How to make the Appium dotnet driver to trust the Appium server certificate?

[alvaro777]

Hi there,
I am trying to use an SSL enabled Appium server, but when I try to open a session, I get this exception
Is there any way to instruct the client to trust the Appium server certificate? Similar to what the "Allow Unauthorized Certificates" option does in Appium Desktop:

I am using Appium web driver version 4.3.1.
Appium server 1.19.0

Thanks,
A

[Dor-bl]

I think this question should be placed under appium repo. @mykola-mokhnach / @KazuCocoa do we have such argument that we can pass to appium server?

[KazuCocoa]

It is dotnet client thing. I guess the endpoint has https with self-certificate, or something new certificate which is not valid for existing one. For example, Python 2's bundled certificates had the issue.

Then, a client should relax the validation like ignoring the validation. I haven't dug into the dotnet client's options to relax the validation, but it might have.

[Dor-bl]

@KazuCocoa, Trying to replicate this from my side.

I followed this guide: https://appium.io/docs/en/2.3/guides/tls/
and when I start the appium server with the cert and key I get HTTP: instead of HTTPS:

Here are the logs:

C:\Program Files\OpenSSL-Win64\crt>appium server --port 4724 --ssl-cert-path cert.pem --ssl-key-path key.pem
[Appium] Welcome to Appium v2.5.1
[Appium] Non-default server args:
[Appium] {
[Appium]   port: 4724
[Appium] }
[Appium] The autodetected Appium home path: C:\Users\Dor-B\.appium
[Appium] Attempting to load driver windows...
[Appium] Attempting to load driver uiautomator2...
[Appium] Attempting to load driver espresso...
[Appium] Requiring driver at C:\Users\Dor-B\.appium\node_modules\appium-windows-driver\build\index.js
[Appium] Requiring driver at C:\Users\Dor-B\.appium\node_modules\appium-espresso-driver\build\index.js
[Appium] Requiring driver at C:\Users\Dor-B\.appium\node_modules\appium-uiautomator2-driver\build\index.js
[Appium] WindowsDriver has been successfully loaded in 2.261s
[Appium] EspressoDriver has been successfully loaded in 2.261s
[Appium] AndroidUiautomator2Driver has been successfully loaded in 2.263s
[HTTP] Enabling TLS/SPDY on the server using the provided certificate
(node:14432) [DEP0111] DeprecationWarning: Access to process.binding('http_parser') is deprecated.
(Use `node --trace-deprecation ...` to show where the warning was created)
[Appium] Appium REST http interface listener started on http://0.0.0.0:4724
[Appium] You can provide the following URLs in your client code to connect to this server:
[Appium]        http://10.100.102.94:4724/
[Appium]        http://127.0.0.1:4724/ (only accessible from the same host)
[Appium] Available drivers:
[Appium]   - [email protected] (automationName 'Windows')
[Appium]   - [email protected] (automationName 'UiAutomator2')
[Appium]   - [email protected] (automationName 'Espresso')
[Appium] Available plugins:
[Appium]   - [email protected]
[Appium] No plugins activated. Use the --use-plugins flag with names of plugins to activate

[mykola-mokhnach]

@Dor-bl Please always try the most recent server version. The 2.5.1 one is pretty out of date

[Dor-bl]

@mykola-mokhnach Updated to 2.11.3, but still got the same outcome:

[Appium] Welcome to Appium v2.11.3
[Appium] The autodetected Appium home path: C:\Users\Dor-B\.appium
[Appium] Attempting to load driver windows...
[Appium] Attempting to load driver uiautomator2...
[Appium] Attempting to load driver espresso...
[Appium] Requiring driver at C:\Users\Dor-B\.appium\node_modules\appium-windows-driver\build\index.js
[Appium] Requiring driver at C:\Users\Dor-B\.appium\node_modules\appium-espresso-driver\build\index.js
[Appium] Requiring driver at C:\Users\Dor-B\.appium\node_modules\appium-uiautomator2-driver\build\index.js
[Appium] WindowsDriver has been successfully loaded in 13.159s
[Appium] EspressoDriver has been successfully loaded in 13.159s
[Appium] AndroidUiautomator2Driver has been successfully loaded in 13.162s
[HTTP] Enabling TLS/SPDY on the server using the provided certificate
(node:23024) [DEP0111] DeprecationWarning: Access to process.binding('http_parser') is deprecated.
(Use `node --trace-deprecation ...` to show where the warning was created)
[Appium] Appium REST http interface listener started on http://0.0.0.0:4723
[Appium] You can provide the following URLs in your client code to connect to this server:
        http://10.100.102.94:4723/
        http://127.0.0.1:4723/ (only accessible from the same host)
[Appium] Available drivers:
[Appium]   - [email protected] (automationName 'Windows')
[Appium]   - [email protected] (automationName 'UiAutomator2')
[Appium]   - [email protected] (automationName 'Espresso')
[Appium] Available plugins:
[Appium]   - [email protected]
[Appium] No plugins activated. Use the --use-plugins flag with names of plugins to activate

[mykola-mokhnach]

I've checked it locally and it looks like there is a bug in logging. The server itself does start using a secure protocol though. appium/appium#20449 should fix the log line

[Dor-bl]

@mykola-mokhnach, Indeed the latest version fixes the log line.
But now I get an error different from what the author of this issue gets.
Would you happen to have an idea of what can be the reason?

