Skip to content

CERTIFICATE_VERIFY_FAILED crash in _RawSecureSocket._tryFilter#4529

Closed
aaravgarg wants to merge 1 commit intomainfrom
fix/ios-crash-certificate-verify-failed
Closed

CERTIFICATE_VERIFY_FAILED crash in _RawSecureSocket._tryFilter#4529
aaravgarg wants to merge 1 commit intomainfrom
fix/ios-crash-certificate-verify-failed

Conversation

@aaravgarg
Copy link
Collaborator

@aaravgarg aaravgarg commented Feb 1, 2026

Summary

  • Catch HandshakeException and TlsException in the HTTP retry loop
  • Return synthetic 503 response for TLS/certificate errors instead of letting them crash the app
  • Handles CERTIFICATE_VERIFY_FAILED errors that occur when device clock is wrong, CA issues, or network middleboxes

Crash Stats

Test plan

  • Verify normal HTTPS requests still work
  • Test with expired certificate scenario (should return 503, not crash)

🤖 Generated with Claude Code

@aaravgarg @claude
fix: catch HandshakeException and TlsException in HTTP retry loop
8e63105 
Add catch clauses for HandshakeException (CERTIFICATE_VERIFY_FAILED) and
TlsException in the retry loop, and return a synthetic 503 response
instead of crashing the app on TLS/certificate errors.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@aaravgarg aaravgarg requested a review from mdmohsin7 February 1, 2026 23:14
gemini-code-assist[bot]
gemini-code-assist bot reviewed Feb 1, 2026
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request effectively resolves a crash caused by CERTIFICATE_VERIFY_FAILED by introducing error handling for HandshakeException and TlsException. The approach of returning a synthetic 503 response is a good strategy to prevent the app from crashing while signaling a transport-level issue to the rest of the application. The included suggestions to simplify the implementation by leveraging the class hierarchy of these exceptions are valid and should make the code slightly more concise and maintainable.

app/lib/backend/http/http_pool_manager.dart
Comment on lines +76 to +79
} on HandshakeException catch (e) {
lastError = e;
} on TlsException catch (e) {
lastError = e;
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot Feb 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

Since HandshakeException is a subtype of TlsException, you can simplify this by catching only TlsException. This will handle HandshakeException and any other potential TLS-related exceptions (like CertificateException) in a single block.

      } on TlsException catch (e) {
        // This catches HandshakeException and other TlsExceptions.
        lastError = e;
      }

app/lib/backend/http/http_pool_manager.dart
if (lastResponse != null) return lastResponse;

// Return synthetic 503 for TLS/certificate errors instead of crashing
if (lastError is HandshakeException || lastError is TlsException) {
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot Feb 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

To align with the simplification of catching only TlsException, this condition can also be simplified.

    if (lastError is TlsException) {

@mdmohsin7
Copy link
Member

mdmohsin7 commented Feb 5, 2026

A better fix is to not allow the app which doesn't support TLS (disabled that app)

@mdmohsin7 mdmohsin7 closed this Feb 5, 2026
@github-actions
Copy link
Contributor

github-actions bot commented Feb 5, 2026

Hey @aaravgarg 👋

Thank you so much for taking the time to contribute to Omi! We truly appreciate you putting in the effort to submit this pull request.

After careful review, we've decided not to merge this particular PR. Please don't take this personally — we genuinely try to merge as many contributions as possible, but sometimes we have to make tough calls based on:

  • Project standards — Ensuring consistency across the codebase
  • User needs — Making sure changes align with what our users need
  • Code best practices — Maintaining code quality and maintainability
  • Project direction — Keeping aligned with our roadmap and vision

Your contribution is still valuable to us, and we'd love to see you contribute again in the future! If you'd like feedback on how to improve this PR or want to discuss alternative approaches, please don't hesitate to reach out.

Thank you for being part of the Omi community! 💜

@aaravgarg
Copy link
Collaborator Author

aaravgarg commented Feb 5, 2026

A better fix is to not allow the app which doesn't support TLS (disabled that app)

A better fix is to not allow the app which doesn't support TLS (disabled that app)

which app was it curious

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mdmohsin7 mdmohsin7 Awaiting requested review from mdmohsin7

1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@aaravgarg @mdmohsin7