
Cordova SSL pinning error 500: "There was an error with the request"


I'm trying to do SSL pinning with Cordova 5.3.3 and Android with the following plugin: https://github.com/wymsee/cordova-HTTP

When I enable the pinning with the following function and I do the GET, it throws me an Error 500: "There was an error with the request". (All tests are done inside the Android device using the inspector.)

window.cordovaHTTP.enableSSLPinning(
    true,
    function(res) {console.log("SSL pinning: " + res)},
    function(err) {console.log("SSL pinning: " + err)}
);

window.cordovaHTTP.get(
    "https://95.85.12.4/test.json",
    {}, // optional params
    {}, // optional headers
    function(res) {console.log(res)},
    function(err) {console.log(err)}
);

If I accept all certs everything works fine, due to the fact that I'm overlapping the configuration of the pinning.

window.cordovaHTTP.enableSSLPinning(
    true,
    function(res) {console.log("SSL pinning: " + res)},
    function(err) {console.log("SSL pinning: " + err)}
);

window.cordovaHTTP.acceptAllCerts(
    true,
    function(res) {console.log('Accept all certs: ' + res)},
    function(err) {console.log('Accept all certs: ' + err)}
);

window.cordovaHTTP.get(
    "https://95.85.12.4/test.json",
    {}, // optional params
    {}, // optional headers
    function(res) {console.log(res)},
    function(err) {console.log(err)}
);

I'm doing these tests on my server running NGINX. https://95.85.12.4/test.json

I white-listed everything (just for testing purposes)

<!-- Enable all requests, inline styles, and eval() -->
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'">

I also set the debuggable variable in the AndroidManifest.xml to true.

<application android:debuggable="true">

My certificate is self-signed with DER format and .cer extension. I checked that the certificate is correct with openssl. If I install the certificate on my machine there's no problem opening the server URL with the browser.

The certificates are located in the /www/certificates folder inside my Cordova project. I also added the .cer inside /platforms/android/assets.

Any idea?

Thanks!


Solution

  • The problem is not related to the certificate format. It is because of the IP address. You need to create a certificate with SubjectAltName (SAN) as described here if you are not using a host name to send a request. You have to write the IP address as an alt_name. Otherwise you get a "Hostname xxx.xxx.xxx.xxx not verified" error.
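
The fix described in the answer, as an added example that is not part of the original post: it builds one self-signed certificate with only a CN and one with the IP listed under `alt_names`, then uses OpenSSL's own `-checkip` test to show that only the second matches a request sent to an IP address. It assumes the `openssl` command-line tool is installed; the file names and the 192.0.2.10 address are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example. File names and the 192.0.2.10 address are constructed placeholders.

# make_cert <ip> <outdir> <san|nosan>
# Writes a self-signed certificate (PEM for the server, DER .cer for the app to pin).
make_cert() {
    ip="$1"; out="$2"; mode="$3"
    mkdir -p "$out" || return 1
    if [ "$mode" = san ]; then
        cat > "$out/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $ip
[ext]
subjectAltName = @alt_names
[alt_names]
IP.1 = $ip
EOF
    else
        # CN only: what a default self-signed certificate usually looks like
        cat > "$out/openssl.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $ip
EOF
    fi
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$out/openssl.cnf" \
        -keyout "$out/server.key" -out "$out/server.pem" 2>/dev/null || return 1
    openssl x509 -in "$out/server.pem" -outform DER -out "$out/server.cer"
}

# cert_matches_ip <der-file> <ip>: succeeds only if an iPAddress SAN entry equals <ip>
cert_matches_ip() {
    openssl x509 -inform DER -in "$1" -noout -checkip "$2" 2>&1 | grep -q "does match"
}

# Demo: the CN-only certificate fails the IP check, the SAN certificate passes.
demo_dir=$(mktemp -d)
for mode in nosan san; do
    make_cert 192.0.2.10 "$demo_dir/$mode" "$mode"
    if cert_matches_ip "$demo_dir/$mode/server.cer" 192.0.2.10; then r=match; else r="NO match"; fi
    echo "$mode: $r"
done
rm -rf "$demo_dir"
```

The server must present the same certificate the app pins, so `server.pem` and `server.key` go to the web server and `server.cer` goes into the `www/certificates` folder mentioned in the question.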