capcom6/android-sms-gateway

Add Setting to Ignore HTTPS for Local Network Connections in Webhooks

Closed this issue · 7 comments

Hello, I am experiencing an issue with the /webhook function. I would like to connect to a local server, but it seems impossible to do so because HTTP connections are not allowed. I tried setting up an HTTPS server with a self-signed certificate, but that didn't work either.

Would it be possible to add an option to toggle this protection, or to disable it for local network connections?

Hello!

One of the main goals of the project is privacy. Therefore, HTTPS connections are required for all outgoing connections. Allowing insecure connections could potentially be misused by users, affecting privacy.

Additionally, Android from version 9 limits cleartext connections by default: https://developer.android.com/privacy-and-security/risks/cleartext-communications

For receiving webhooks, you can use self-signed certificates as described here: https://sms-gate.app/faq/webhooks/#how-to-use-webhooks-with-self-signed-certificate

I have plans to simplify the process of issuing self-signed certificates in the long term.

Hello, I created a certificate as instructed in the link, but it still doesn't work. In the application logs, there’s this error: "Webhook failed with retry: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found."

The certificate is properly installed.

Thank you.
(screenshot attached)

I can confirm I am using the methods described on the website (the same server.cnf, with CN set to the IP of the HTTPS server). I can confirm with tcpdump that the webhooks are indeed firing against the server.

Note: I have tried using both a local DNS name and the IP of the web server in the webhooks, without luck.

Server is Apache

First, ensure that you have the correct certificates/keys in the appropriate locations. You can use curl to debug the connection.

Since the SSL connection itself is not part of the app, I can't provide assistance without fully understanding your server and phone configuration, particularly regarding network and SSL settings.

For a complete diagnosis, I need the following information:

  1. Webhook URL
  2. Contents of the server.cnf file used for certificate generation
  3. Names of generated certificates and keys
  4. Web server name/example code and configuration related to SSL
  5. Screenshot of the installed root certificate on the device
  6. Result of the curl command: curl -vv --cacert ca.crt https://your-webhook-url.com

If you prefer not to share this information here, you can contact me directly at support@sms-gate.app.

thank you for this quick response
Webhook URL: "https://192.168.1.94/sms"

server.cnf:

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = California
L = Los Angeles
O = Internet Corporation for Assigned Names and Numbers
OU = IT Operations
CN = 192.168.1.94

[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:192.168.1.94

Generated certificate and key names: ca.crt, ca.key, server.cnf, server.crt, server.csr, server.key

Server code:

// Minimal HTTPS webhook receiver (Express). Only the modules actually used
// by this handler are imported so the file runs on its own.
import { config } from 'dotenv';
import express from 'express';
import fs from 'fs';
import https from 'https';
import { AddressInfo } from 'net';

config();
const app = express();
// Parse JSON bodies; the gateway posts the webhook payload as JSON.
app.use(express.json());

// TLS material: server.key / server.crt signed by the private ca.crt that is
// installed on the Android device.
const options = {
	key: fs.readFileSync('server.key'),
	cert: fs.readFileSync('server.crt')
};

const server = https.createServer(options, app);

server.listen(443, () => {
	console.log('Listening on port ' + (server.address() as AddressInfo).port);
});

// Webhook endpoint matching the configured URL https://192.168.1.94/sms
app.post('/sms', (req, res) => {
	const smsData = req.body;

	console.log('SMS received:', smsData);

	const message = smsData.message;
	const sender = smsData.from;

	console.log(`Message from ${sender}: ${message}`);

	res.sendStatus(200);
});

(screenshots attached)

result of curl command:

$ curl -vv --cacert ca.crt https://192.168.1.94
21:53:48.313540 [0-0] * [HTTPS-CONNECT] added
21:53:48.315816 [0-0] * [HTTPS-CONNECT] connect, init
21:53:48.317118 [0-0] * [HTTPS-CONNECT] connect, check h21
21:53:48.318911 [0-0] *   Trying 192.168.1.94:443...
21:53:48.320501 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:53:48.321992 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 1 socks
21:53:48.323402 [0-0] * [HTTPS-CONNECT] connect, check h21
21:53:48.324924 [0-0] * schannel: disabled automatic use of client certificate
21:53:48.328596 [0-0] * schannel: using IP address, SNI is not supported by OS.
21:53:48.331727 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:53:48.333182 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 1 socks
21:53:48.334598 [0-0] * [HTTPS-CONNECT] connect, check h21
21:53:48.338711 [0-0] * schannel: added 1 certificate(s) from CA file 'ca.crt'
21:53:48.350110 [0-0] * schannel: connection hostname (192.168.1.94) validated against certificate name (192.168.1.94)
21:53:48.353990 [0-0] * [HTTPS-CONNECT] connect+handshake h21: 36ms, 1st data: 17ms
21:53:48.355752 [0-0] * [HTTPS-CONNECT] connect -> 0, done=1
21:53:48.357080 [0-0] * Connected to 192.168.1.94 (192.168.1.94) port 443
21:53:48.358536 [0-0] * using HTTP/1.x
21:53:48.359715 [0-0] > GET / HTTP/1.1
21:53:48.359715 [0-0] > Host: 192.168.1.94
21:53:48.359715 [0-0] > User-Agent: curl/8.10.1
21:53:48.359715 [0-0] > Accept: */*
21:53:48.359715 [0-0] >
21:53:48.365897 [0-0] * schannel: remote party requests renegotiation
21:53:48.367353 [0-0] * schannel: renegotiating SSL/TLS connection
21:53:48.369160 [0-0] * schannel: reusing certificate store from cache
21:53:48.372882 [0-0] * schannel: connection hostname (192.168.1.94) validated against certificate name (192.168.1.94)
21:53:48.375397 [0-0] * schannel: SSL/TLS connection renegotiated
21:53:48.376843 [0-0] * schannel: remote party requests renegotiation
21:53:48.378306 [0-0] * schannel: renegotiating SSL/TLS connection
21:53:48.380150 [0-0] * schannel: reusing certificate store from cache
21:53:48.383510 [0-0] * schannel: connection hostname (192.168.1.94) validated against certificate name (192.168.1.94)
21:53:48.386083 [0-0] * schannel: SSL/TLS connection renegotiated
21:53:48.387643 [0-0] < HTTP/1.1 404 Not Found
21:53:48.388922 [0-0] < X-Powered-By: Express
21:53:48.390141 [0-0] < Content-Security-Policy: default-src 'none'
21:53:48.391592 [0-0] < X-Content-Type-Options: nosniff
21:53:48.393053 [0-0] < Content-Type: text/html; charset=utf-8
21:53:48.394406 [0-0] < Content-Length: 139
21:53:48.395578 [0-0] < Date: Fri, 08 Nov 2024 20:53:48 GMT
21:53:48.396889 [0-0] < Connection: keep-alive
21:53:48.398051 [0-0] < Keep-Alive: timeout=5
21:53:48.399202 [0-0] <
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Cannot GET /</pre>
</body>
</html>
21:53:48.400159 [0-0] * Connection #0 to host 192.168.1.94 left intact

Thank you !

The output of curl confirms that the server is configured correctly. However, there's a suggestion for your server.cnf file: please use the alt_names section as shown in the FAQ to mitigate any inconsistencies:

...
subjectAltName = @alt_names
[alt_names]
IP.0 = 192.168.1.94

I've tested the guide from the FAQ once more with NodeJS, and everything works fine. As another step, please try the attached files:

  • ca.crt - install this on the device
  • server.crt and server.key - use these on the server

(attached: certs.zip)
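The procedure under discussion (private CA, server certificate with the webhook IP in subjectAltName via an alt_names section, then a chain check before the CA is installed on the phone) as an added worked example. This is not code from the issue thread, the FAQ or the project; it assumes openssl is in PATH, uses the IP 192.168.1.94 and the file names ca.crt / server.crt / server.key from the thread, and the CA name "sms-gateway webhook CA" is made up for the example.

```shell
#!/bin/sh
# Added example, not the project's own tooling. Generates a private CA and a
# server certificate whose subjectAltName is the webhook host's IP (declared
# through an alt_names section), then checks that server.crt really chains to
# ca.crt and carries the IP SAN, which is what a TLS client on the phone will
# require once ca.crt is installed as a user CA.
set -eu

make_webhook_certs() {
    ip="$1"    # IP used in the webhook URL, e.g. 192.168.1.94 (from the thread)
    dir="$2"   # output directory
    mkdir -p "$dir"

    # CA config: explicit CA:TRUE so the cert is accepted as a trust anchor.
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no

[dn]
CN = sms-gateway webhook CA

[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

    # Server config: SAN via @alt_names, as recommended above. CN alone is
    # not sufficient for modern clients; the IP must appear in the SAN.
    cat > "$dir/server.cnf" <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
CN = $ip

[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
IP.0 = $ip
EOF

    # 1. Self-signed CA. ca.crt is the file installed on the Android device.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -config "$dir/ca.cnf" 2>/dev/null

    # 2. Server key and CSR from server.cnf.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -config "$dir/server.cnf" 2>/dev/null

    # 3. Sign the CSR with the CA. -extfile/-extensions copy v3_req (the SAN)
    #    into the issued certificate; without them the SAN is silently dropped.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -out "$dir/server.crt" \
        -extfile "$dir/server.cnf" -extensions v3_req 2>/dev/null
}

# Succeeds only if server.crt chains to ca.crt, contains the IP SAN, and
# passes the IP-based name check a TLS client performs.
check_webhook_certs() {
    ip="$1"
    dir="$2"
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/server.crt" -noout -text 2>/dev/null \
        | grep -q "IP Address:$ip" || return 1
    openssl verify -CAfile "$dir/ca.crt" -verify_ip "$ip" "$dir/server.crt" >/dev/null 2>&1
}
```

Run `make_webhook_certs 192.168.1.94 ./out && check_webhook_certs 192.168.1.94 ./out` before touching the phone; if the check fails locally, installing ca.crt on the device will not help. The `-extensions v3_req` flag on the signing step is the piece most often forgotten: a CSR can carry a SAN request, but the issued certificate only gets the SAN if the signer copies it in.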

OK, thank you very much. With this certificate, everything works correctly.
Thank you.