
Comments (6)

dreautall commented on June 3, 2024

For the custom certificate, you need to paste the actual client certificate, not the CA one (of course if the client certificate rotates frequently, that's annoying). If that doesn't work please let me know!

Nonetheless, the request is valid and I'll have to check how to make flutter do it!

from waterfly-iii.

dreautall commented on June 3, 2024

Looks like this is currently not properly supported by dart itself, see dart-lang/sdk#50435

For now I hesitate to use https://pub.dev/packages/cronet_http_embedded due to the experimental status. Hope it will get properly integrated into dart/flutter soon.

from waterfly-iii.

modarken commented on June 3, 2024

Hello, I tried to enter my PEM multiple ways. My setup is 1. Root CA 2. Intermediate CA and 3. Endpoint Certificate for my firefly webserver. (traefik). It's not clear to me what to insert as the certificate on the android app. Is it the public key of the (3. Endpoint Certificate)? I tried chaining the PEM certs together (1. 2. and 3.)

On a side note. It would be nice to be able to set the certificate (private+public key) for the android app waterfly. This is so that the server would check the cert and verify the client is an authorized device. I don't want to allow any connections to my server that aren't authorized with my cert. Traefik web proxy allows for client authentication.

from waterfly-iii.

dreautall commented on June 3, 2024

Hi, you need to use the actual server certificate.

Using a client certificate has been requested in #75. Please note that those tickets don't have the highest priority for me (though I'm always happy if someone wants to help out!) as even the Firefly dev mentioned multiple times that the API endpoint (/api/) doesn't need to be protected - you can't do anything without API key there.

from waterfly-iii.
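For the "which PEM do I paste" question in the exchange above, the entry to use is the one that is byte-identical to the certificate the server actually presents. The following is an added example, not Waterfly III code: it splits a pasted PEM bundle and finds that entry by SHA-256 over the DER bytes. All function names are hypothetical, and the sample "certificates" are constructed placeholder bytes in a PEM envelope, not real X.509.

```python
import base64
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def split_bundle(text):
    """Return [(label, der_bytes)] for every PEM block in the pasted text."""
    return [(label, base64.b64decode("".join(body.split())))
            for label, body in PEM_BLOCK.findall(text)]

def fingerprint(der):
    """SHA-256 fingerprint of the DER encoding, as hex."""
    return hashlib.sha256(der).hexdigest()

def pick_server_cert(bundle_text, presented_der):
    """Index of the bundle certificate equal to the one the server presents.

    Raises ValueError if the paste carries key material or nothing matches.
    """
    blocks = split_bundle(bundle_text)
    if any("PRIVATE KEY" in label for label, _ in blocks):
        raise ValueError("paste contains a private key; supply certificates only")
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    want = fingerprint(presented_der)
    for i, der in enumerate(certs):
        if fingerprint(der) == want:
            return i
    raise ValueError("no certificate in the paste matches the server's leaf")

def presented_leaf_der(host, port=443):
    """Fetch the leaf the server presents; no trust decision is made here."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))

def _fake_pem(payload):
    # Constructed stand-in: arbitrary bytes in a PEM envelope, NOT a real cert.
    b64 = base64.encodebytes(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"

# Constructed sample mirroring the 1. root / 2. intermediate / 3. endpoint setup.
ROOT, INTERMEDIATE, LEAF = b"root-ca-der", b"intermediate-ca-der", b"endpoint-der"
SAMPLE_BUNDLE = _fake_pem(ROOT) + _fake_pem(INTERMEDIATE) + _fake_pem(LEAF)

if __name__ == "__main__":
    idx = pick_server_cert(SAMPLE_BUNDLE, LEAF)
    print(f"paste entry #{idx + 1} (sha256 {fingerprint(LEAF)[:16]}...)")
```

Against a real server, pass `presented_leaf_der("your.host")` as the second argument and compare the printed fingerprint with one obtained out of band before trusting the result.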

dreautall commented on June 3, 2024

I implemented this feature by using the cronet http library in v1.0.3, but forgot a crucial setting to actually allow user CA certificates. I could reimplement this feature now properly for the next version.

However, I also now found a post by the author of the cronet implementation in Dart saying that custom SSL certificates will never work.

So now it can be either or - allow custom server certificates to be pasted in the app (like right now), or you need to upload it into the android system. As far as I understood it, only CA certificates can be uploaded into the android certificate storage (whereas right now you need to paste the server certificate), and not sure if everyone using custom certificates would know how to do that.

Any opinions here? Any good guide I could point users to when they are asking? I guess it depends a ton on their individual setup of reverse proxy etc..

from waterfly-iii.

j1mbl3s commented on June 3, 2024

@dreautall I think that using the local trust store with a vetted verification process is ideal. It more closely follows best practices for a custom PKI - or any PKI in general.
I don't think that handling the intricacies of SSL should be Waterfly III's problem to solve.

In regards to guides for installing a CA on the device, it kind of depends on the OS/UI that is installed for each device. There's not really a "one size fits all" guide to it and it's more of a "RTFM" situation.
Generally, the advice is to first download the root CA certificate (or the self-signed server certificate) as a .pem file, then either:

  • Navigate to it in the device file browser and tap/click to open it. Proceed through the dialogs to install it as a CA.
  • Go to the device settings and navigate to (something like): Security and privacy > More security settings > Credential storage > Install from device storage. Proceed through the dialogs to install it as a CA.

from waterfly-iii.
