Fix SSL issues (#2655)

fire-light42 · web-flow · commit fb54d02979c3 · 2026-04-13T22:21:52.000Z
diff --git a/app/src/main/java/com/lagradost/cloudstream3/MainActivity.kt b/app/src/main/java/com/lagradost/cloudstream3/MainActivity.kt
@@ -1169,7 +1169,10 @@ class MainActivity : AppCompatActivity(), ColorPickerDialogListener, BiometricCa
     }
 
     override fun onCreate(savedInstanceState: Bundle?) {
-        app.initClient(this)
+        app.initClient(this, ignoreSSL = false)
+        @OptIn(UnsafeSSL::class)
+        insecureApp.initClient(this, ignoreSSL = true)
+
         val settingsManager = PreferenceManager.getDefaultSharedPreferences(this)
 
         setLastError(this)
@@ -2059,4 +2062,4 @@ class MainActivity : AppCompatActivity(), ColorPickerDialogListener, BiometricCa
             false
         }
     }
-}
+}
diff --git a/app/src/main/java/com/lagradost/cloudstream3/network/RequestsHelper.kt b/app/src/main/java/com/lagradost/cloudstream3/network/RequestsHelper.kt
@@ -2,6 +2,7 @@ package com.lagradost.cloudstream3.network
 
 import android.content.Context
 import androidx.preference.PreferenceManager
+import com.lagradost.cloudstream3.Prerelease
 import com.lagradost.cloudstream3.R
 import com.lagradost.cloudstream3.USER_AGENT
 import com.lagradost.cloudstream3.mvvm.safe
@@ -15,19 +16,38 @@ import org.conscrypt.Conscrypt
 import java.io.File
 import java.security.Security
 
+// Backwards compatible constructor, mark as deprecated later
 fun Requests.initClient(context: Context) {
     this.baseClient = buildDefaultClient(context)
 }
 
+/** Only use ignoreSSL if you know what you are doing*/
+@Prerelease
+fun Requests.initClient(context: Context, ignoreSSL: Boolean = false) {
+    this.baseClient = buildDefaultClient(context, ignoreSSL)
+}
+
+
+// Backwards compatible constructor, mark as deprecated later
 fun buildDefaultClient(context: Context): OkHttpClient {
+    return buildDefaultClient(context, false)
+}
+
+/** Only use ignoreSSL if you know what you are doing*/
+@Prerelease
+fun buildDefaultClient(context: Context, ignoreSSL: Boolean = false): OkHttpClient {
     safe { Security.insertProviderAt(Conscrypt.newProvider(), 1) }
     
     val settingsManager = PreferenceManager.getDefaultSharedPreferences(context)
     val dns = settingsManager.getInt(context.getString(R.string.dns_pref), 0)
     val baseClient = OkHttpClient.Builder()
         .followRedirects(true)
         .followSslRedirects(true)
-        .ignoreAllSSLErrors()
+        .apply {
+            if (ignoreSSL) {
+                ignoreAllSSLErrors()
+            }
+        }
         .cache(
             // Note that you need to add a ResponseInterceptor to make this 100% active.
             // The server response dictates if and when stuff should be cached.
@@ -52,11 +72,6 @@ fun buildDefaultClient(context: Context): OkHttpClient {
     return baseClient
 }
 
-//val Request.cookies: Map<String, String>
-//    get() {
-//        return this.headers.getCookies("Cookie")
-//    }
-
 private val DEFAULT_HEADERS = mapOf("user-agent" to USER_AGENT)
 
 /**
diff --git a/library/src/commonMain/kotlin/com/lagradost/cloudstream3/MainAPI.kt b/library/src/commonMain/kotlin/com/lagradost/cloudstream3/MainAPI.kt
@@ -55,6 +55,13 @@ annotation class Prerelease
 )
 annotation class InternalAPI
 
+@Retention(AnnotationRetention.BINARY) // This is only an IDE hint, and will not be used in the runtime
+@RequiresOptIn(
+    message = "Only use this if you know what you are doing and you need to bypass the SSL certificate checks. Never use this for sensitive network requests such as logins.",
+    level = RequiresOptIn.Level.WARNING
+)
+annotation class UnsafeSSL
+
 /**
  * Defines the constant for the all languages preference, if this is set then it is
  * the equivalent of all languages being set
diff --git a/library/src/commonMain/kotlin/com/lagradost/cloudstream3/MainActivity.kt b/library/src/commonMain/kotlin/com/lagradost/cloudstream3/MainActivity.kt
@@ -8,8 +8,7 @@ import com.lagradost.nicehttp.ResponseParser
 import kotlin.reflect.KClass
 
 // Short name for requests client to make it nicer to use
-
-var app = Requests(responseParser = object : ResponseParser {
+private val jacksonResponseParser = object : ResponseParser {
     val mapper: ObjectMapper = jacksonObjectMapper().configure(
         DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES,
         false
@@ -30,6 +29,18 @@ var app = Requests(responseParser = object : ResponseParser {
     override fun writeValueAsString(obj: Any): String {
         return mapper.writeValueAsString(obj)
     }
-}).apply {
+}
+
+/** The default networking helper. This helper performs SSL checks.
+ * If you need to make requests to websites with invalid SSL certificates use insecureApp instead. */
+var app = Requests(responseParser = jacksonResponseParser).apply {
+    defaultHeaders = mapOf("user-agent" to USER_AGENT)
+}
+
+/** Same as the default app networking helper, but this instance ignores SSL certificates.
+ * This should NEVER be used for sensitive networking operations such as logins. Only use this when required. */
+@Prerelease
+@UnsafeSSL
+var insecureApp = Requests(responseParser = jacksonResponseParser).apply {
     defaultHeaders = mapOf("user-agent" to USER_AGENT)
 }

Original file line number	Diff line number	Diff line change
`@@ -1169,7 +1169,10 @@ class MainActivity : AppCompatActivity(), ColorPickerDialogListener, BiometricCa`
`1169`	`1169`	`}`
`1170`	`1170`
`1171`	`1171`	`override fun onCreate(savedInstanceState: Bundle?) {`
`1172`		`- app.initClient(this)`
	`1172`	`+ app.initClient(this, ignoreSSL = false)`
	`1173`	`+ @OptIn(UnsafeSSL::class)`
	`1174`	`+ insecureApp.initClient(this, ignoreSSL = true)`
	`1175`	`+`
`1173`	`1176`	`val settingsManager = PreferenceManager.getDefaultSharedPreferences(this)`
`1174`	`1177`
`1175`	`1178`	`setLastError(this)`
`@@ -2059,4 +2062,4 @@ class MainActivity : AppCompatActivity(), ColorPickerDialogListener, BiometricCa`
`2059`	`2062`	`false`
`2060`	`2063`	`}`
`2061`	`2064`	`}`
`2062`		`-}`
	`2065`	`+}`