Tasker 5.2 no longer trusts user certificates

[Ben Winslow]

Hi there!

Since updating to Tasker 5.2*, user CA certificates (i.e. CA certificates that have been manually added to the system and appear under system settings -> security (exact location varies) -> view security certificates -> user) are no longer honored when using the "HTTP <method>" network actions or XMLHttpRequest inside a JavaScript(let) action.

I believe this is due to the new release bumping targetSdk to 25 combined with the changes described in https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html (user certificates are no longer trusted by default for targetSdk >= 24).  I believe the solution is to add a networkSecurityConfig to the app manifest (https://developer.android.com/training/articles/security-config), and in the networkSecurityConfig xml use the snippet under "Trusting user-added CAs for all secure connections" in the Android developers blog post.

More details:

https requests using a certificate that's signed with a CA certificate that only exists in the user CA store behave as if the CA isn't found at all (the same behavior you'd expect for a self-signed certificate); for example, the error log from an "HTTP GET" action:

19.10.10/E prot: https:// serverport: <hostname>:443 contenttype: 

19.10.10/E method: GET url: https://<hostname>:443/foo timout: 10000 dataisfile false save null

19.10.10/WakeLockManager acquired partial lock for M flags: 1 autorelease: true warn: true

19.10.10/WakeLockManager setClearAlarm: not setting, last set 31ms ago

19.10.10/WakeLockManager setClearAlarm: not setting, last set 54ms ago

19.10.10/E body isfile: false cont: null

19.10.11/E Input/Output error for https://<hostname>:443/foo: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found..

19.10.11/E result: stop task (error)

19.10.11/E Error: 1

19.10.11/MacroEdit action finished exeID 1 action no 0 code 118 status: Err next 0

I could, of course, use the "Trust Any Certificate" option -- but this is insecure and doesn't help for the Javascript actions which are my primary use case.

Device: Samsung Galaxy S8 (stock OS)

Build fingerprint: 'samsung/dreamqlteue/dreamqlteue:8.0.0/R16NW/G950U1UES5CRF5:user/release-keys'

Tasker version: 5.2.bf1

* I'm not 100% sure this happened with 5.2, but that version makes the most sense based on the changelog and time of my last successful connection.  Incidentally, a variable with the Tasker version would be handy so that I can log it on the server side.  :)

Cheers,

-- 

Ben

[João Dias]

Hi, thank you very much for your report.

Can you please try this version? https://drive.google.com/file/d/1VVuK97CNhk-03otJwSmn8dX0T2jF7_jb/view?usp=sharing

Let me know how it works :) Thanks!

[Ben Winslow]

That did the trick!  Thank you very much! 

-- 

Ben

[João Dias]

Great :D Let me know if there are any side effects. Thanks!

--
You received this message because you are subscribed to the Google Groups "Tasker" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tasker+un...@googlegroups.com.
Visit this group at https://groups.google.com/group/tasker.
For more options, visit https://groups.google.com/d/optout.

[Rijoy Bhaskaran]

So the work around is to us this version of app ? 

[João Dias]

This version is already in beta, so you can use that :)