Error messages on invalid SSL certificates contain no information about what the offending certificate is. This makes it hard to understand sporadic certificate errors. Since sporadic certificate errors may be the sign of an attack, the required information to track such an issue should be available.
Environment Information
Mattermost App Version: Android 2.23.1
Steps to reproduce
Connect to a server from the Android app, change the SSL certificate of that server to an invalid certificate.
Expected behavior
I believe that one should be able to see what the offending certificate is - at least in the debug log - and be informed what the result of this is - whether actually data is at risk as the error message currently seems to imply or the connection is at least dropped to protect user data.
Observed behavior (that appears unintentional)
One is just informed that the certificate is invalid with an identical message in the debug log.
Possible fixes
I believe the debug log text comes from https://github.com/mattermost/react-native-network-client/blob/0ad8fad7867e1f7540a4a39caeecd918558054fa/android/src/main/java/com/mattermost/networkclient/NetworkClient.kt#L486 where the issue of missing debug information w.r.t. the offending certificate could be improved centrally.
The frontend text of the alert window shown to users currently uses the identical wording and is shown in mattermost-mobile/app/managers/network_manager.ts, line 154 in 1bb024e. I think it would be rather difficult to provide certificate information here, so I'd propose to just change mattermost/react-native-network-client and potentially just add some documentation to the frontend text about more information in the debug log.
2xB changed the title from "Error messages on invalid SSL certificates are not explanatory" to "Error messages on invalid SSL certificates miss certificate information" on Jan 8, 2025
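One way to get the offending certificate into the debug log, shown as an added example that is not code from react-native-network-client or mattermost-mobile: a delegating trust manager that logs every certificate in a rejected chain and then rethrows, so the connection is still dropped. `LoggingTrustManager`, `describe`, `systemTrustManagerWithLogging` and the `log` callback are hypothetical names.

```kotlin
import java.security.KeyStore
import java.security.MessageDigest
import java.security.cert.CertificateException
import java.security.cert.X509Certificate
import javax.net.ssl.TrustManagerFactory
import javax.net.ssl.X509TrustManager

// Hypothetical wrapper: delegates every decision to the platform trust manager
// and only adds logging when validation fails. It never accepts a chain itself.
class LoggingTrustManager(
    private val delegate: X509TrustManager,
    private val log: (String) -> Unit, // e.g. { msg -> Log.d("TLS", msg) } on Android
) : X509TrustManager {

    override fun checkServerTrusted(chain: Array<X509Certificate>, authType: String) {
        try {
            delegate.checkServerTrusted(chain, authType)
        } catch (e: CertificateException) {
            log("Server certificate rejected: ${e.message}")
            chain.forEachIndexed { i, cert -> log("  [$i] ${describe(cert)}") }
            throw e // fail closed: the handshake is still aborted
        }
    }

    override fun checkClientTrusted(chain: Array<X509Certificate>, authType: String) =
        delegate.checkClientTrusted(chain, authType)

    override fun getAcceptedIssuers(): Array<X509Certificate> = delegate.acceptedIssuers
}

// Public, non-secret fields that identify a certificate in a log line.
fun describe(cert: X509Certificate): String {
    val sha256 = MessageDigest.getInstance("SHA-256").digest(cert.encoded)
        .joinToString(":") { "%02X".format(it) }
    return "subject=${cert.subjectX500Principal.name} " +
        "issuer=${cert.issuerX500Principal.name} " +
        "serial=${cert.serialNumber.toString(16)} " +
        "valid=${cert.notBefore}..${cert.notAfter} sha256=$sha256"
}

// Builds the wrapper around the default system trust store.
fun systemTrustManagerWithLogging(log: (String) -> Unit): X509TrustManager {
    val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
    tmf.init(null as KeyStore?)
    val system = tmf.trustManagers.filterIsInstance<X509TrustManager>().first()
    return LoggingTrustManager(system, log)
}
```

This covers chain validation failures only; a certificate that chains correctly but does not match the host name is rejected by the hostname verifier, which would need its own log line.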