[SOLVED] pinning-test.badssl.com not triggering cert error


Postby ndesktop » Tue Jun 26, 2018 2:27 am

I'm debugging CEF for the URL https://pinning-test.badssl.com/ and no error is triggered.
For some reason CERT_STATUS_PINNED_KEY_MISSING is not fired.

"Show SSL Information" from the contextual menu also does not show a status error (in fact, it does not show any status).

Chrome blocks the page and displays
Your connection is not private
Attackers might be trying to steal your information from pinning-test.badssl.com (for example, passwords, messages, or credit cards). Learn more
NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN

Is there any option/custom modification in CEF/Chromium source code that might help to catch this?
I've placed breakpoints in all ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN places I could find in CEF 3282 (I know, deprecated) but no stop.

The page displays in cefclient
"This site is preloaded with a bad HPKP pin starting in Chrome 48."
so I don't think it is 3282 related.
Last edited by ndesktop on Wed Jul 04, 2018 2:42 am, edited 1 time in total.

Re: pinning-test.badssl.com not triggering certificate error

Postby Czarek » Sun Jul 01, 2018 10:38 pm

Not sure if related, but it seems CEF is missing these cert flags that are defined in upstream:

// Bits 24 - 31 are for errors.
CERT_STATUS_FLAG(CERTIFICATE_TRANSPARENCY_REQUIRED, 1 << 24)
CERT_STATUS_FLAG(SYMANTEC_LEGACY, 1 << 25)

There is this comment in CEF header file cef_types.h:

// Bits 16 to 31 are for non-error statuses.

Which seems wrong.
Maintainer of the CEF Python, PHP Desktop and CEF C API projects. My LinkedIn.
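The practical consequence of the two comments above is a masking difference: if an embedder derives an "is this an error?" mask from the CEF header comment (bits 0-15 only), any status that carries only an error bit from the 24-31 range is classified as clean. The following added example (not CEF or Chromium code) makes that concrete using the two flag values quoted from upstream; the error masks are derived from the bit-range comments in the thread, and the bit-16 non-error flag is a constructed placeholder.

```cpp
#include <cstdint>

// Bit layout as documented upstream (from the comments quoted in the thread):
//   bits  0-15: error statuses
//   bits 16-23: non-error statuses
//   bits 24-31: error statuses (CERTIFICATE_TRANSPARENCY_REQUIRED, SYMANTEC_LEGACY)
// The CEF header comment instead claims bits 16-31 are all non-error.
constexpr uint32_t kUpstreamErrorMask   = 0xFF00FFFFu;  // bits 0-15 and 24-31
constexpr uint32_t kCefCommentErrorMask = 0x0000FFFFu;  // bits 0-15 only

// Flag values exactly as posted from upstream.
constexpr uint32_t kCertStatusCtRequired     = 1u << 24;
constexpr uint32_t kCertStatusSymantecLegacy = 1u << 25;
// Constructed placeholder for some non-error status in the 16-23 range (assumption).
constexpr uint32_t kSomeNonErrorStatus = 1u << 16;

// True if cert_status carries any error bit under the upstream layout.
bool IsCertStatusErrorUpstream(uint32_t cert_status) {
  return (cert_status & kUpstreamErrorMask) != 0;
}

// True if cert_status carries any error bit under the CEF comment's layout.
// This is the check an embedder would write if it trusted cef_types.h.
bool IsCertStatusErrorPerCefComment(uint32_t cert_status) {
  return (cert_status & kCefCommentErrorMask) != 0;
}

// Returns the error bits that the narrower (CEF comment) mask silently drops,
// i.e. error bits living in the 24-31 range.
uint32_t MissedErrorBits(uint32_t cert_status) {
  return cert_status & kUpstreamErrorMask & ~kCefCommentErrorMask;
}
```

Any non-zero result from MissedErrorBits() is a status that Chrome would treat as a certificate error but a mask built from the CEF comment would let through.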

Re: pinning-test.badssl.com not triggering certificate error

Postby ndesktop » Mon Jul 02, 2018 12:32 am

Might be right.

In the Chromium source code, searching for ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN I see this is handled explicitly:
bool IsCertificateError(int error) {
  // Certificate errors are negative integers from net::ERR_CERT_BEGIN
  // (inclusive) to net::ERR_CERT_END (exclusive) in *decreasing* order.
  // ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN is currently an exception to this
  // rule.
  return (error <= ERR_CERT_BEGIN && error > ERR_CERT_END) ||
         (error == ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN);
}

Re: pinning-test.badssl.com not triggering certificate error

Postby ndesktop » Mon Jul 02, 2018 12:59 am

Filed issue 2467.
I'm planning a patch in the next days, but if it is something simple and someone else is quicker, by all means PR this one.

Re: pinning-test.badssl.com not triggering certificate error

Postby ndesktop » Wed Jul 04, 2018 2:40 am

HPKP is not enabled for developer builds. Closing issue as invalid, since CEF for sure won't maintain official pins.