Rocket.chat.reactnative: [IMPROVEMENT] Support insecure servers

Created on 31 Oct 2019  ·  4Comments  ·  Source: RocketChat/Rocket.Chat.ReactNative

  • Your Rocket.Chat Experimental app version: whatever is on google play
  • Your Rocket.Chat server version: 2.2.0
  • Device (or Simulator) you're running with: samsung galaxy tab 3

The server is private for friends and family and isn't using https

The experimental client now says the url is invalid and it is not.

Unacceptable.

👍 improvement 🕵️ needs investigation

All 4 comments

Hi @LeeThompson , can you give me more info about your server?
Has subpath on url?
You're using explicit http:// on url?
What is your version? (You can find this on App Info)

I'll gather the additional data when I can (not near the device right now).

I used "http://" explicitly in the URL string. I'm also running RocketChat on port 3000 so http://[myrocketchatserver]:3000 There are no subpaths on the URL.

While I have a long-term goal to have reverse proxy setup for RocketChat with a self signed SSL certificate the ROOT_URL setting in RocketChat makes it an 'all or nothing' deal so I can't even do any testing. The last time I tried it, many things did not work properly (my internet facing web server is also IIS which isn't on the 'blessed' list for rocketchat).

I've been looking into having another docker container running nginx with reverse proxy for rocketchat but the various free SSL systems do not allow non standards ports so plan B isn't going very quickly either.

It would be nice if the clients would just allow http:// and non-standard ports and maybe just warn about security.

I don't think starting to support insecure servers is a bug.
If we think on implementing it would be a feature.
On iOS, Apple allows it only by adding an exception like this:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>localhost</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>

We would have to figure out how to do that in runtime, since we would want to enable insecure calls only to the selected server.
Another option would be to enable it to any connections, but we need to implement it carefully.

Important
Always look for a way to avoid using exceptions as a first recourse. If you must use an exception, make it as limited in scope as possible.
https://developer.apple.com/documentation/security/preventing_insecure_network_connections

@LeeThompson Let me know if you want to help. Thanks.

I can help test (Android/Windows).

Was this page helpful?
0 / 5 - 0 ratings

Related issues

xuanduyrn picture xuanduyrn  ·  3Comments

Perflyst picture Perflyst  ·  5Comments

djnews24 picture djnews24  ·  4Comments

MatthiasHertel picture MatthiasHertel  ·  4Comments

mar-v picture mar-v  ·  3Comments