We should allow the user to do everything they do on desktop: add a permanent exception, view the certificate, or temporarily ignore the error. Supporting self-signed certs in Sync is not exactly covered by this bug.
Just a heads up, WKWebView cannot currently handle self-signed certificates (I happened to stumbled upon this while working on a project with WKWebView where I want to use self-signed certs for internal testing): https://twitter.com/wkwebview/status/542363586958745600
Fixed in iOS 9 as navigating to pages with self-signed certificates now call didReceiveAuthenticationChallenge on WKNavigationDelegate so you can manually decide how to handle self-signed certificates.
Yes, in iOS9 we now have the option to do custom certificate validation and accepting self-signed certificates can most likely be build on top of that. We have a bigger plan of pulling in the Mozilla certificate validation code, but feel free to experiment with this to find out how well that new API works.
Going to investigate and breakdown for a potential mentor/contributor bug.
Did any of this land? If not, can we break this down?
Not sure why this is tracking 2.0. This is way too complex for 2.0. I'm moving it to + and I also have a plan to deal with all things related to custom cert validation but nothing is documented in bugs yet.
Going to split this into two bugs. This one will be about accepting certs, storing them in memory, and adding the simple accept/reject UI. The follow-up will add disk storage, including clearing the certs in settings. This one is mostly ready, but I want to do a bit more testing and add some test cases before flagging review. I don't expect the UI to change, though, so flagging for ui-review.
Robin, are the mocks at  finalized, or are things still in flux as we try to sync up with desktop? If the latter, do you think we could ship your earlier mocks (currently used in this PR) for 4.0, then converge with updated designs for 5.0?  https://docs.google.com/a/mozilla.com/document/d/1Wnr0tqAX38DXz_o9pQbU7SMrsbvMUoJupbISm1r3DUU/edit?usp=sharing
Brian, the mocks have been updated (as of 20:08 this evening) and we should be going with a webview template, based on my mocks and not waiting for Desktop for 4.0
Comment on attachment 8733640 [details] [review] Link to Github pull-request: https://github.com/mozilla/firefox-ios/pull/1658 Functionality-wise, I think this PR is ready to land. It adds support for cert exceptions using the error page UI. This doesn't include permanent exceptions (bug 1259284); I'll try to have that bug up by tomorrow. The error page isn't at all styled/polished yet, but I'd like to land this so we can have the functionality/strings before 4.0. I figure we can iterate on the error page design on the stabilization branch since it's just tweaking HTML/CSS. Robin, can you double-check that the strings are all good to go? No ui-review yet -- I know the page looks hideous :)
Attachment #8733640 - Flags: feedback? → feedback?(randersen)
Comment on attachment 8733640 [details] [review] Link to Github pull-request: https://github.com/mozilla/firefox-ios/pull/1658 One change: "Proceed if you accept the [+]potential risk[-]s".
Attachment #8733640 - Flags: feedback?(randersen) → feedback+
Comment on attachment 8733640 [details] [review] Link to Github pull-request: https://github.com/mozilla/firefox-ios/pull/1658 Looks good! Just one edge case bug I found related to the history stack.
Attachment #8733640 - Flags: feedback+
Comment on attachment 8733640 [details] [review] Link to Github pull-request: https://github.com/mozilla/firefox-ios/pull/1658 LGTM!
Attachment #8733640 - Flags: review?(sleroux) → review+
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.