[solved] OnLoadError instead of OnCertificateError

Having problems with building or using CEF's C/C++ APIs? This forum is here to help. Please do not post bug reports or feature requests here.

[solved] OnLoadError instead of OnCertificateError

Postby olzzen » Tue Jun 15, 2021 5:00 am

Hi,

we are using self-signed certificates in our linux environment. To manage those within CEF we have implemented our own certificate handling including the ability to import the certificate into the nss database. This handling was based on CefRequestHandler::OnCertificateError. After upgrading to version 90.6.7, the error handler is no longer being called for our self-signed certificates. Instead the CefLoadHandler::OnLoadError function is called with an error message
Failed to load URL https://.../index.html with error ERR_INSECURE_RESPONSE (-501).
. Same behaviour could be observed when using cefsimple with the URL.

We have tested this with version 80.0.3987 and cefsimple and it loads the URL without any problems. For the version 90.6.7 the URL in cefsimple loads only when the "ignore-certificate-errors" switch is used.

Why is the CefRequestHandler::OnCertificateError function no longer being called in 90.6.7 for self-signed certificates?

Thanks in advance!
Last edited by olzzen on Fri Jun 18, 2021 12:36 am, edited 1 time in total.
olzzen
Techie
 
Posts: 28
Joined: Fri Oct 23, 2015 1:01 am

Re: OnLoadError instead of OnCertificateError on self-signed

Postby amaitland » Tue Jun 15, 2021 5:15 am

How do certificates from https://badssl.com/ behave?
Maintainer of the CefSharp project.
amaitland
Master
 
Posts: 958
Joined: Wed Jan 14, 2015 2:35 am

Re: OnLoadError instead of OnCertificateError on self-signed

Postby olzzen » Tue Jun 15, 2021 8:54 am

Here are the relevant callstacks...

looks good for badssl.com:
Code: Select all
virtual bool RequestHandler::OnBeforeBrowse(...): url = https://badssl.com/
virtual bool RequestHandler::OnBeforeBrowse(...): url = https://self-signed.badssl.com/
[0615/154138.738281:ERROR:ssl_client_socket_impl.cc(947)] handshake failed; returned -1, SSL error code 1, net_error -202
virtual bool RequestHandler::OnCertificateError(...)


It seems that with our self-signed certificates it depends on the URL...

looks bad if we don't specify the full URL (Browser --url="remotehost"):
Code: Select all
virtual bool RequestHandler::OnBeforeBrowse(...): url = http://remotehost/index.html
virtual bool RequestHandler::OnBeforeBrowse(...): url = https://remotehost/index.html
[0615/154531.307069:ERROR:ssl_client_socket_impl.cc(947)] handshake failed; returned -1, SSL error code 1, net_error -202
virtual void LoadHandler::OnLoadError(...): ERR_INSECURE_RESPONSE (-501)


looks good with full address (Browser --url="https://remotehost");
Code: Select all
virtual bool RequestHandler::OnBeforeBrowse(...): url = https://remotehost/
[0615/154138.738281:ERROR:ssl_client_socket_impl.cc(947)] handshake failed; returned -1, SSL error code 1, net_error -202
virtual bool RequestHandler::OnCertificateError(...)
olzzen
Techie
 
Posts: 28
Joined: Fri Oct 23, 2015 1:01 am

Re: OnLoadError instead of OnCertificateError on self-signed

Postby magreenblatt » Tue Jun 15, 2021 10:13 am

If you don’t specify the scheme it will use “http” not “https”.
magreenblatt
Site Admin
 
Posts: 10923
Joined: Fri May 29, 2009 6:57 pm

Re: OnLoadError instead of OnCertificateError on self-signed

Postby olzzen » Tue Jun 15, 2021 3:11 pm

I think i don't understand that correctly... In the callstack there is a second call to OnBeforeBrowse with "https" scheme, although the cmdline parameter was "--url=remotehost". Where does this second call come from?

