Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Impossible to use HTTPS with server on local network (IoT device) that has an intermediate certificate #59948

Open
spkersten opened this issue Jan 21, 2025 · 2 comments
Open

Impossible to use HTTPS with server on local network (IoT device) that has an intermediate certificate #59948

spkersten opened this issue Jan 21, 2025 · 2 comments
Labels
area-vm Use area-vm for VM related issues, including code coverage, and the AOT and JIT backends. library-_http triage-automation See https://github.com/dart-lang/ecosystem/tree/main/pkgs/sdk_triage_bot. type-bug Incorrect behavior (everything from a crash to more subtle misbehavior)

Comments

@spkersten
Copy link
Contributor

spkersten commented Jan 21, 2025
edited
Loading

We want to connect to our IoT device that is on the local network with HTTPS. It has a leaf certificate and an intermediate certificate. The latter is signed by our root certificate. The CN of the leaf is the id of the device. Dart's HttpClient with the root set via SecurityContext.setTrustedCertificatesBytes cannot connect to the device, as the hostname we connect to (an IP) does not match the CN (the device's id). We have not control over the hostname on a local network, but HttpClient doesn't seem to offer a way to customise checking of the common name.

Using HttpClient.badCertificateCallback doesn't work either as it is only called with the intermediate certificate.

Related issues:
#49088
#39425

Sample code below. It can use used with a server on the local network using the attached certificates and key.

Actual

With the badCertificateCallback commented out, the request fails (as it should). With the callback, the output will show it is called with the intermediate certificate.

Expected

Either the intermediate certificate should be checked by Dart and the callback called with the leaf certificate (or perhaps the whole chain).

Or there should be some mechanism to modify checking of the common name.

cert-chain-and-key.zip

import 'dart:convert';
import 'dart:io';
import 'dart:typed_data';

void main() async {
  const rootPem = r"""-----BEGIN CERTIFICATE-----
MIIC+zCCAeOgAwIBAgIBATANBgkqhkiG9w0BAQsFADAYMRYwFAYDVQQDDA1yb290
YXV0aG9yaXR5MB4XDTE1MTAyNzEwMjYzNFoXDTI1MTAyNDEwMjYzNFowGDEWMBQG
A1UEAwwNcm9vdGF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAMl+dcraUM/E7E6zl7+7hK9oUJYXJLnfiMtP/TRFVbH4+2aEN8vXzPbzKdR3
FfaHczXQTwnTCaYA4u4uSDvSOsFFEfxEwYORsdKmQEM8nGpVX2NVvKsMcGIhh8kh
ZwJfkMIOcAxmGIHGdMhF8VghonJ8uGiuqktxdfpARq0g3fqIjDHsF9/LpfshUfk9
wsRyTF0yr90U/dsfnE+u8l7GvVl8j2Zegp0sagAGtLaNv7tP17AibqEGg2yDBrBN
9r9ihe4CqMjx+Q2kQ2S9Gz2V2ReO/n6vm2VQxsPRB/lV/9jh7cUcS0/9mggLYrDy
cq1v7rLLQrWuxMz1E3gOhyCYJ38CAwEAAaNQME4wHQYDVR0OBBYEFHEPkNAdOa2k
MUoM6Ix/kUCLq99vMB8GA1UdIwQYMBaAFHEPkNAdOa2kMUoM6Ix/kUCLq99vMAwG
A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBABrhjnWC6b+z9Kw73C/niOwo
9sPdufjS6tb0sCwDjt3mjvE4NdNWt+/+ZOugW6dqtvqhtqZM1q0u9pJkNwIrqgFD
ZHcfNaf31G6Z2YE+Io7woTVw6fFobg/EFo+a/qwbvWL26McmiRL5yiSBjVjpX4a5
kdZ+aPQUCBaLrTWwlCDqzSVIULWUQvveRWbToMFKPNID58NtEpymAx3Pgir7YjV9
UnlU2l5vZrh1PTCqZxvC/IdRESUfW80LdHaeyizRUP+6vKxGgSz2MRuYINjbd6GO
hGiCpWlwziW2xLV1l2qSRLko2kIafLZP18N0ThM9zKbU5ps9NgFOf//wqSGtLaE=
-----END CERTIFICATE-----""";

  final context = SecurityContext();

  context.setTrustedCertificatesBytes(ascii.encode(rootPem));

  final http = HttpClient(context: context);
  // http.badCertificateCallback = (cert, host, port) {
  //   print("Issuer: ${cert.issuer}");
  //   print("subject: ${cert.subject}");
  //   print(cert.pem);
  //   return true;
  // };

  final request = await http.getUrl(Uri(host: "192.168.0.71", path: "/", scheme: "https"));
  final response = await request.close();

  print(await response.transform(utf8.decoder).join());
}
@dart-github-bot
Copy link
Collaborator

Summary: Dart's HttpClient fails to connect to an IoT device using HTTPS with an intermediate certificate because the hostname (IP) doesn't match the leaf certificate's Common Name. The badCertificateCallback doesn't solve this.

@dart-github-bot dart-github-bot added area-vm Use area-vm for VM related issues, including code coverage, and the AOT and JIT backends. triage-automation See https://github.com/dart-lang/ecosystem/tree/main/pkgs/sdk_triage_bot. type-bug Incorrect behavior (everything from a crash to more subtle misbehavior) labels Jan 21, 2025
@mraleph
Copy link
Member

mraleph commented Jan 22, 2025

cc @brianquinlan

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area-vm Use area-vm for VM related issues, including code coverage, and the AOT and JIT backends. library-_http triage-automation See https://github.com/dart-lang/ecosystem/tree/main/pkgs/sdk_triage_bot. type-bug Incorrect behavior (everything from a crash to more subtle misbehavior)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@mraleph @devoncarew @spkersten @dart-github-bot