In a localhost environment how to set DatasyncClient to bypass SSL validation

[ideas2appsaustralia]

During development of a MAUI app using DatasyncClient I need to hit controllers on a WebAPI on localhost. I am getting an error "java.security.cert.CertPathValidatorException: Trust anchor for certification path not found". This error seems to be well covered on stackoverflow. To test the solution I create a new HttpClient and set handler in a HtpMessageHandler an AndroidMessageHandlers ServerCertificateCustomValidationCallback = (httpRequestMessage, certificate, chain, sslPolicyErrors) => certificate?.Issuer == "CN=localhost" || sslPolicyErrors == SslPolicyErrors.None

This works and I can hit the WebAPI controller and return data.

I have tried to do a similar thing for DatasyncClient via a DelegatingHandler and have not been successful in avoiding the above java.security.cert.CertPathValidatorException error.

This is the code I have tried. I suspect that I am not correctly setting the ServerCertificateCustomValidationCallback on Datasynclient. Any suggestions would be greatly appreciated.

public OfflineService(IAuthenticationService authenticationService, IDialogService dialogService, IPlatformHttpMessageHandler androidMessageHandler)
{
    this.authenticationService = authenticationService;
    this.dialogService = dialogService;
    this.androidMessageHandler = androidMessageHandler;
}

var options = new DatasyncClientOptions
{
    HttpPipeline = new DelegatingHandler[]
    {
	new UserApiAuthenticationHandler(authenticationService),
	new TurnOffSSLHandler(androidMessageHandler),
        new LoggingHandler()
    },
    OfflineStore = store
};

// Initialize the client.
client = new DatasyncClient(Constants.BackendUrl, options);

public class TurnOffSSLHandler : DelegatingHandler
{

    public TurnOffSSLHandler(IPlatformHttpMessageHandler platformHttpMessageHandler)
    {
        InnerHandler = platformHttpMessageHandler.GetHttpMessageHandler();
    }

    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {

        // Delegate the call to the inner handler
        return await base.SendAsync(request, cancellationToken);
    }
}

public class AndroidHttpMessageHandler : IPlatformHttpMessageHandler
{
    public HttpMessageHandler GetHttpMessageHandler() =>
        new AndroidMessageHandler
        {
            ServerCertificateCustomValidationCallback = (httpRequestMessage, certificate, chain, sslPolicyErrors) => certificate?.Issuer == "CN=localhost" || sslPolicyErrors == SslPolicyErrors.None
        };

}

[Arslan007]

I am setting like this in MAUI for my iOS app and it works

new DatasyncClientOptions
        {
            OfflineStore = provider.GetService<OfflineSQLiteStore>(),
            HttpPipeline = new HttpMessageHandler[]
            {
                new LoggingHttpMessageHandler(provider.GetService<ILogger<HttpClient>>()),
#if DEBUG && IOS
                new NSUrlSessionHandler
                {
                    TrustOverrideForUrl = AllowSelfSignedCertOnLocal
                }
#endif
            },
            TableEndpointResolver = (table) =>
            {
                // Set Your URI
            },
            ParallelOperations = DatasyncClientOptions.MAX_PARALLEL_OPERATIONS,
        };

[Arslan007]

You can do something like this for platform specific checks and set the httppipeline in DataSyncClientOptions
I havent tested this code but in principle it should work

        public HttpMessageHandler GetPlatformMessageHandler()
        {
#if ANDROID
            var handler = new CustomAndroidMessageHandler();
            handler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) =>
            {
                if (cert != null && cert.Issuer.Equals("CN=localhost"))
                    return true;
                return errors == System.Net.Security.SslPolicyErrors.None;
            };
            return handler;
#elif IOS
            var handler = new NSUrlSessionHandler
            {
                TrustOverrideForUrl = IsHttpsApiUrl
            };
            return handler;
#else
     throw new PlatformNotSupportedException("Only Android and iOS supported.");
#endif
        }

#if ANDROID
        internal sealed class CustomAndroidMessageHandler : Xamarin.Android.Net.AndroidMessageHandler
        {
            protected override Javax.Net.Ssl.IHostnameVerifier GetSSLHostnameVerifier(Javax.Net.Ssl.HttpsURLConnection connection)
                => new CustomHostnameVerifier();

            private sealed class CustomHostnameVerifier : Java.Lang.Object, Javax.Net.Ssl.IHostnameVerifier
            {
                public bool Verify(string hostname, Javax.Net.Ssl.ISSLSession session)
                {
                    return Javax.Net.Ssl.HttpsURLConnection.DefaultHostnameVerifier.Verify(hostname, session) ||
                        hostname == "10.0.2.2" && session.PeerPrincipal?.Name == "CN=localhost";
                }
            }
        }
#elif IOS

        public bool IsHttpsApiUrl(object sender, string url, object trust)
        {
            if (url.StartsWith(apiUrl))
                return true;
            return false;
        }

#endif

[ideas2appsaustralia]

Hi @Arslan007 thanks for your response. I have incorporated your suggestion into my code which is below. I now get a HTTP 400 Bad Request. I cannot find errors in my url though. I will keep trying things with the url, but I am still not sure whether I have set the ServerCertificateCustomValidationCallback because when I look into the HttpPipeline using a breakpoint I see that in the TurnOffSSLHandler class InnerHandler the ServerCertificateCustomValidationCallback field is "null".

