sha512.badssl Certificate failed #2
Comments
Hi @aancw, thanks for getting in touch. That error is not coming from HTTP Toolkit at all though. The certificate for that site really has expired. When visiting it in any browser on any device you like you will see this error, even without using HTTP Toolkit. In fact, I'm not sure what your setup is, but it looks like the browser you're showing isn't actually being intercepted by HTTP Toolkit at all. If it was, the 'Issuer' would say 'HTTP Toolkit CA'. If you do try to visit the site using a browser intercepted by HTTP Toolkit, you will see a "Certificate has expired" error, but within a normal secure response, because the HTTPS connection (from your browser to HTTP Toolkit) will work correctly, and only the upstream connection (HTTP Toolkit to the server) will fail because of the failed certificate. Does that make sense? In both cases, HTTP Toolkit isn't doing anything wrong here - the problem is that that server's certificate really has expired. This is tracked by the team running that service here: chromium/badssl.com#501. I'd suggest getting in touch with them directly if you want to help get that fixed.
I know that the problem is in the server. What I mean is, can this server URL be changed? Because this app cannot run without a proxy. I'm using this app for the article, but the demo shows an error when pinning the request.
I don't understand what you mean. Which article? Which app?
Never mind, I've forked the repo and changed the URL to one that works for this app, and signed the APK too.
Ah, I see! Sorry, I had no idea what you were talking about before. That makes a lot more sense now, thanks for the screenshot and info. This is now fixed in the app, there's an updated v1.3.0 available that should work correctly: https://github.com/httptoolkit/android-ssl-pinning-demo/releases/tag/v1.3.0
I think the v1.3.0 APK is signed already, isn't it? I was doing this manually before, but it's now automated: 04a5c5d. If you download it, you can test that for yourself:
I think that error above is because you have an app installed with the same package id but a different signature. The signature is different in this build because I've just generated a new key store for this, but if you uninstall the old version before you install the new version it should work. I don't think that matters too much, I don't expect many people are going to be upgrading between versions here, it's just a demo app.
Nice. Last time I forked the repo, the APK was not signed when running the GitHub workflow. That's why I made an update to ci.yml to sign the APK, so it can be installed on devices.
Hi,
I'm using your app and the application is showing an error when clicking the button. It says there is a sha512.badssl certification error. SSL Certificate for target is expired