Code: Select all
virtual bool RequestHandler::OnBeforeBrowse(...): url = http://remotehost/index.html
virtual bool RequestHandler::OnBeforeBrowse(...): url = https://remotehost/index.html
[0615/154531.307069:ERROR:ssl_client_socket_impl.cc(947)] handshake failed; returned -1, SSL error code 1, net_error -202
virtual void LoadHandler::OnLoadError(...): ERR_INSECURE_RESPONSE (-501)


The behaviour must have changed, or why is the OnCertificateError callback not being triggered although the ssl handhake failed ([0615/154531.307069:ERROR:ssl_client_socket_impl.cc(947)] handshake failed;)?
olzzen
Techie
 
Posts: 28
Joined: Fri Oct 23, 2015 1:01 am

Re: OnLoadError instead of OnCertificateError on self-signed

Postby magreenblatt » Tue Jun 15, 2021 3:22 pm

Maybe the remote host is redirecting you to https. I suggest viewing network activity in DevTools or using chrome://net-export/
magreenblatt
Site Admin
 
Posts: 10923
Joined: Fri May 29, 2009 6:57 pm

Re: OnLoadError instead of OnCertificateError on self-signed

Postby olzzen » Wed Jun 16, 2021 1:06 am

Ok, that is probably the case. But what is the correct procedure to handle the certificate errors in that case?

We want to support the known treatment of certificate errors, where the user can select wether or not to proceed to the target or to import the certificate into the nss database.
Before the update to 90.6.7 the working implementation was as follows:

Code: Select all
bool RequestHandler::OnBeforeBrowse(...)
{
  if ( url == "certificate:import" )
  {
    importCertificateToNssDB(...);
    return true;
  }
  return false;
}

bool RequestHandler::OnCertificateError(...)
{
  _certificateErrorHandler->loadCertificateErrorPage(...); // Loads a page into the mainframe. Within the page two buttons were created with a href to "certificate:ignore_error" and "certificate:import".
  _lastErrorRequestCallback = callback;
  _lastRequestURL = request->GetURL();
  return true;
}

CefRequestHandler::ReturnValue RequestHandler::OnBeforeResourceLoad(...)
{
  if ( url == "certificate:ignore_error" )
  {
    request->SetURL(_lastRequestURL);
    _lastErrorRequestCallback->Continue(true);
    _lastErrorRequestCallback->Release();
  }
  return RV_CONTINUE;
}


Perhaps that was not the correct solution, and that's why it nowadays does not work. But in that case we would appreciate any hint on the correct way of implementing the described behavior.
olzzen
Techie
 
Posts: 28
Joined: Fri Oct 23, 2015 1:01 am

Re: OnLoadError instead of OnCertificateError on self-signed

Postby magreenblatt » Wed Jun 16, 2021 9:28 am

The error codes should improve with https://bitbucket.org/chromiumembedded/ ... quests/373. Perhaps that will provide the information that you’re missing currently.
magreenblatt
Site Admin
 
Posts: 10923
Joined: Fri May 29, 2009 6:57 pm

Re: OnLoadError instead of OnCertificateError on self-signed

Postby olzzen » Wed Jun 16, 2021 10:33 am

Ok, but this means we have to wait for the pull-request to be accepted and then we must use an unstable CEF-version?

Do you see any problems with our implementation shown in the previous post?
olzzen
Techie
 
Posts: 28
Joined: Fri Oct 23, 2015 1:01 am

Re: OnLoadError instead of OnCertificateError on self-signed

Postby magreenblatt » Wed Jun 16, 2021 10:41 am

It seems reasonable to me that OnCertificateError may not be called, and OnLoadError will be called, depending on why the SSL connection failed. For example, I would not expect OnCertificateError to be called if the connection failed prior to evaluating the certificate. We do not have test coverage for this condition, so I can’t tell you whether the behavior has changed recently or what, exactly, to expect from the current behavior.
magreenblatt
Site Admin
 
Posts: 10923
Joined: Fri May 29, 2009 6:57 pm

Next

Return to Support Forum

Who is online

Users browsing this forum: Google [Bot] and 18 guests