android 3.0.0 and iOS 2.3.0. As noted: "The second URL, https://www.wellsfargo.com, is pinned to the public key in the X.509 certificate in the file named wellsfargo.cer. This is configured correctly. Connections to https://www.wellsfargo.com must succeed." But it does not. Clicking on "Load wellsfargo" shows "onerror called : Request failed." The log shows "Certificate could not be verified with provided public key". Thanks.