 Message: 
OneTimeSetUp: OpenQA.Selenium.WebDriverException : An unknown exception was encountered sending an HTTP request to the remote WebDriver server for URL https://localhost:4724/session. The exception message was: An error occurred while sending the request.
  ----> System.Net.Http.HttpRequestException : An error occurred while sending the request.
  ----> System.Net.WebException : The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
  ----> System.Security.Authentication.AuthenticationException : The remote certificate is invalid according to the validation procedure.

  Stack Trace: 
<ExecuteAsync>d__34.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
ExceptionDispatchInfo.Throw()
TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
ConfiguredTaskAwaiter.GetResult()
<ExecuteAsync>d__11.MoveNext() line 80
--- End of stack trace from previous location where exception was thrown ---
ExceptionDispatchInfo.Throw()
TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
<ExecuteAsync>d__63.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
ExceptionDispatchInfo.Throw()
TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
WebDriver.Execute(String driverCommandToExecute, Dictionary`2 parameters)
AppiumDriver.Execute(String driverCommandToExecute, Dictionary`2 parameters) line 119
WebDriver.StartSession(ICapabilities capabilities)
WebDriver.ctor(ICommandExecutor executor, ICapabilities capabilities)
AppiumDriver.ctor(ICommandExecutor commandExecutor, ICapabilities appiumOptions) line 46
AppiumDriver.ctor(Uri remoteAddress, ICapabilities appiumOptions, TimeSpan commandTimeout, AppiumClientConfig clientConfig) line 104
AppiumDriver.ctor(Uri remoteAddress, ICapabilities appiumOptions, TimeSpan commandTimeout) line 83
AndroidDriver.ctor(Uri remoteAddress, DriverOptions driverOptions, TimeSpan commandTimeout) line 114
ElementTest.BeforeAll() line 22
--HttpRequestException
ExceptionDispatchInfo.Throw()
TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
<MakeHttpRequest>d__37.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
ExceptionDispatchInfo.Throw()
TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
<ExecuteAsync>d__34.MoveNext()
--WebException
HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
--AuthenticationException
TlsStream.EndWrite(IAsyncResult asyncResult)
ConnectStream.WriteHeadersCallback(IAsyncResult ar)

[mykola-mokhnach]

I am not an expect in dotnet. Try to check available configuration options for the HTTP client library there. There must be something, that could allow to ignore/skip certificates validation.

Another solution might be to import your self-signed certificate into the Root CA on the client machine.

[Dor-bl]

@nvborisenko, Do you guys already implemented something similar on the Selenium side?
I couldn't find any traces.

On the same topic, is it possible to modify Selenium HTTPCommandExecutor with my own HttpClient? couldn't find a way.

[nvborisenko]

I have posted a feature request, seems very easy to implement. Looked through your repo, and it will be possible to configure HttpClient.

[nvborisenko]

Will be available in Selenium v4.29 (in one week?). So you will be able to:

class AppiumHttpCommandExecutor : HttpCommandExecutor
{
  override HttpClientHandler CreateHttpClientHandler()
  {
    var handler = base.CreateHttpClientHandler();
    handler.ServerCertificateCustomValidationCallback += ... => return true;
  }
}

Notice: handler.ServerCertificateCustomValidationCallback is not available for netstandard2.0. You can use statically available:

ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;

Changing global static behavior by library is not very good.

[nvborisenko]

@Dor-bl Selenium 4.29 has been released, you can give it a try.

[Dor-bl]

@nvborisenko, thank you for that change.
But I came across an issue when trying to use it since CreateHttpClientHandler is protected

few options:

1. Add accessibility modifier: protected
2. Use reflection to call the method (Less preferred)
3. access the protected method from a public one.

WDYT?

[nvborisenko]

@Dor-bl just add protected access modifier for your method. Excuses, I wrote examples in calculator.

[Dor-bl]

@Dor-bl just add protected access modifier for your method. Excuses, I wrote examples in calculator.

And then access it from a public method?

[nvborisenko]

And use your AppiumHttpCommandExecutor class instead of selenium's HttpCommandExecutor everywhere across code. For instance here:

dotnet-client/src/Appium.Net/Appium/Service/AppiumCommandExecutor.cs

Line 33 in bcfde8b

return new HttpCommandExecutor(remoteAddress, commandTimeout);

[Dor-bl]

@KazuCocoa / @mykola-mokhnach, What do you guys think about adding the RelaxSslValidation flag?

1st option is adding a flag as below to appiumDriver. i.e.

        public AppiumDriver(Uri remoteAddress, ICapabilities appiumOptions, TimeSpan commandTimeout, AppiumClientConfig clientConfig, bool relaxSSLValidation)
            : this(new AppiumCommandExecutor(remoteAddress, commandTimeout, clientConfig, relaxSSLValidation), appiumOptions)
        {
        }

2nd option would be to add this flag under the AppiumClientConfig class. (I'm not sure if it makes sense, appium-wise.)

[mykola-mokhnach]

I would prefer the second option

[nvborisenko]

AppiumClientConfig is very well suited to be not a breaking change.

[KazuCocoa]

Vote for AppiumClientConfig