cordova "release" behaves differently to "debug" regarding SSL

cordova tutorial
cordova angular
cordova ionic
cordova-android
cordova plugin
cordova city
apache cordova is a hybrid framework
cordova introduction

I have very difficult and totally ungoogleable problem with cordova.

A program, working perfectly being compiled in --debug mode, ceases working after compilation in --release mode. I made sure the source is identical, and the effect is constant.

The only difference between --debug build and --release build is that the --release build fails to open any SSL connections.

This problem is localized very narrow, in my case it is the following line:

Socket = new WebSocket('wss://376.su/');

a friend of mine has reported the same error occurrence in the line:

<img src="https://blabla" />;

UPD: the problem is solved see the answers.

Problem

I have identified the exact source of the problem and i have found the perfect solution. It turned out to be a superposition of two separate issues each of which is seriously misleading:

  1. My SSL certificate from Thawte (despite its cost) is not recognized by Android 5.1.1 as a valid one (while being recognized by all desktop browsers)

  2. The --debug flag in cordova build simply ignores certificate "errors" (silently).

Solution

Go to your project's directory and find the following file:

platforms/android/CordovaLib/src/org/apache/cordova/engine/SystemWebViewClient.java

Locate the method definition (onReceivedSslError) and the following condition:

(appInfo.flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0

This is what makes --debug and --release different. In order to ignore certificate "errors" the following code should be executed:

handler.proceed();
return;

This file persists through the build process. Don't forget to ignore those quasi-errors next time you add a platform to your project.

Apache Cordova, This tool helps with management of multi-platform Cordova applications as well as Cordova plugin integration. Installation. In your command-line  Cordova command-line runs on Node.js and is available on NPM . Follow platform specific guides to install additional platform dependencies. Open a command prompt or Terminal, and type npm install -g cordova. $ npm install -g cordova. npm install -g cordova. Create a project. Create a blank Cordova project using the command-line tool. Navigate

Android does not recognise the certificate authority (CA) of that certificate. It is a common issue, specially with older devices, and it affects every device every time a new CA appears.

A possible solution is to take advantage of the trust hierarchy:

  1. Concat the authority's certs with your cert.

    That way you'll send your CA's certificates first to ensure that the device trust your CA before your domain's certificate.

    If you have separated certs, this shell command does the trick:

    $ cat authority1.cert authority2.cert authority3.cert your_domain.cert >> your_domain_bundle.cert
    

    Or if you have a ca-bundle file, that is a concatenation of certificates, just run:

    $ cat authority.ca-bundle your_domain.cert >> your_domain_bundle.cert
    
  2. Add that your_domain_bundle.cert to the server.

Problem solved for https and wss.

Cordova, From the team behind Apache Cordova, the Adobe PhoneGap framework is an open source distribution of Cordova — providing the advantage of technology  Córdoba (/ ˈ k ɔːr d ə b ə /, Spanish:  [ˈkoɾðoβa]), [a] also spelled Cordova (/ ˈ k ɔːr d ə v ə /) in English, is a city in Andalusia, southern Spain, and the capital of the province of Córdoba.

I had the same problem but the main source isn't the code SystemWebViewClient.java. Your post helped me a lot to find the exact source. Actually the main source is that the https site you are trying to reach is missing the certificate authority (CA) that is needed by Cordova to connect to a secured site. Actually I'm using Siberian CMS which is built over Ionic/Cordova.

You can check the site with https://www.sslshopper.com/ssl-checker.html#hostname=

cordova, Apache Cordova is an open source framework that enables web developers to use their HTML, CSS, and JavaScript content to create a native application for a  Cordova Tourism: Tripadvisor has 663 reviews of Cordova Hotels, Attractions, and Restaurants making it your best Cordova resource.

PhoneGap, Apache Cordova. Mobile apps with HTML, CSS & JS; Target multiple platforms with one code base; Free and open source. Website and documentation:  Cordova (/ k ɔːr ˈ d oʊ v ə, ˈ k ɔːr d ə v ə /) is a small town located near the mouth of the Copper River in the Valdez-Cordova Census Area, Alaska, United States, at the head of Orca Inlet on the east side of Prince William Sound. The population was 2,239 at the 2010 census, down from 2,454 in 2000.

What is Apache Cordova?, cordova-js. NPM. Node CI. A unified JavaScript layer for Apache Cordova projects. Project Structure. View all of README.md. Releases. 6.0.0 published 28  Cordova was founded as a result of the discovery of high-grade copper ore at Kennecott, north of Cordova. A group of surveyors from Valdez laid out a town site and Michael James Heney purchased half the land for the terminus of the Copper River and Northwestern Railway after determining that Katalla was a poor harbor.

Apache Cordova - Hello World from Android and iOS, Get directions, maps, and traffic for Cordova, TN. Check flight prices and hotel availability for your visit.

Comments
  • yes i did. for the sake of brevity i omitted the statement that the very same "--release" program works perfectly without SSL, provided everything else the same.
  • that condition should be actually ignored and that code should be in any case executed, as you said! This is 6.2.0 of cordova and this technique is still helping!
  • This gets my release build working but for some reason when the same release.apk is uploaded to play store it fails again?
  • This solution is insecure, deploy your certificate properly see stackoverflow.com/questions/32021743/…
  • there is no need in half-solutions in the presence of a better one. ignoring "authority" does not invalidate the purpose of SSL, learn you some math.
  • Could you explain how ignoring the certificate's validity is better than validate the certificate authority? I'd want to understand why I'm wrong.
  • This solution is better than ignoring errors, but a more generic "this is what an intermediate certificate is, here's a resource on installing them on various platforms" might be suitable. There's at least a dozen different ways to set up CA certs for your web server.
  • This is the real solution to this issue, if you have this issue symptoms check your SSL certificate is properly deployed with chain and intermediate cert concatenated via: ssllabs.com/ssltest/analyze.html?d=example.com&latest