Don't use React Native's version of okhttp3 to fix self signed SSL

[jtreanor]

Fixes #9032

Rect native uses okhttp version 3.11.0 while FluxC uses 3.9.0. Normally this would not be a major issue but there is a known problem with later versions of okhttp breaking self signed SSL (wordpress-mobile/WordPress-FluxC-Android#919).

We don't fully understand the scope of the issue but I think the safest thing to do is to use the version that we know works as expected (I have tested this). Gutenberg/React Native also seems to be working fine with this version (both binary and source versions).

To test:

Follow these steps on release/11.6 and on this branch:

1. Open the app
2. Tap "Login" and "Login by entering site address"
3. Enter a self signed SSL site address
4. Click next

On release/11.6, it will give an error saying the site does not exist. On this branch it will allow you to login as expected.

Update release notes:

• If there are user facing changes, I have added an item to RELEASE-NOTES.txt.

[hypest]

On release/11.6, it will give an error saying the site does not exist.

👋 @jtreanor , I tried with the selfhosted site from http://do.wpmt.co/ (https://do2.wpmt.co/sslselfsigned/) and what I see is the "Invalid SSL certificate" popup, which asks about accepting the certificate or not. Any other step or site I can test that gives out a "site does not exist" error instead? Thanks!

[aforcier]

@hypest you have to accept the certificate in any case - the error will occur after you've accepted the certificate.

[hypest]

Sorry, should have mentioned it before @aforcier. I actually had accepted the cert and moved on with logging in in my test. Everything seemed to work as normal.

[hypest]

Maybe I need to be on a particular build flavor? I tried wasabiDebug. I'll try vanillaRelease.

EDIT: can't repro on vanillaRelease either. Using commit hash: c5d268f.

[hypest]

Haven't been able to reproduce the originating issue but, this change makes sense to me so, 👍.

[aforcier]

Confirmed fixed with the same self-signed SSL site I know you used to test @jtreanor - shared it with @hypest and he was able to confirm too.

!

[jtreanor]

Thanks for testing @hypest and @aforcier ! As @aforcier mentioned the site I was testing with was different to the one you mentioned. It looks like https://do2.wpmt.co/sslselfsigned/ is working for me as well, so something about the other cert breaks with the later okhttp version.

This is a promising sign that the issue is not as widespread as I thought and will help in the investigation. I agree that we should still make this change until we are sure of the implications of upgrading okhttp in FluxC.

[aforcier]

Just for future reference, I corrected a mistake in the config for https://do2.wpmt.co/sslselfsigned/ that allowed our self-hosted discovery process to connected to it via unencrypted HTTP and produce a false positive. It should now fail without this patch.