Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Android] User root CAs ignored when downloading remote rulesets #2433

Open
4 of 5 tasks
KirillAldashkin opened this issue Jan 3, 2025 · 1 comment
Open
4 of 5 tasks

[Android] User root CAs ignored when downloading remote rulesets #2433

KirillAldashkin opened this issue Jan 3, 2025 · 1 comment
Labels
bug Something isn't working

Comments

@KirillAldashkin
Copy link

KirillAldashkin commented Jan 3, 2025
edited
Loading

Operating system

Android

System version

Android 14

Installation type

sing-box for Android Graphical Client

If you are using a graphical client, please provide the version of the client.

1.11.0-beta.19

Version

No response

Description

Android client does not respect user installed root CAs when downloading remote rulesets.
I have ensured that root CA is valid: sing-box CLI client for Windows successfully connects to a server
And is correclty imported system-wise: another android apps (eg. Chrome) can open url to rule set file

Reproduction

  1. Create a root CA and a server certificate signed by it using OpenSSL
  2. Get root CA file on an Android device and server certificates on a server.
  3. Prepare a server:
    • Install nginx (eg. sudo apt install nginx)
    • Peplace it's configuration file (eg. /etc/nginx/nginx.conf) with a one provided below
    • Restart server: nginx -s reload
  4. Install root CA on Android device:
    • Settings → Security and privacy → Advanced settings → Credential storage → Install certificates from file → Root CA
    • Dismiss warning message and enter password/fingerprint/etc.
    • Browse and install root CA file
  5. In Android client, add an config.json profile
  6. Try to start it

Expected behaviour

Get some error related to HTTP status code 404

Actual behaviour

Get an error

Working config for an Windows CLI client:

It has an expected behaviour - reporting an HTTP 404 error

Files:

config.json

{
  "log": {
    "level": "trace"
  },
  "route": {
    "rule_set": [
      {
        "tag": "rule",
        "type": "remote",
        "format": "source",
        "url": "https://******/ruleset.json"
      }
    ]
  }
}

nginx.conf

events {
  worker_connections 1024;
}
http {
  server {
    listen 443 ssl;
    ssl_certificate PATH_TO/PUBLIC.crt;
    ssl_certificate_key PATH_TO/PRIVATE.key;
    ssl_protocols TLSv1.2 TLSv1.3;
  }
}

Logs

My Android device does not have an SD card and, thereof, an /sdcard/* path and I couldn't find any other path where application logs could be located

Logs from sing-box CLI for the same config.json (expected behaviour for provivded reproduction):

INFO[0000] router: updated default interface Беспроводная сеть, index 17
DEBUG[0000] router: updating rule-set rule_direct from URL: https://******/ruleset.json
INFO[0000] outbound/direct: outbound connection to ******
FATAL[0000] start service: initialize rule-set[0]: initial rule-set: rule_direct: unexpected status: 404 Not Found

Supporter

Integrity requirements

  • I confirm that I have read the documentation, understand the meaning of all the configuration items I wrote, and did not pile up seemingly useful options or default values.
  • I confirm that I have provided the server and client configuration files and process that can be reproduced locally, instead of a complicated client configuration file that has been stripped of sensitive data.
  • I confirm that I have provided the simplest configuration that can be used to reproduce the error I reported, instead of depending on remote servers, TUN, graphical interface clients, or other closed-source software.
  • I confirm that I have provided the complete configuration files and logs, rather than just providing parts I think are useful out of confidence in my own intelligence.
@KirillAldashkin KirillAldashkin changed the title [Android] User root CAs ignored when downloading remove rulesets [Android] User root CAs ignored when downloading remote rulesets Jan 3, 2025
@nekohasekai nekohasekai added from end user An end user is asking a developer to fix their problem for free bug Something isn't working and removed from end user An end user is asking a developer to fix their problem for free labels Jan 9, 2025
@dyhkwong
Copy link
Contributor

Installing a user trusted CA does not mean that other apps will transparently make use of your installed CA. Most apps only recognized system trusted CAs (by design of Android). In most cases (e.g. ads removal via MiTM), you need to root your device and install some "modules" to move the user trusted CA files to /apex/com.android.conscrypt/cacerts (Android 14+) or /system/etc/security/cacerts. Even if some apps can workaround this by writing some extra code, it is not the fault of those apps.

Golang once added /data/misc/keychain/certs-added for certificate retrieval but it does not work at all. On Android 5+, user trusted CA folder is /data/misc/user/[user id]/cacerts-added. On Android 4.x, user trusted CA folder is /data/misc/keychain/cacerts-added, not /data/misc/keychain/certs-added. See golang/go#71258 for more details.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dyhkwong @KirillAldashkin @nekohasekai