B4J Question [SOLVED] possible webview cache issue?

aminoacid

Active Member
Licensed User
Longtime User
This is something that has stumped me.

I cannot figure out why the following URL:


works in Chrome and Edge but will not load in webview. This is just a simple apache test page. Nothing complex at all.

I wrote a simple B4J App to test it out. Just one webview control and nothing else. See below - this is the whole program:

B4X:
#Region Project Attributes
    #MainFormWidth: 600
    #MainFormHeight: 600
#End Region

Sub Process_Globals
    Private fx As JFX
    Private MainForm As Form
    Private xui As XUI
    Private WebView1 As WebView
End Sub

Sub AppStart (Form1 As Form, Args() As String)
    MainForm = Form1
    MainForm.RootPane.LoadLayout("Layout1")
    MainForm.Show
    WebView1.LoadUrl("https://strikenet-tx.com/apache.html")
    'WebView1.LoadUrl("https://www.google.com")
End Sub


I tried various web sites like google, etc. It works fine. But I just get a blank screen with the URL "https://strikenet-tx.com/apache.html". And like I said. This URL/page loads fine in all other browsers.

Any suggestions would be appreciated. I have spent a whole day trying to figure this out and I give up!

Thanks!
 
Solution
Ok.... I got it to work. Thank you @sedd and @Sandman
Once I added the certificate to the local JRE cacerts file, I could view the page.
The procedure to do this is outlined in the link below.


[edit] This resolves the problem but it got me thinking about what if you need to distribute the application? You can't expect the end-user to have to add the certificate manually. The certificate is a purchased, perfectly valid certificate (issued by DigiCert) and works in other browsers so it seems strange that this behavior is specific to browsers like curl and webview.

Sandman

Expert
Licensed User
Longtime User
It's related to the cert the site uses. A quick test with the lovely tool curl gives this response:
Bash:
sandman@woopwoop:~ curl https://strikenet-tx.com/apache.html
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
sandman@woopwoop:~

I'm no expert with certs etc, but this is how I picture the situation: Each browser has their own list of acceptable certs. It's in the interests of the big browsers to keep their lists updated so everything works for the users. But then we have stuff like curl and Java, which have their own lists. For whatever reason they don't seem to be updated as quickly as the browsers.

And the site in question have a very new certificate, probably generated in February this year.

Searching for the first line in the curl output I found this SO thread:

Looking at the top answer, the solution is to update the list of certs in curl. And as far as I can tell that's what @sedd explained in #4 also.

I think this is fairly correct, but I don't know what the best solution is though.
 
Upvote 0

aminoacid

Active Member
Licensed User
Longtime User
The last time I worked on the code it was working fine so that's why I thought it was a caching issue and decided to see if just a simple web page would load from the server. The server, BTW is a B4J websockets server (jserver 3.0). Also, everything works fine with B4A and B4I webview. Just B4J that chokes.
 
Upvote 0

aminoacid

Active Member
Licensed User
Longtime User
Ok.... I got it to work. Thank you @sedd and @Sandman
Once I added the certificate to the local JRE cacerts file, I could view the page.
The procedure to do this is outlined in the link below.


[edit] This resolves the problem but it got me thinking about what if you need to distribute the application? You can't expect the end-user to have to add the certificate manually. The certificate is a purchased, perfectly valid certificate (issued by DigiCert) and works in other browsers so it seems strange that this behavior is specific to browsers like curl and webview.
 
Last edited:
Upvote 0
Solution

aminoacid

Active Member
Licensed User
Longtime User
How do you output the html page with JServer?

I'm running a B4J websockets appliction that uses jServer. The home sub-directory is "www" with index.html as the default page. I just placed the apache test page in this folder.
 
Upvote 0

aeric

Expert
Licensed User
Longtime User
Another solution is to use HU2_ACCEPTALL in Conditional Symbols and use OkHttpUtils2 to download the page then display using WebView1.LoadHtml(job.GetString)
But I am not sure it is already fixed at your side.
 

Attachments

  • WebViewTest.zip
    2.3 KB · Views: 131
Upvote 0

aminoacid

Active Member
Licensed User
Longtime User
Another solution is to use HU2_ACCEPTALL in Conditional Symbols and use OkHttpUtils2 to download the page then display using WebView1.LoadHtml(job.GetString)
But I am not sure it is already fixed at your side.

Thanks! Good information to keep in mind for future reference. However in my case I have to use webview since my application does more than just display a page. I used the apache page for testing only.
 
