[feat] ignore ssl certificate errors #4039

Closed
cars10 opened this issue May 3, 2022 · 15 comments

Comments

@cars10

cars10 commented May 3, 2022

Describe the problem

My app lets users connect to self-hosted services that often use self-signed or otherwise untrusted ssl certificates. I cannot access these services with tauri because of certificate errors.

Describe the solution you'd like

Ideal solution would be a prompt that lets users choose to trust the certificate. Another way would be how electron handles it, you can hook to a certificate-error event and ignore the errors, something like this:

// SSL/TLS: this is the self signed certificate support
app.on('certificate-error', (event, webContents, url, error, certificate, callback) => {
    // On certificate error we disable default behaviour (stop loading the page)
    // and we then say "it is all fine - true" to the callback
    event.preventDefault();
    callback(true);
});

source

Alternatives considered

Even a command line flag like Chromium's --ignore-certificate-errors would be helpful.

Additional context

No response

@FabianLars
Member

FabianLars commented May 3, 2022

idk about webkit*, but WebView2 literally just added an experimental api for this in a recent pre-release SDK so we would have to wait for that to stabilize first :/

* afaik webkitgtk has an api for that too, but i didn't find anything for macOS.

@cars10
Author

cars10 commented May 3, 2022

Oh wow, i did not expect missing support in the underlying frameworks. Guess i have to use electron for now.. Thanks!

@JonasKruckenberg
Member

I would consider using a rust http client, like reqwest if you can. This would allow you to, instead of ignoring ssl errors, provide a custom root certificate that would be compatible with the self signed certs. So you're significantly reducing the attack surface with self signed certificates.

@cars10
Author

cars10 commented May 3, 2022

I currently use vuejs and make requests via browser fetch. So just to make sure, you are basically thinking about:

  • write a rust component that exposes a fetch-like interface and uses (for example) reqwest under the hood. this component should ignore/handle ssl errors
  • use this component in my vuejs app to make requests when packaging for tauri. rust/js communication could work like this: https://tauri.studio/docs/guides/command
  • this would result in http requests being sent from the rust side (tauri process) and only the response getting passed to the frontend

Or did i misunderstand something?

@JonasKruckenberg
Member

You got that right yeah! You can write some nicer JS abstraction on top of invoke that replicates the same interface fetch has, so you wouldn't even have to change your current code much
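
The fetch-like wrapper over invoke described in the two comments above, as an added example that is not part of the original thread. The command name `fetch_with_trusted_ca` and the `{ status, headers, body }` reply shape are hypothetical; the Rust command is assumed to make the request with a client that trusts a user-supplied root certificate, as suggested above.

```javascript
// Added example. `fetch_with_trusted_ca` is a hypothetical Tauri command name;
// the Rust side is assumed to return { status, headers, body }.

// Validate the target and build the payload passed to the Rust command.
function buildInvokeArgs(input, init = {}, allowedOrigins = []) {
  const url = new URL(String(input));
  if (url.protocol !== 'https:') {
    throw new TypeError(`refusing non-HTTPS URL: ${url.href}`);
  }
  // Only origins the user explicitly configured take the custom-trust path.
  if (!allowedOrigins.includes(url.origin)) {
    throw new TypeError(`origin not configured: ${url.origin}`);
  }
  const headers = {};
  for (const [name, value] of Object.entries(init.headers || {})) {
    headers[name.toLowerCase()] = String(value);
  }
  return {
    url: url.href,
    method: (init.method || 'GET').toUpperCase(),
    headers,
    body: init.body == null ? null : String(init.body),
  };
}

// Returns a function with the call shape of fetch(). `invoke` is injected
// (in the app it is Tauri's invoke) so the wrapper can run without Tauri.
function makeTauriFetch(invoke, allowedOrigins) {
  return async function tauriFetch(input, init) {
    const request = buildInvokeArgs(input, init, allowedOrigins);
    const res = await invoke('fetch_with_trusted_ca', { request });
    const body = res.body == null ? '' : String(res.body);
    return {
      ok: res.status >= 200 && res.status < 300,
      status: res.status,
      url: request.url,
      headers: res.headers || {},
      text: async () => body,
      json: async () => JSON.parse(body),
    };
  };
}
```

The same origin check belongs in the Rust command too, because code running in the webview can call invoke directly.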

@lucasfernog
Member

That is one of the disable-security requests we get often but aren't planning on implementing anytime soon. Maybe we reconsider when we have more control over the webview.

@cars10
Author

cars10 commented May 3, 2022

Yea i get that, no worries :)
Just for future readers, the idea proposed by @JonasKruckenberg works as expected. Thanks!

@ahmadfebrianto

Yea i get that, no worries :) Just for future readers, the idea proposed by @JonasKruckenberg works as expected. Thanks!

Can you please share the example code?

@BigBaBei

I want same feature, but for now i have to use electron. Is there any progress?

@andrewpedia

@igdswzcd

igdswzcd commented Jun 1, 2023

Maybe the http client used in tauri is attohttpc and reqwest.
https://github.com/tauri-apps/tauri/blob/dev/core/tauri/src/api/http.rs#L136
And .danger_accept_invalid_certs(true) can be used to bypass attohttpc/reqwest tls verification.
https://github.com/sbstp/attohttpc/blob/3fe9967ee83258c8a5012736f07c8111e642ee69/tests/test_invalid_certs.rs#L12-L26
seanmonstar/reqwest#182 (comment)
seanmonstar/reqwest#1210 (comment)

have you tried this

Windows 10 + tauri 1.3.0
I have already tried and it works! My Steps:

  • Modify tauri's http.rs in .cargo (C:/Users/**/.cargo/registry/src/**/tauri-1.3.0/src/api/http.rs), add one line just under line:136
// line:136
let mut request_builder = attohttpc::RequestBuilder::try_new(method, &request.url)?;
// after change
let mut request_builder = attohttpc::RequestBuilder::try_new(method, &request.url)?;
request_builder = request_builder.danger_accept_invalid_certs(true);
  • Delete target/* in your project to recompile changes
  • ReBuild your project

Finally you will find that you can use ClientBuilder and HttpRequestBuilder to access https apis under a self-signed certificate.

@liudonghua123

Maybe the http client used in tauri is attohttpc and reqwest.
https://github.com/tauri-apps/tauri/blob/dev/core/tauri/src/api/http.rs#L136
And .danger_accept_invalid_certs(true) can be used to bypass attohttpc/reqwest tls verification.
https://github.com/sbstp/attohttpc/blob/3fe9967ee83258c8a5012736f07c8111e642ee69/tests/test_invalid_certs.rs#L12-L26
seanmonstar/reqwest#182 (comment)
seanmonstar/reqwest#1210 (comment)

have you tried this

Windows 10 + tauri 1.3.0 I have already tried and it works! My Steps:

  • Modify tauri's http.rs in .cargo (C:/Users/**/.cargo/registry/src/**/tauri-1.3.0/src/api/http.rs), add one line just under line:136
// line:136
let mut request_builder = attohttpc::RequestBuilder::try_new(method, &request.url)?;
// after change
let mut request_builder = attohttpc::RequestBuilder::try_new(method, &request.url)?;
request_builder = request_builder.danger_accept_invalid_certs(true);
  • Delete target/* in your project to recompile changes
  • ReBuild your project

Finally you will find that you can use ClientBuilder and HttpRequestBuilder to access https apis under a self-signed certificate.

It seems the request_builder has changed in the new version; for 1.x, it uses reqwest::Client instead of attohttpc::RequestBuilder.

let mut request_builder = self.0.request(method, request.url.as_str());

let mut request_builder = attohttpc::RequestBuilder::try_new(method, &request.url)?;

And for dev/2.x, the code may have migrated to a new repo which uses reqwest::ClientBuilder. See also https://tauri.app/v1/api/js/http/, https://beta.tauri.app/features/http-client/.

https://github.com/tauri-apps/tauri-plugin-http/blob/abeeedc1b24dd456a76aae6bc4f33d2ef3f72bbf/src/commands.rs#L152

So maybe we should search for a similar solution like attohttpc::RequestBuilder.danger_accept_invalid_certs for reqwest.

And I also found that reqwest also provides danger_accept_invalid_certs. See also seanmonstar/reqwest#182 (comment).

@realtebo

Under the hood, chromium allows a flag to disable verification of certificates and also to allow fetching http resources.

We are in the main and vital need to connect to a local odata provider using http and we are stalled

@FabianLars
Member

@realtebo Just to be sure, are you really talking about http or do you mean https? For http certificates should not matter, no?

If it's http, you're using tauri v1, and you're dealing with mixed-content errors (windows only) then try this setting https://v1.tauri.app/v1/api/config/#securityconfig.dangeroususehttpscheme - if not then we'll need more info.

janeywong added a commit to janeywong/HINEW that referenced this issue Nov 4, 2024
Frontend access to https with a self-signed certificate gets blocked
tauri-apps/tauri#4039