OnCertificateError called for trusted cert in nssdb


Postby olzzen » Tue Jun 22, 2021 6:27 am

Hi,

we have implemented certificate management, which enables the user to import a certificate (e.g. self-signed) into the user-dependent nssdb. (For information about nssdb: https://chromium.googlesource.com/chrom ... agement.md)
Before we updated the used CEF version from 3.2785.1485 to M91 the following workflow worked as expected.

1. Navigate a webpage with a self-signed certificate (e.g. https://myhomepage)
2. The RequestHandler::OnCertificateError gets called
2.1 Create a page with information about the certificate and a button to import the certificate
2.2 Save the callback, load the information page and return true
3. If the user decides to import the certificate, it will be imported into the user-dependent nssdb (~/.pki/nssdb). The used trust attributes are determined in respect of the cef_cert_status_t value.
4. If the certificate was successfully imported, reload the url by executing the saved callback. Before the CEF update this worked as expected and the webpage was loaded correctly.

The import of the certificate may result in the following nssdb-entry:
# certutil -L -d ~/.pki/nssdb

Certificate Nickname                                         Trust Attributes
                                                                          SSL,S/MIME,JAR/XPI

myhomepage                                                     P,, 


We have done the following tests with https://myhomepage:
Chromium loads the url without any problem, as long as the certificate is present in the nssdb. Otherwise it shows an error page.
cefsimple basically shows a blank page.
With CEF version 80.1.15 cefsimple works as expected.

Tested also with badssl.com. The difference here is that cefsimple does nothing when trying to click the "self-signed" button.

After the update it seems that ?CEF? doesn't use the nssdb anymore. Any suggestions?
olzzen
Techie
 
Posts: 28
Joined: Fri Oct 23, 2015 1:01 am
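A command-line check, added here and not part of the thread, that separates the two possibilities under discussion (an nssdb entry that is not actually SSL-trusted versus CEF no longer consulting nssdb): it fetches the certificate the server serves, compares it with the nssdb entry, reads the trust column and then lets NSS itself validate the certificate for server use. The db path, host, port and nickname are assumptions, and it works for any host, not only the self-signed case above.

```shell
#!/bin/sh
# Added diagnostic, not code from the thread: answer "does ~/.pki/nssdb really
# trust the certificate this server presents?" without involving CEF, so that
# "nssdb trust is wrong" can be separated from "CEF no longer consults nssdb".
# Assumptions: sqlite-format user db at $HOME/.pki/nssdb, certutil and openssl
# on PATH, and the cert imported under the nickname given as third argument.
NSSDB="${NSSDB:-sql:$HOME/.pki/nssdb}"

# Print the SSL trust flags (first of "SSL,S/MIME,JAR/XPI") from one nickname
# line of `certutil -L` output, e.g. "myhomepage   P,," -> "P".
ssl_trust_of_line() {
    printf '%s\n' "$1" | awk '{print $NF}' | cut -d, -f1
}

# Return 0 when the SSL flags carry P (trusted peer) or C (trusted CA), the
# flags NSS needs to accept a server certificate; 1 otherwise.
is_ssl_trusted() {
    case "$1" in
        *P*|*C*) return 0 ;;
        *)       return 1 ;;
    esac
}

# check_host HOST PORT NICKNAME: compare the live leaf certificate with the
# nssdb entry, show its trust flags, then let NSS itself validate it for SSL
# server use (-u V). Any failure here is an nssdb problem, not a CEF one.
check_host() {
    host=$1; port=$2; nick=$3
    live_fp=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256)
    db_fp=$(certutil -L -d "$NSSDB" -n "$nick" -a 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256)
    [ -n "$db_fp" ] || { echo "no nssdb entry named '$nick'"; return 2; }
    [ "$live_fp" = "$db_fp" ] || { echo "served cert differs from nssdb entry"; return 3; }
    line=$(certutil -L -d "$NSSDB" | awk -v n="$nick" '$1 == n')
    flags=$(ssl_trust_of_line "$line")
    echo "nssdb SSL trust flags for '$nick': '${flags:-none}'"
    is_ssl_trusted "$flags" || { echo "entry is present but not SSL-trusted"; return 4; }
    # -V asks NSS to validate the cert for the given usage, as a client would
    certutil -V -n "$nick" -u V -d "$NSSDB"
}

if [ "$#" -ge 1 ]; then check_host "$@"; fi
```

If `certutil -V` reports the certificate as valid for usage V while CEF still reports a certificate error, the nssdb side is ruled out and the remaining question is what trust store the CEF build consults.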

Re: OnCertificateError called for trusted cert in nssdb

Postby olzzen » Tue Jun 29, 2021 1:23 am

Does nobody have an idea why this behavior has changed?

I found a somewhat relevant crbug: https://bugs.chromium.org/p/chromium/is ... ssdb&can=1
If I interpret this correctly, self-signed certificates are generally treated as insecure by Chromium. If this is indeed the case, is there any way to control this behavior through CEF?

Re: OnCertificateError called for trusted cert in nssdb

Postby magreenblatt » Tue Jun 29, 2021 9:19 am

I would guess that your "load the information page" step (done how?) is invalidating the navigation to the page with the self-signed cert, and consequently executing the CefRequestCallback callback originally passed to OnCertificateError does not resume the original navigation. You likely need to instead re-navigate to the page that failed to load (via LoadURL, etc) and allow the self-signed cert when (if?) OnCertificateError is called for that 2nd navigation.
magreenblatt
Site Admin
 
Posts: 10939
Joined: Fri May 29, 2009 6:57 pm

Re: OnCertificateError called for trusted cert in nssdb

Postby olzzen » Thu Jul 22, 2021 4:11 am

Sorry for the late response, I was on vacation :)

Did you read the following in my original post:
We have done the following tests with https://myhomepage:
Chromium loads the url without any problem, as long as the certificate is present in the nssdb. Otherwise it shows an error page.
cefsimple basically shows a blank page.
With CEF version 80.1.15 cefsimple works as expected.

Tested also with badssl.com. The difference here is that cefsimple does nothing when trying to click the "self-signed" button.

After the update it seems that ?CEF? doesn't use the nssdb anymore. Any suggestions?


This seems to be a bug, isn't it? Certificates already marked as trusted in the nssdb should not raise a certificate error.

Re: OnCertificateError called for trusted cert in nssdb

Postby magreenblatt » Thu Jul 22, 2021 8:50 am

olzzen wrote:Sorry for the late response, I was on vacation :)

Did you read the following in my original post:
We have done the following tests with https://myhomepage:
Chromium loads the url without any problem, as long as the certificate is present in the nssdb. Otherwise it shows an error page.
cefsimple basically shows a blank page.
With CEF version 80.1.15 cefsimple works as expected.

Tested also with badssl.com. The difference here is that cefsimple does nothing when trying to click the "self-signed" button.

After the update it seems that ?CEF? doesn't use the nssdb anymore. Any suggestions?


This seems to be a bug, isn't it? Certificates already marked as trusted in the nssdb should not raise a certificate error.

Yes, it could be a bug. Are you able to debug it further with a local CEF/Chromium build?

Re: OnCertificateError called for trusted cert in nssdb

Postby olzzen » Fri Jul 23, 2021 4:27 am

Possibly not, because we are tied to SUSE Linux Enterprise (version 12) where the build dependencies are not met.

Re: OnCertificateError called for trusted cert in nssdb

Postby olzzen » Fri Jul 23, 2021 4:58 am

Tried the automated build for CEF which failed with the following error:

# ./install-build-deps.sh --no-arm --no-chromeos-fonts --no-nacl
ERROR: The only supported distros are
        Ubuntu 14.04 LTS (trusty with EoL April 2022)
        Ubuntu 16.04 LTS (xenial with EoL April 2024)
        Ubuntu 18.04 LTS (bionic with EoL April 2028)
        Ubuntu 20.04 LTS (focal with Eol April 2030)
        Ubuntu 20.10 (groovy)
        Debian 10 (buster) or later

Re: OnCertificateError called for trusted cert in nssdb

Postby magreenblatt » Fri Jul 23, 2021 9:25 am

What distro are you using? If it's similar to one of the above you could try disabling that check in the script. Or you could install one of the required distros in a VM or similar.

Re: OnCertificateError called for trusted cert in nssdb

Postby olzzen » Tue Jul 27, 2021 9:16 am

As mentioned before, we are using SUSE Linux Enterprise 12.
Disabling the distro check leads to other failures such as "apt-get: command not found".
Perhaps we get more time to support the analysis, but this has to be approved first.