Upvote 0

Sandman

Expert
Licensed User
Longtime User
This resolves the problem but it got me thinking about what if you need to distribute the application? You can't expect the end-user to have to add the certificate manually. The certificate is a purchased, perfectly valid certificate (issued by DigiCert) and works in other browsers so it seems strange that this behavior is specific to browsers like curl and webview.
Yeah, that's why I couldn't find a solution to recommend. I should have been more clear about it, sorry.

On second thought, the only thing I can think of is to get a different certificate that is (more) guaranteed to work, assuming that the primary use of the website is via a webview in your app. Sucks, but works.

I assume it's possible to configure webview to not care of the validity of the cert (it is for curl), which would solve the direct issue and display the site in the webview. But it would also open up a giant security hole, the cert is there for a reason - don't do this. :)
 
Upvote 0

aminoacid

Active Member
Licensed User
Longtime User
Yeah, that's why I couldn't find a solution to recommend. I should have been more clear about it, sorry.

On second thought, the only thing I can think of is to get a different certificate that is (more) guaranteed to work, assuming that the primary use of the website is via a webview in your app. Sucks, but works.

I assume it's possible to configure webview to not care of the validity of the cert (it is for curl), which would solve the direct issue and display the site in the webview. But it would also open up a giant security hole, the cert is there for a reason - don't do this. :)

Yes... that's exactly what I was looking for..... Some way to configure webview to ignore the validity of the certificate. In my application, security is not an issue. However I could not find any way to do this.
 
Upvote 0

teddybear

Well-Known Member
Licensed User
[edit] This resolves the problem but it got me thinking about what if you need to distribute the application? You can't expect the end-user to have to add the certificate manually. The certificate is a purchased, perfectly valid certificate (issued by DigiCert) and works in other browsers so it seems strange that this behavior is specific to browsers like curl and webview.
I wrapped a library for trusting all websites, it is like HU2_ACCEPTALL , you don't have to add the certificate manually.
B4X:
    Dim AT As AllTrust
    AT.Initialize
    WebView1.LoadUrl("https://strikenet-tx.com/apache.html")
 

Attachments

  • alltrust.zip
    2 KB · Views: 157
  • AllTrust.xml
    990 bytes · Views: 138
  • AllTrust.jar
    2.7 KB · Views: 122
Upvote 0

aeric

Expert
Licensed User
Longtime User
My understanding is, you install your certificate on the server.
I have a small VPS hosting from hostinger. My port 80 is used by Apache server and can run PHP.
I created Let's Encrypt SSL and the certificate is shared with all the ports, including (and intended for) all my B4J Jetty Server apps running on other port numbers.
Nothing is needed to be done for the client apps.

 
Upvote 0

drgottjr

Expert
Licensed User
Longtime User
configuring webview to ignore ssl certs is trivial.
you can also arrange things so that a list of
white-listed sites with problematic certificates
could still be loaded by webview. this list could
be compiled by the developer or the user and
be updated as needed. in the case of a
distributed app, it has to be understood by the
user that any sites added to the list by him are
his responsibility. as has been pointed out,
the major browsers have little choice but to
update such a list as certifiying authorities come
and go. there is no reason you could not do
the same for your app.
 
Upvote 0

aminoacid

Active Member
Licensed User
Longtime User
I wrapped a library for trusting all websites, it is like HU2_ACCEPTALL , you don't have to add the certificate manually.
B4X:
    Dim AT As AllTrust
    AT.Initialize
    WebView1.LoadUrl("https://strikenet-tx.com/apache.html")

Thanks! I tried it, but get this error when compiling:

java.lang.UnsupportedClassVersionError: b4j/teddybear/alltrust has been compiled by a more recent version of the Java Runtime (class file version 53.0), this version of the Java Runtime only recognizes class file versions up to 52.0

I am using the latest version of B4J, Java8 JDK 8u371

Do I need the library source?
 
Upvote 0

teddybear

Well-Known Member
Licensed User
Thanks! I tried it, but get this error when compiling:

java.lang.UnsupportedClassVersionError: b4j/teddybear/alltrust has been compiled by a more recent version of the Java Runtime (class file version 53.0), this version of the Java Runtime only recognizes class file versions up to 52.0

I am using the latest version of B4J, Java8 JDK 8u371

Do I need the library source?
The jar has been updated for jdk8
 
Last edited:
Upvote 0
Top