HttpClient should honor user-installed certificates on Android

[brianquinlan]

See #48056 for context.

[brianquinlan]

I've been experimenting with moving Flutter to use package:http.

That would allow the user to use package:cronet_http, which does honor user-installed certificates.

There are two other approaches that I can think of to solve this:

1. use JNI to ask the OS to resolve the certificate
2. make certificate resolution the responsibility of the embedder (i.e. Flutter)

[berdroid]

That would allow the user to use package:cronet_http, which does honor user-installed certificates.

I think this will be problematic for people using Dart/Flutter on an embedded Android platform, that typically does not support Google Play Serives.

There are two other approaches that I can think of to solve this:

1. use JNI to ask the OS to resolve the certificate
2. make certificate resolution the responsibility of the embedder (i.e. Flutter)

Option 2 seems to be preferable as it opens up solutions for other platforms/emebedders.

[brianquinlan]

I started a discussing on this in the hackers-framework-🔩 Discussion. So far the feedback is that depending on package:http seems like a bad idea.

[brianquinlan]

It looks like there is only one common use case in Flutter where dart:io HttpClient is used: image display through Image.network.

It is very easy to replace this with package:cached_network_image, which uses package:http and can, therefore, be configured to use a native http client.

[brianquinlan]

I've updated the examples in cupertino_http and cronet_http to use package:cached_network_image.

At this point it should be possible to use those packages to with user-installed certificates.

[brianquinlan]

I wrote a design doc suggesting that we recommend package:http as an HTTP client. Feedback welcome!

[brianquinlan]

I presented this at the Dash forum. It's basically asking for feedback for the design doc. There seemed to be consensus so I'm moving forward on it.

[brianquinlan]

There is still work to do in terms of documentation but think that we already have a solution in place.

[r3a1d3a1]

This is also important in case of old Android versions not getting updated CA roots.
A savvy user could add newer roots manually, but flutter apps still wouldn't work.
Any timeline of when this will be completed?

[Kampe]

Would like to know if this is in the roadmap at all?

[dwarf-king-hreidmar]

Is there a bounty I can pay to get this feature? There are a few downstream apps that use your libraries and I'm running them completely offline. I don't want my passwords floating around on my wifi and I don't want to be exposed to man-in-the middle attacks because I have to turn off ssl verification on my apps. Why can't I trust my own installed CAs just like the device does? Happy to donate 100 bucks just point me where I can donate.

[spacekitteh]

There is still work to do in terms of documentation but think that we already have a solution in place.

@brianquinlan Is there any progress on this?

[dasRicardo]

Any progress?

[brianquinlan]

@spacekitteh @dasRicardo

I think that using package:cronet_http will solve your issue. Could you please try that?