Opened 5 years ago

Closed 3 years ago

#232 closed enhancement (fixed)

Loose SSL Handling

Reported by: jb6262
Owned by: frsh
Priority: major
Milestone: 2.8
Component: Add Blog/Site
Version: 2.8
Keywords:
Cc: vbonline, koke, tpepper, daniloercoli, vernons

Description

“It would be a nice feature for the application to have a setting to accept and remember self-signed SSL certs.
I’m putting in for next release (1.5) but feel free to change if necessary…

===
When adding a new blog if the user enters https:// or http:// in the blog URL I suspect the app is either stripping it out or just ignoring it. For http:// that isn’t a problem, but it should notice if it is https:// and only do SSL requests for the needed info.
===

Attachments (1)

IMG_0843.PNG (121.9 KB) - added by davidolrik 5 years ago.


Change History (25)


comment:1 Changed 5 years ago by davidolrik

  • Priority changed from minor to blocker
  • Version set to 2.0

In version 2.0 it is not possible to add a self-hosted blog with a self-signed SSL certificate. This renders the application useless for everyone who has a self-signed certificate.

Is it possible that this could be bumped to the 2.0.1 release?

comment:2 Changed 5 years ago by alexkingorg

This sounds like the situation I ran into as well:

http://iphone.forums.wordpress.org/topic/unable-to-find-xml-rpc-endpoint-self-signed-ssl-cert-wp-login-protected-site#post-1406

Perhaps an "advanced" setting to let us enter the exact XML-RPC endpoint URL would be a good work-around for this and other edge-case issues?

comment:3 Changed 5 years ago by iammattthomas

  • Milestone changed from Next Release to 2.1
  • Priority changed from blocker to major

The scope of 2.0.1 will be way smaller than this, but it could be a good candidate for 2.1. Tentatively setting the milestone for 2.1 but this will be dependent on what it entails.

comment:4 Changed 5 years ago by jeffstieler

It looks like there are a couple of ways of solving this:

The easiest, but most risky is using the undocumented/private setAllowsAnyHTTPSCertificate:forHost: method of NSURLRequest, which could be overridden to either return YES (and allow any self-signed cert) or check the host against a whitelist, which the user could enter.

Not as easy but not terribly difficult would be to use ASIHTTPRequest which has a setValidatesSecureCertificate: method.

If not using the two options listed, I believe you enter into the realm of CoreServices (CFHTTPMessageCreateRequest, etc.).

comment:5 Changed 5 years ago by jb6262

Hey Jeff - sounds like you've been thinking this one over... Would you like to take a shot at it?

comment:6 Changed 5 years ago by jeffstieler

Looking more into this, it seems that to do it the 'right' way (and likely use ASIHTTPRequest) will require a lot of work, and should probably be considered for its own release.

Also, this would likely require redesign of the Add/Edit Blog screen - potentially adding the 'Advanced' settings menu option to hide things like these behind.

If there were plans to retool the network code in whatever release is focused on increasing performance, perhaps this item would be a good fit for that.

comment:7 Changed 5 years ago by iammattthomas

  • Milestone changed from 2.2 to Future Release

Thanks Jeff. I think we'll hold this until the next release, so we can get the new Comments stuff out faster.

comment:8 Changed 4 years ago by vbonline

  • Cc vbonline added

I ran into this bug and saw it is tracked here. Some remarks:

1.) Fixing the fact that the application is not able to handle self-signed certificates properly is not an enhancement request, this is a bug!

2.) Having this open for eight months is a shame! To have it open since version 1.5 and not having this fixed in 2.4 even more so...

3.) Even if it needs a major redesign to fix this properly, you should come up with a fix in the meantime. Whitelisting a host as mentioned before by jeffstieler would be a workaround.

comment:9 Changed 4 years ago by koke

  • Cc koke added

I'd like to give it a try. Is someone already working on this?

comment:10 Changed 4 years ago by frsh

  • Milestone changed from Future Release to Bugfix Sprint
  • Owner set to frsh
  • Status changed from new to accepted
  • Type changed from enhancement to defect
  • Version changed from 2.0 to 2.6

comment:11 Changed 4 years ago by frsh

  • Milestone changed from Bugfix Sprint to Future Release
  • Version changed from 2.6 to 2.7

comment:12 Changed 4 years ago by frsh

  • Milestone changed from Future Release to Next Release
  • Priority changed from major to blocker

comment:13 Changed 4 years ago by frsh

  • Summary changed from SSL Handling by app to Loose SSL Handling

comment:14 Changed 4 years ago by frsh

  • Priority changed from blocker to major

comment:15 Changed 4 years ago by tpepper

  • Cc tpepper added

Any update? Is this being actively worked for 2.7 since it appears to be bumped from 2.6?

The Android WordPress app folks appear to have fixed this already...
http://android.forums.wordpress.org/topic/https-with-self-signed-certificate-does-not-work

comment:16 Changed 4 years ago by frsh

  • Type changed from defect to enhancement

comment:17 Changed 4 years ago by frsh

  • Version changed from 2.7 to 2.8

comment:18 Changed 4 years ago by frsh

  • Milestone changed from Next Release to 2.8

comment:19 Changed 4 years ago by daniloercoli

  • Cc daniloercoli added

I've done some tests and it seems that adding the following code:

@implementation NSURLRequest(AllowAllCerts)

+ (BOOL)allowsAnyHTTPSCertificateForHost:(NSString *)host {
    return YES;
}

@end

to the XMLRPCConnection implementation file will allow certificates from any host.

Overriding the allowsAnyHTTPSCertificateForHost: method is likely to cause AppStore to reject the application due to the use of a private API.

Switching to the ASIHTTPRequest lib doesn't require a lot of work (supposing we change the XMLRPC layer code only), but requires a lot of testing, since that small change introduces a completely new connection layer.
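
For contrast with the allow-all category in comment 19 and the per-host whitelist idea in comment 4, here is an added example (not code from this ticket or from the WordPress for iOS project) that accepts a self-signed certificate only for hosts the user has approved, and only while the certificate stays the same, using public APIs. It uses NSURLSession, which is newer than the app versions discussed here. The class name `PinnedHostDelegate` and the `pinnedLeafHashes` store are assumptions made for illustration.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <CommonCrypto/CommonDigest.h>

// Hypothetical delegate: per-host "accept and remember" for self-signed certs.
@interface PinnedHostDelegate : NSObject <NSURLSessionDelegate>
// host -> SHA-256 of the DER-encoded leaf certificate the user accepted.
// How this map is persisted (e.g. Keychain) is left out; it is an assumed store.
@property (nonatomic, strong) NSDictionary<NSString *, NSData *> *pinnedLeafHashes;
@end

@implementation PinnedHostDelegate

// SHA-256 over the leaf certificate presented by the server.
// SecTrustGetCertificateAtIndex is deprecated on recent SDKs in favour of
// SecTrustCopyCertificateChain, but is available on all of them.
static NSData *SHA256OfLeaf(SecTrustRef trust) {
    if (trust == NULL || SecTrustGetCertificateCount(trust) == 0) return nil;
    SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
    NSData *der = CFBridgingRelease(SecCertificateCopyData(leaf));
    unsigned char digest[CC_SHA256_DIGEST_LENGTH];
    CC_SHA256(der.bytes, (CC_LONG)der.length, digest);
    return [NSData dataWithBytes:digest length:sizeof(digest)];
}

- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition,
                             NSURLCredential *))completionHandler {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    NSData *pinned = self.pinnedLeafHashes[space.host];
    BOOL isServerTrust = [space.authenticationMethod
                          isEqualToString:NSURLAuthenticationMethodServerTrust];
    if (!isServerTrust || pinned == nil) {
        // Not a TLS trust decision, or host never approved: keep normal system
        // validation, so an unknown self-signed certificate still fails.
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }
    NSData *presented = SHA256OfLeaf(space.serverTrust);
    if (presented != nil && [presented isEqualToData:pinned]) {
        // Same certificate the user approved for this host: accept it.
        completionHandler(NSURLSessionAuthChallengeUseCredential,
                          [NSURLCredential credentialForTrust:space.serverTrust]);
    } else {
        // Certificate changed since approval: refuse rather than re-trust silently.
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
    }
}

@end
```

Unlike returning YES for every host, this leaves validation untouched for all other hosts and fails closed when an approved host presents a different certificate.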

comment:20 Changed 4 years ago by frsh

I have some ideas on how to implement this without adding any libraries or using private calls. I'll try some things this week. We're close on this one.

comment:21 Changed 4 years ago by JoostBaksteen

A workaround for this is installing the certificate in your iPhone.

If you e-mail the certificate, or open it in Safari, you can install it.

After installing the certificate it is trusted and you won't have any problems connecting to the site.

comment:22 Changed 4 years ago by vernons

  • Cc vernons added

+1 for getting this implemented.

comment:23 Changed 3 years ago by technimad

Thanks to the accepted patch in #635 it is now possible to add a blog with a self-signed certificate.

Not a complete fix, but giant journeys are best to be taken by small steps.

comment:24 Changed 3 years ago by koke

  • Resolution set to fixed
  • Status changed from accepted to closed

This should be working since 2.7
