
[solved] OnLoadError instead of OnCertificateError

Posted: Tue Jun 15, 2021 5:00 am
by olzzen
Hi,

We are using self-signed certificates in our Linux environment. To manage those within CEF we have implemented our own certificate handling, including the ability to import the certificate into the NSS database. This handling was based on CefRequestHandler::OnCertificateError. After upgrading to version 90.6.7, the error handler is no longer being called for our self-signed certificates. Instead, the CefLoadHandler::OnLoadError function is called with the error message

    Failed to load URL https://.../index.html with error ERR_INSECURE_RESPONSE (-501).

The same behaviour could be observed when using cefsimple with the URL.

We have tested this with version 80.0.3987 and cefsimple, and it loads the URL without any problems. With version 90.6.7, cefsimple loads the URL only when the "ignore-certificate-errors" switch is used.

Why is the CefRequestHandler::OnCertificateError function no longer being called in 90.6.7 for self-signed certificates?

Thanks in advance!

Re: OnLoadError instead of OnCertificateError on self-signed

Posted: Tue Jun 15, 2021 5:15 am
by amaitland
How do certificates from https://badssl.com/ behave?

Re: OnLoadError instead of OnCertificateError on self-signed

Posted: Tue Jun 15, 2021 8:54 am
by olzzen
Here are the relevant call stacks...

Looks good for badssl.com:

```
virtual bool RequestHandler::OnBeforeBrowse(...): url = https://badssl.com/
virtual bool RequestHandler::OnBeforeBrowse(...): url = https://self-signed.badssl.com/
[0615/154138.738281:ERROR:ssl_client_socket_impl.cc(947)] handshake failed; returned -1, SSL error code 1, net_error -202
virtual bool RequestHandler::OnCertificateError(...)
```


It seems that with our self-signed certificates it depends on the URL...

Looks bad if we don't specify the full URL (Browser --url="remotehost"):

```
virtual bool RequestHandler::OnBeforeBrowse(...): url = http://remotehost/index.html
virtual bool RequestHandler::OnBeforeBrowse(...): url = https://remotehost/index.html
[0615/154531.307069:ERROR:ssl_client_socket_impl.cc(947)] handshake failed; returned -1, SSL error code 1, net_error -202
virtual void LoadHandler::OnLoadError(...): ERR_INSECURE_RESPONSE (-501)
```

Looks good with the full address (Browser --url="https://remotehost"):

```
virtual bool RequestHandler::OnBeforeBrowse(...): url = https://remotehost/
[0615/154138.738281:ERROR:ssl_client_socket_impl.cc(947)] handshake failed; returned -1, SSL error code 1, net_error -202
virtual bool RequestHandler::OnCertificateError(...)
```

Re: OnLoadError instead of OnCertificateError on self-signed

Posted: Tue Jun 15, 2021 10:13 am
by magreenblatt
If you don’t specify the scheme it will use “http” not “https”.

Re: OnLoadError instead of OnCertificateError on self-signed

Posted: Tue Jun 15, 2021 3:11 pm
by olzzen
I think I don't understand that correctly... In the call stack there is a second call to OnBeforeBrowse with the "https" scheme, although the cmdline parameter was "--url=remotehost". Where does this second call come from?

```
virtual bool RequestHandler::OnBeforeBrowse(...): url = http://remotehost/index.html
virtual bool RequestHandler::OnBeforeBrowse(...): url = https://remotehost/index.html
[0615/154531.307069:ERROR:ssl_client_socket_impl.cc(947)] handshake failed; returned -1, SSL error code 1, net_error -202
virtual void LoadHandler::OnLoadError(...): ERR_INSECURE_RESPONSE (-501)
```

The behaviour must have changed, or why is the OnCertificateError callback not being triggered although the SSL handshake failed (`[0615/154531.307069:ERROR:ssl_client_socket_impl.cc(947)] handshake failed;`)?

Re: OnLoadError instead of OnCertificateError on self-signed

Posted: Tue Jun 15, 2021 3:22 pm
by magreenblatt
Maybe the remote host is redirecting you to https. I suggest viewing network activity in DevTools or using chrome://net-export/
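The two points made so far (a scheme-less `--url` value is navigated as http, and a server-side redirect to https explains the second OnBeforeBrowse call) can be checked offline against the handler output already posted in this thread. The script below is an added example, not code from the thread, from CEF or from Chromium; the log samples are copied from the posts above, and the function names (`effective_url`, `analyze`, `verdict`) are this example's own.

```python
"""Reproduce the reasoning in this thread over the posted log lines.

 1. effective_url: the rule stated above, a --url value without a scheme
    is requested as "http", not "https".
 2. analyze: scan RequestHandler/LoadHandler log lines in the format the
    thread prints and report whether the scheme changed between
    OnBeforeBrowse calls (the trace an http->https redirect leaves) and
    which callback finally reported the certificate problem.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Chromium net error codes that appear in the thread's output.
NET_ERRORS = {
    -202: "ERR_CERT_AUTHORITY_INVALID",   # TLS handshake rejected the untrusted (self-signed) cert
    -501: "ERR_INSECURE_RESPONSE",        # what OnLoadError reported afterwards
}

BROWSE_RE = re.compile(r"OnBeforeBrowse\(\.\.\.\): url = (\S+)")
NET_ERR_RE = re.compile(r"net_error (-\d+)")
LOAD_ERR_RE = re.compile(r"OnLoadError\(\.\.\.\): (\w+) \((-\d+)\)")


def effective_url(typed: str) -> str:
    """URL the browser actually requests for a --url value: a bare host
    gets the default scheme http, and an empty path becomes "/"."""
    if "://" not in typed:
        typed = "http://" + typed
    p = urlsplit(typed)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, p.fragment))


def analyze(log: str) -> dict:
    """Summarise the handler output of one navigation."""
    urls = BROWSE_RE.findall(log)
    schemes = [urlsplit(u).scheme for u in urls]
    handshake = [int(c) for c in NET_ERR_RE.findall(log)]
    load_err = LOAD_ERR_RE.search(log)
    return {
        "navigations": urls,
        "scheme_changed": len(set(schemes)) > 1,
        # first request went out as http, a later one as https: the server redirected us
        "redirect_to_https": schemes[:1] == ["http"] and "https" in schemes[1:],
        "handshake_errors": [NET_ERRORS.get(c, str(c)) for c in handshake],
        "cert_error_callback": "OnCertificateError(" in log,
        "load_error": (load_err.group(1), int(load_err.group(2))) if load_err else None,
    }


def verdict(result: dict) -> str:
    """One-line reading of analyze()'s output, following the thread's reasoning."""
    if result["cert_error_callback"]:
        return "certificate error reached OnCertificateError; the import/ignore flow can run"
    if result["redirect_to_https"]:
        return ("navigation started as http and was redirected to https; the certificate "
                "failure surfaced in OnLoadError instead. Pass the https URL explicitly "
                "so the first request is the TLS one")
    return "no certificate error callback seen; inspect the failing request in chrome://net-export/"


# Log lines copied from the thread: scheme-less --url=remotehost vs. the explicit https URL.
REDIRECTED_LOG = """\
virtual bool RequestHandler::OnBeforeBrowse(...): url = http://remotehost/index.html
virtual bool RequestHandler::OnBeforeBrowse(...): url = https://remotehost/index.html
[0615/154531.307069:ERROR:ssl_client_socket_impl.cc(947)] handshake failed; returned -1, SSL error code 1, net_error -202
virtual void LoadHandler::OnLoadError(...): ERR_INSECURE_RESPONSE (-501)
"""
DIRECT_LOG = """\
virtual bool RequestHandler::OnBeforeBrowse(...): url = https://remotehost/
[0615/154138.738281:ERROR:ssl_client_socket_impl.cc(947)] handshake failed; returned -1, SSL error code 1, net_error -202
virtual bool RequestHandler::OnCertificateError(...)
"""

if __name__ == "__main__":
    for typed in ("remotehost", "https://remotehost"):
        print(f"--url={typed!r:22} -> {effective_url(typed)}")
    for name, log in (("redirected", REDIRECTED_LOG), ("direct", DIRECT_LOG)):
        r = analyze(log)
        print(f"{name}: {r['navigations']} -> {verdict(r)}")
```

Run it on your own handler output to see at a glance whether the first request of a navigation was already the TLS one; the same net_error -202 appears in both traces, so the handshake outcome alone does not tell the two cases apart, only the scheme of the first OnBeforeBrowse URL does.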

Re: OnLoadError instead of OnCertificateError on self-signed

Posted: Wed Jun 16, 2021 1:06 am
by olzzen
Ok, that is probably the case. But what is the correct procedure to handle the certificate errors in that case?

We want to support the known treatment of certificate errors, where the user can select whether or not to proceed to the target or to import the certificate into the NSS database.
Before the update to 90.6.7 the working implementation was as follows:

```cpp
bool RequestHandler::OnBeforeBrowse(...)
{
  if ( url == "certificate:import" )
  {
    importCertificateToNssDB(...);
    return true;
  }
  return false;
}

bool RequestHandler::OnCertificateError(...)
{
  // Loads a page into the main frame. Within the page two buttons were created
  // with an href to "certificate:ignore_error" and "certificate:import".
  _certificateErrorHandler->loadCertificateErrorPage(...);
  _lastErrorRequestCallback = callback;
  _lastRequestURL = request->GetURL();
  return true;
}

CefRequestHandler::ReturnValue RequestHandler::OnBeforeResourceLoad(...)
{
  if ( url == "certificate:ignore_error" )
  {
    request->SetURL(_lastRequestURL);
    _lastErrorRequestCallback->Continue(true);
    _lastErrorRequestCallback->Release();
  }
  return RV_CONTINUE;
}
```


Perhaps that was not the correct solution, and that's why it nowadays does not work. But in that case we would appreciate any hint on the correct way of implementing the described behavior.

Re: OnLoadError instead of OnCertificateError on self-signed

Posted: Wed Jun 16, 2021 9:28 am
by magreenblatt
The error codes should improve with https://bitbucket.org/chromiumembedded/ ... quests/373. Perhaps that will provide the information that you’re missing currently.

Re: OnLoadError instead of OnCertificateError on self-signed

Posted: Wed Jun 16, 2021 10:33 am
by olzzen
Ok, but this means we have to wait for the pull request to be accepted and then we must use an unstable CEF version?

Do you see any problems with our implementation shown in the previous post?

Re: OnLoadError instead of OnCertificateError on self-signed

Posted: Wed Jun 16, 2021 10:41 am
by magreenblatt
It seems reasonable to me that OnCertificateError may not be called, and OnLoadError will be called, depending on why the SSL connection failed. For example, I would not expect OnCertificateError to be called if the connection failed prior to evaluating the certificate. We do not have test coverage for this condition, so I can’t tell you whether the behavior has changed recently or what, exactly, to expect from the current behavior.