immich/mobile/lib/utils/http_ssl_cert_override.dart

import 'dart:io';

import 'package:logging/logging.dart';

class HttpSSLCertOverride extends HttpOverrides {
  static final Logger _log = Logger("HttpSSLCertOverride");
  final bool _allowSelfSignedSSLCert;
  final String? _serverHost;

  HttpSSLCertOverride(this._allowSelfSignedSSLCert, this._serverHost);

  @override
  HttpClient createHttpClient(SecurityContext? context) {
    // Use system trust store with trusted roots if no client certificate is provided
    context = SecurityContext(withTrustedRoots: true);

    return super.createHttpClient(context)
      ..badCertificateCallback = (X509Certificate cert, String host, int port) {
        if (_allowSelfSignedSSLCert) {
          // Conduct server host checks if user is logged in to avoid making
          // insecure SSL connections to services that are not the immich server.
          if (_serverHost == null || _serverHost.contains(host)) {
            return true;
          }
        }
        _log.severe("Invalid SSL certificate for $host:$port");
        return false;
      };
  }
}
feat(mobile): allow self-signed certificate on the mobile app (#4051) * WIP: self-signed certs accept * WIP: format * WIP: pushing up adding settings menu * Add serverEndpointURL check * Add translation update * Handle errors properly * format * typo * cleanup * styling and permission * remove deadcode * put pack condition * styling * remove hiding settings options * format + match drop shadow * match color * remove deadcode --------- Co-authored-by: Alex <alex.tran1502@gmail.com> 2023-09-12 10:51:43 -04:00			`import 'dart:io';`
refactor(mobile): move store settings and store into domain folder (#16201) Co-authored-by: shenlong-tanwen <139912620+shalong-tanwen@users.noreply.github.com> 2025-02-20 00:57:32 +05:30
feat(mobile): allow self-signed certificate on the mobile app (#4051) * WIP: self-signed certs accept * WIP: format * WIP: pushing up adding settings menu * Add serverEndpointURL check * Add translation update * Handle errors properly * format * typo * cleanup * styling and permission * remove deadcode * put pack condition * styling * remove hiding settings options * format + match drop shadow * match color * remove deadcode --------- Co-authored-by: Alex <alex.tran1502@gmail.com> 2023-09-12 10:51:43 -04:00			`import 'package:logging/logging.dart';`

