Some certificate errors aren't handled in cef


Post by aleitner » Thu Feb 13, 2025 4:10 pm

I want to display an error page for all the red URLs on https://badssl.com but a select few of the pages that are meant to have certificate errors don't cause the on_certificate_error or on_load_error callbacks to be called and the page loads without issue.

If I navigate to https://expired.badssl.com I see that on_certificate_error and on_load_error get called.
If I navigate to https://revoked.badssl.com I see that neither is called.

This is true for the following pages:

https://pinning-test.badssl.com/
https://revoked.badssl.com/
https://no-sct.badssl.com/
https://mixed-script.badssl.com/
https://very.badssl.com/
http://http.badssl.com/
https://mozilla-old.badssl.com/

Any idea why some certificate errors don't appear to be handled? Currently on 132.3.2+g4997b2f+chromium-132.0.6834.161
aleitner
Mentor
 
Posts: 84
Joined: Fri Jun 16, 2023 12:05 pm

Re: Some certificate errors aren't handled in cef

Post by magreenblatt » Thu Feb 13, 2025 4:15 pm

Do error pages display for those links in Google Chrome at the same version? Do error pages display in CEF?
magreenblatt
Site Admin
 
Posts: 12968
Joined: Fri May 29, 2009 6:57 pm

Re: Some certificate errors aren't handled in cef

Post by aleitner » Fri Feb 14, 2025 11:01 am

So I went through and compared with a browser also running version 132. Websites that cause an error page with the following error codes in my Chrome browser are not causing the on_certificate_error or on_load_error callbacks to be called within my application using CEF:

ERR_CERT_REVOKED - https://expired.badssl.com
ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN - https://pinning-test.badssl.com/
ERR_CERTIFICATE_TRANSPARENCY_BLOCKED - https://no-sct.badssl.com/

Re: Some certificate errors aren't handled in cef

Post by magreenblatt » Fri Feb 14, 2025 11:52 am

Are CEF sample apps showing an error page for these URLs?

Re: Some certificate errors aren't handled in cef

Post by aleitner » Wed Feb 19, 2025 2:07 pm

magreenblatt wrote: Are CEF sample apps showing an error page for these URLs?


I haven't been able to get a test using cefsimple yet, but using the Spotify precompiled binaries we don't see errors for those URLs.

Re: Some certificate errors aren't handled in cef

Post by magreenblatt » Wed Feb 19, 2025 2:33 pm

ERR_CERT_REVOKED - https://expired.badssl.com
ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN - https://pinning-test.badssl.com/
ERR_CERTIFICATE_TRANSPARENCY_BLOCKED - https://no-sct.badssl.com/

I'm seeing the "Your connection is not private" interstitial page for https://expired.badssl.com/ in both Google Chrome and cefclient at M133. The other 2 URLs load successfully in cefclient because key pinning and certificate transparency are Google Chrome-only features disabled by default for Chromium embedders (details here and here).

Re: Some certificate errors aren't handled in cef

Post by aleitner » Wed Feb 19, 2025 2:49 pm

magreenblatt wrote:
ERR_CERT_REVOKED - https://expired.badssl.com
ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN - https://pinning-test.badssl.com/
ERR_CERTIFICATE_TRANSPARENCY_BLOCKED - https://no-sct.badssl.com/

I'm seeing the "Your connection is not private" interstitial page for https://expired.badssl.com/ in both Google Chrome and cefclient at M133. The other 2 URLs load successfully in cefclient because key pinning and certificate transparency are Google Chrome-only features disabled by default for Chromium embedders (details here and here).


I updated my browser itself to 133 and I am now seeing the "Your connection is not private" page as well for the URLs now. I guess something was changed for this from 132 to 133! Need to update my code to work with 133 and test that as well.

Re: Some certificate errors aren't handled in cef

Post by aleitner » Thu Mar 06, 2025 1:05 am

When navigating to https://revoked.badssl.com/

Using Chromium Version 133.0.6943.98: I see the "Your connection is not private" interstitial page.

Using Spotify precompiled binary 133.4.2+g0852ba6+chromium-133.0.6943.127: I navigate to the page without any errors or an interstitial page displayed.

Is there perhaps a flag that needs to be set for revoked certs to be handled properly?

Re: Some certificate errors aren't handled in cef

Post by aleitner » Thu Mar 06, 2025 6:35 pm

I have also built 133.4.2+g0852ba6+chromium-133.0.6943.127 myself and still see no errors or interstitial page for https://revoked.badssl.com/.

Re: Some certificate errors aren't handled in cef

Post by magreenblatt » Thu Mar 06, 2025 6:56 pm

Revocation may be part of certificate transparency, and may be unavailable by default in Chromium. See https://www.chromium.org/Home/chromium- ... y/crlsets/

