[CEF+Proxy] request handler on certificate error not called


Postby danieledll » Fri Jul 11, 2014 9:59 am

Hi to all,

I'm building an application that needs to alter the content of some specific webpages that use HTTPS. It is for our company's internal use; we need to extend some features exposed by a third-party service.

Initially I tried with a custom scheme handler for http and https but, unfortunately, I faced some bugs (some fixed using patches from bug reports, another one, related to flash sync io, not fixed) that forced me to change the way I was doing things.

In the end I decided to leave CEF untouched and use a MITM (man in the middle) proxy to alter the html pages for my needs.

The biggest problem that I'm facing is that the CefRequestHandler::OnCertificateError callback isn't triggered for untrusted certificates used by my proxy! I tried with the ignore-certificate-errors switch and with the websecurity flag set to off, without success.

Is there another callback to use?

I don't want to install a root certificate because my boss asked me to consider the (future) possibility of distributing this application to third parties, and installing a CA on a third-party computer may be a serious security issue (basically anyone who owns the application can extract the CA private key and do MITM without being noticed by the user, not very nice).

I am using C# with Xilium.CefGlue but, as far as I understand, this problem isn't related to it.

I don't have any kind of problem in rebuilding CEF and/or Xilium.CefGlue, I did it to fix the bugs I faced.

I tried Xilium.CefGlue dca991a20acf and f9edd9354cfc and Cef 3.1750.1704 (cefbuilds) and 3.1916.1750 (patched with #1259 and partially with #1070 for mime type handling).

Thanks!
danieledll
Newbie
Posts: 5
Joined: Mon Jun 20, 2011 4:36 pm

Re: [CEF+Proxy] request handler on certificate error not cal

Postby magreenblatt » Fri Jul 11, 2014 10:05 am

danieledll wrote: In the end I decided to leave CEF untouched and use a MITM (man in the middle) proxy to alter the html pages for my needs.

If the certificate is self-signed or otherwise invalid then using the proxy via HTTPS is providing you with no security benefit. Either use HTTP or use a valid certificate.
magreenblatt
Site Admin
Posts: 12409
Joined: Fri May 29, 2009 6:57 pm

Re: [CEF+Proxy] request handler on certificate error not cal

Postby magreenblatt » Fri Jul 11, 2014 10:06 am

danieledll wrote: Initially I tried with custom scheme handler for http and https but, unfortunately, i faced some bugs (some fixed using patches from bug reports, another one, related to flash sync io, not fixed) that forced me to change the way i was doing the stuff.

Which patches are you referring to? Is there a bug report for the flash sync io issue?
magreenblatt
Site Admin
Posts: 12409
Joined: Fri May 29, 2009 6:57 pm

Re: [CEF+Proxy] request handler on certificate error not cal

Postby danieledll » Mon Jul 14, 2014 3:39 am

magreenblatt wrote:
danieledll wrote: In the end I decided to leave CEF untouched and use a MITM (man in the middle) proxy to alter the html pages for my needs.

If the certificate is self-signed or otherwise invalid then using the proxy via HTTPS is providing you with no security benefit. Either use HTTP or use a valid certificate.

I know, but we don't control the service; as I said, it is a third-party service that we don't manage ourselves.

Apparently I am dumb: it was my fault with the proxy part. Now it works correctly even without a (locally trusted) root certificate.

However, if I disable ignore-certificate-errors, CefRequestHandler::OnCertificateError doesn't get called.
My two cents: if ignore-certificate-errors ignores invalid proxy certificates too, then CefRequestHandler::OnCertificateError should be able to handle invalid proxy certificates too.


magreenblatt wrote:
danieledll wrote: Initially I tried with custom scheme handler for http and https but, unfortunately, i faced some bugs (some fixed using patches from bug reports, another one, related to flash sync io, not fixed) that forced me to change the way i was doing the stuff.

Which patches are you referring to? Is there a bug report for the flash sync io issue?

The patches I'm talking about are the ones attached to issues:
- #1259
- #1070, of which I have applied the part related to mime type handling

The patch for #1259 has been applied to the trunk and to ver. 1916 by you (trunk rev 1763, ver. 1916 rev 1764).

By the way, consider applying the part of the #1070 patch related to mime type handling; otherwise it will not be possible to set the mime type in custom resource handlers.

The flash sync io issue is issue #1332:
https://code.google.com/p/chromiumembed ... il?id=1332

I am very sorry that I am not able to give a full list of steps to reproduce it or to post unit tests: I am not good with C++ and I would need to write a custom resource handler for http/https that handles network requests over threads.

I noticed that CEF3 hangs when using a custom resource handler for http and https that works over the network and flash tries to download some content (e.g. sound). It happens mainly while using a release build; with a debug build, probably, CEF3 is so slow that the network request is able to complete.
danieledll
Newbie
Posts: 5
Joined: Mon Jun 20, 2011 4:36 pm