			`class HttpSSLCertOverride extends HttpOverrides {`
feat(mobile): Adding setting in mobile app to TLS client certificate (#10860) * feat(mobile): Adding setting in mobile app to import TLS client certificate and private key * Formating dart source code to pass dart format test * Adding missed required trailing commas to pass dart static analysis * update lock file * variable names --------- Co-authored-by: Yun Jiang <yjiang@roku.com> Co-authored-by: Alex Tran <alex.tran1502@gmail.com> 2024-07-26 14:59:02 +01:00			`static final Logger _log = Logger("HttpSSLCertOverride");`
fix(mobile): Remote video playback and asset download on Android with mTLS (#16403) * Add class to apply SSL options * Apply client certificate for native Android code * Refactor self-signed check * Allow self-signed certificates * Fix Dart analysis * Add HostnameVerifier Android explicitly does NOT check the Common Name of a certificate, only the Subject Alt Names. Chances are that someone who self-signs a certificate doesn't go through the extra steps to add a SAN, and in that case the connection would be prevented by the HostnameVerifier even thought the TrustManager was fine with the certificate itself. * Rename parameter like in Dart * Fix NPE * Catch all native errors in HttpSSLOptionsPlugin * Workaround for too early onChanged() callback * Fix formatting --------- Co-authored-by: Alex <alex.tran1502@gmail.com> 2025-05-08 15:45:11 +02:00			`final bool _allowSelfSignedSSLCert;`
			`final String? _serverHost;`
feat(mobile): Adding setting in mobile app to TLS client certificate (#10860) * feat(mobile): Adding setting in mobile app to import TLS client certificate and private key * Formating dart source code to pass dart format test * Adding missed required trailing commas to pass dart static analysis * update lock file * variable names --------- Co-authored-by: Yun Jiang <yjiang@roku.com> Co-authored-by: Alex Tran <alex.tran1502@gmail.com> 2024-07-26 14:59:02 +01:00
feat: use OkHttp and fix mTLS (#15230) 2025-10-08 13:55:04 +02:00			`HttpSSLCertOverride(this._allowSelfSignedSSLCert, this._serverHost);`
feat(mobile): Adding setting in mobile app to TLS client certificate (#10860) * feat(mobile): Adding setting in mobile app to import TLS client certificate and private key * Formating dart source code to pass dart format test * Adding missed required trailing commas to pass dart static analysis * update lock file * variable names --------- Co-authored-by: Yun Jiang <yjiang@roku.com> Co-authored-by: Alex Tran <alex.tran1502@gmail.com> 2024-07-26 14:59:02 +01:00
feat(mobile): allow self-signed certificate on the mobile app (#4051) * WIP: self-signed certs accept * WIP: format * WIP: pushing up adding settings menu * Add serverEndpointURL check * Add translation update * Handle errors properly * format * typo * cleanup * styling and permission * remove deadcode * put pack condition * styling * remove hiding settings options * format + match drop shadow * match color * remove deadcode --------- Co-authored-by: Alex <alex.tran1502@gmail.com> 2023-09-12 10:51:43 -04:00			`@override`
			`HttpClient createHttpClient(SecurityContext? context) {`
feat: use OkHttp and fix mTLS (#15230) 2025-10-08 13:55:04 +02:00			`// Use system trust store with trusted roots if no client certificate is provided`
			`context = SecurityContext(withTrustedRoots: true);`
feat(mobile): Adding setting in mobile app to TLS client certificate (#10860) * feat(mobile): Adding setting in mobile app to import TLS client certificate and private key * Formating dart source code to pass dart format test * Adding missed required trailing commas to pass dart static analysis * update lock file * variable names --------- Co-authored-by: Yun Jiang <yjiang@roku.com> Co-authored-by: Alex Tran <alex.tran1502@gmail.com> 2024-07-26 14:59:02 +01:00
feat(mobile): allow self-signed certificate on the mobile app (#4051) * WIP: self-signed certs accept * WIP: format * WIP: pushing up adding settings menu * Add serverEndpointURL check * Add translation update * Handle errors properly * format * typo * cleanup * styling and permission * remove deadcode * put pack condition * styling * remove hiding settings options * format + match drop shadow * match color * remove deadcode --------- Co-authored-by: Alex <alex.tran1502@gmail.com> 2023-09-12 10:51:43 -04:00			`return super.createHttpClient(context)`
			`..badCertificateCallback = (X509Certificate cert, String host, int port) {`
fix(mobile): Remote video playback and asset download on Android with mTLS (#16403) * Add class to apply SSL options * Apply client certificate for native Android code * Refactor self-signed check * Allow self-signed certificates * Fix Dart analysis * Add HostnameVerifier Android explicitly does NOT check the Common Name of a certificate, only the Subject Alt Names. Chances are that someone who self-signs a certificate doesn't go through the extra steps to add a SAN, and in that case the connection would be prevented by the HostnameVerifier even thought the TrustManager was fine with the certificate itself. * Rename parameter like in Dart * Fix NPE * Catch all native errors in HttpSSLOptionsPlugin * Workaround for too early onChanged() callback * Fix formatting --------- Co-authored-by: Alex <alex.tran1502@gmail.com> 2025-05-08 15:45:11 +02:00			`if (_allowSelfSignedSSLCert) {`
			`// Conduct server host checks if user is logged in to avoid making`
			`// insecure SSL connections to services that are not the immich server.`
			`if (_serverHost == null \|\| _serverHost.contains(host)) {`
			`return true;`
			`}`
feat(mobile): allow self-signed certificate on the mobile app (#4051) * WIP: self-signed certs accept * WIP: format * WIP: pushing up adding settings menu * Add serverEndpointURL check * Add translation update * Handle errors properly * format * typo * cleanup * styling and permission * remove deadcode * put pack condition * styling * remove hiding settings options * format + match drop shadow * match color * remove deadcode --------- Co-authored-by: Alex <alex.tran1502@gmail.com> 2023-09-12 10:51:43 -04:00			`}`
fix(mobile): Remote video playback and asset download on Android with mTLS (#16403) * Add class to apply SSL options * Apply client certificate for native Android code * Refactor self-signed check * Allow self-signed certificates * Fix Dart analysis * Add HostnameVerifier Android explicitly does NOT check the Common Name of a certificate, only the Subject Alt Names. Chances are that someone who self-signs a certificate doesn't go through the extra steps to add a SAN, and in that case the connection would be prevented by the HostnameVerifier even thought the TrustManager was fine with the certificate itself. * Rename parameter like in Dart * Fix NPE * Catch all native errors in HttpSSLOptionsPlugin * Workaround for too early onChanged() callback * Fix formatting --------- Co-authored-by: Alex <alex.tran1502@gmail.com> 2025-05-08 15:45:11 +02:00			`_log.severe("Invalid SSL certificate for $host:$port");`
			`return false;`
feat(mobile): allow self-signed certificate on the mobile app (#4051) * WIP: self-signed certs accept * WIP: format * WIP: pushing up adding settings menu * Add serverEndpointURL check * Add translation update * Handle errors properly * format * typo * cleanup * styling and permission * remove deadcode * put pack condition * styling * remove hiding settings options * format + match drop shadow * match color * remove deadcode --------- Co-authored-by: Alex <alex.tran1502@gmail.com> 2023-09-12 10:51:43 -04:00			`};`
			`}`
			`}`