Should it be null or should it either be set to "true" or contain the code to bypass?

Here is a png of it.

Well below is my code Im using. Ive only shown for Android. I use an interface so I can place the platform specific code you gave me in the platform folders.

Can you see if it should work and set ServerCertificateCustomValidationCallback correctly?

public class OfflineService : IOfflineService
{
private readonly IPlatformHttpMessageHandler platformHttpMessageHandler;

public OfflineService(IAuthenticationService authenticationService, IDialogService dialogService, IPlatformHttpMessageHandler platformHttpMessageHandler)
{
    this.authenticationService = authenticationService;
    this.dialogService = dialogService;
    this.platformHttpMessageHandler = platformHttpMessageHandler;
}

.....

var options = new DatasyncClientOptions
{
    HttpPipeline = new DelegatingHandler[]
    {
	new UserApiAuthenticationHandler(authenticationService),
	new TurnOffSSLHandler(platformHttpMessageHandler),
        new LoggingHandler()
    },
    OfflineStore = store
};

// Initialize the client.
client = new DatasyncClient(Constants.BackendUrl, options);

.....

}

public class TurnOffSSLHandler : DelegatingHandler
{
    private readonly IPlatformHttpMessageHandler platformHttpMessageHandler;

    public TurnOffSSLHandler(IPlatformHttpMessageHandler platformHttpMessageHandler)
    {
        this.platformHttpMessageHandler = platformHttpMessageHandler;
    }

    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        InnerHandler = platformHttpMessageHandler.SetHttpMessageHandler();
        // Delegate the call to the inner handler
        return await base.SendAsync(request, cancellationToken);
    }
}

public interface IPlatformHttpMessageHandler
{
    HttpMessageHandler SetHttpMessageHandler();
}

public class AndroidHttpMessageHandler : IPlatformHttpMessageHandler
{
    public HttpMessageHandler SetHttpMessageHandler()
    {
        var handler = new CustomAndroidMessageHandler();
        handler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) =>
        {
            if (cert != null && cert.Issuer.Equals("CN=localhost"))
                return true;
            return errors == SslPolicyErrors.None;
        };
        return handler;
    }

    internal sealed class CustomAndroidMessageHandler : AndroidMessageHandler
    {
        protected override Javax.Net.Ssl.IHostnameVerifier GetSSLHostnameVerifier(Javax.Net.Ssl.HttpsURLConnection connection)
            => new CustomHostnameVerifier();

        private sealed class CustomHostnameVerifier : Java.Lang.Object, Javax.Net.Ssl.IHostnameVerifier
        {
            public bool Verify(string hostname, Javax.Net.Ssl.ISSLSession session)
            {
                return Javax.Net.Ssl.HttpsURLConnection.DefaultHostnameVerifier.Verify(hostname, session) ||
                    hostname == "10.0.2.2" && session.PeerPrincipal?.Name == "CN=localhost";
            }
        }
    }
}

[adrianhall]

You need to create a new HttpClientHandler that automatically sets the ServerCertificateCustomValidationCallback to always return true.

Then pass that into the DatasyncClientOptions as the last thing in the HttpPipeline.

[ideas2appsaustralia]

@adrianhall ,I have worked off a HttpClientHandler and put it in last place in pipeline. I can now see the Func<> code in the ServerCertificateCustomValidationCallback value in the offlinetable object.

I am now longer get "java.security.cert.CertPathValidatorException: Trust anchor for certification path not found". errors.

I am not back to the http 400 bad request hostname is invalid error.

@adrianhall where can I see the path of my uri that datasync offlineTable.PullItemsAsync("",options) will use to request to APIs controller?

In offlineTable the Endpoint is https://10.0.2.2:44388/

the API controller has [Route("tables/[controller]")] and Controller name is "MobileBillController" and just [HttpPost]

The RequestHeader I get back has RequestUri has AsbolutePath="/" and absoluteUri = "https://10.0.2.2:44388/" .

I thought I'd see "https://10.0.2.2:44388/tables/mobilebill" somewhere?

[adrianhall]

Two methods you can use for this.

1. Client side - add a LoggingHandler that prints out the request/response objects. Put it right before the client handler in the pipeline. There is an example of this in the documentation.

2. Server side - add a Logging middleware to your ASP.NET Core application to see what it is receiving. This Stack Overflow answer: https://stackoverflow.com/questions/45479094/how-to-auto-log-every-request-in-net-core-webapi shows the basics.

[ideas2appsaustralia]

@adrianhall and @Arslan007 thanks for the help. I had some lines of code that was resetting my uri in one of the delegatinghandlers

thanks for the helpon servercertificatevalidation

[richard-einfinity]

Not sure if this is allowed but we use ngrok which avoids additional code to handle this scenario in the mobile app. It also gives you a local portal to inspect the requests being sent back and forth. I'm not affiliated to ngrok, I just found it really handy in this scenario. I appreciate it might not be possible in some dev environments.

[adrianhall]

tunnels (and ngrok) are super useful in client-server mobile development - highly recommend. However, they come with their own security concerns, so may not be for everyone.

[henda79]

ngrok used to work well for me but recently its giving SSL errors itself so I've started using MS tunnels.

ngrok gives a NET::ERR_CERT_AUTHORITY_INVALID in browser.