-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Mobile] SSL certificate hostname not verified when targeting local WebAPI #70434
Comments
Tagging subscribers to this area: @dotnet/ncl Issue DetailsDescriptionTesting MAUI with Visual Studio 17.3 preview, I just want to reach a test endpoint (local dotnet core web api - running in debug). Reproduction Stepsthe code is pretty simple to reproduce, i just created a base MAUI project and replaced the MainPage.xaml.cs content with the following code :
Note that I followed the docs here Expected behaviorset the apiReached bool value to true Actual behaviorI'm stuck with the following exception on the client.GetAsync method : Regression?No response Known WorkaroundsNo response ConfigurationNo response Other informationWhen I set an url value targetting an external public API like "https://httpbin.org/get", it works like a charm. I guess the problem comes from the Android Emulator using 10.0.2.2 to reach localhost, when the base dev-certificate only contain a localhost reference, but the InsecureHandler method should bypass this issue, no ?
|
Tagging subscribers to 'arch-android': @steveisok, @akoeplinger Issue DetailsDescriptionTesting MAUI with Visual Studio 17.3 preview, I just want to reach a test endpoint (local dotnet core web api - running in debug). Reproduction Stepsthe code is pretty simple to reproduce, i just created a base MAUI project and replaced the MainPage.xaml.cs content with the following code :
Note that I followed the docs here Expected behaviorset the apiReached bool value to true Actual behaviorI'm stuck with the following exception on the client.GetAsync method : Regression?No response Known WorkaroundsNo response ConfigurationNo response Other informationWhen I set an url value targetting an external public API like "https://httpbin.org/get", it works like a charm. I guess the problem comes from the Android Emulator using 10.0.2.2 to reach localhost, when the base dev-certificate only contain a localhost reference, but the InsecureHandler method should bypass this issue, no ?
|
I find it strange that it even tries to verify the/a certificate since you are using HTTP and not HTTPS. |
@shaiscytale this happens when there is a mismatch between the hostname (10.0.2.2) and the CN of the certificate (localhost). That check is independent of the server certificate validation. To bypass that validation, you need to extend internal sealed class CustomAndroidMessageHandler : AndroidMessageHandler
{
protected override IHostnameVerifier GetSSLHostnameVerifier(HttpsURLConnection connection)
=> new CustomHostnameVerifier();
private sealed class CustomHostnameVerifier : Java.Lang.Object, IHostnameVerifier
{
public bool Verify(string hostname, ISSLSession session)
=> HttpsURLConnection.DefaultHostnameVerifier.Verify(hostname, session)
|| (hostname == "10.0.2.2" && session.PeerPrincipal.Name == "CN=localhost");
}
} |
@simonrozsival I tried the solution you provided and I get another error "trust anchor for certification path not found". When I debug the solution the verify method in the CustomHostnameVerifier doesn't get called. I've tried finding any solution online and nothing seems to get past the self-signed certificates or the ability to use HTTP / clear text fix. |
I created a little helper class that I started using that works on Android and Windows to connect to "local" SSL: https://gist.github.com/Eilon/49e3c5216abfa3eba81e453d45cba2d4 And here's how you can use it to call from an Android emulator to a Windows-hosted ASP.NET Core app: var devSslHelper = new DevHttpsConnectionHelper(sslPort: 7155);
var http = devSslHelper.HttpClient;
var responseText = await http.GetStringAsync(devSslHelper.DevServerRootUrl + "/someApi"); It seems that to make it work on Android, there are two places in the handler that need to make the SSL checks go through:
|
I started a discussion topic on how to connect from Android emulators to a local ASP.NET Web API running on Windows: dotnet/maui#8131 Please check that out and let us know if you have any feedback on any of the solutions presented. |
I can confirm that this fixed the "Hostname 10.0.2.2 not verified" for .NET Maui Blazor Hybrid for me |
I added some bits to help with setting up DI. LMK what you think. @Eilon https://gist.github.com/EdCharbeneau/ed3d44d8298319c201f276de7a0580f1 |
@EdCharbeneau very nice! |
Description
Testing MAUI with Visual Studio 17.3 preview, I just want to reach a test endpoint (local dotnet core web api - running in debug).
Reproduction Steps
the code is pretty simple to reproduce, i just created a base MAUI project and replaced the MainPage.xaml.cs content with the following code :
Note that I followed the docs here
Expected behavior
set the apiReached bool value to true
Actual behavior
I'm stuck with the following exception on the client.GetAsync method :
Javax.Net.Ssl.SSLPeerUnverifiedException: Hostname 10.0.2.2 not verified
Regression?
No response
Known Workarounds
No response
Configuration
No response
Other information
When I set an url value targetting an external public API like "https://httpbin.org/get", it works like a charm.
I guess the problem comes from the Android Emulator using 10.0.2.2 to reach localhost, when the base dev-certificate only contain a localhost reference, but the InsecureHandler method should bypass this issue, no ?
The text was updated successfully, but these errors were encountered: