[solved] OnCertificateError called for trusted cert in nssdb

Postby olzzen » Tue Jun 22, 2021 6:27 am

Hi,

We have implemented certificate management, which enables the user to import a certificate (e.g. self-signed) into the user-dependent nssdb. (For information about nssdb: https://chromium.googlesource.com/chrom ... agement.md)
Before we updated the used CEF version from 3.2785.1485 to M91, the following workflow worked as expected.

1. Navigate a webpage with a self-signed certificate (e.g. https://myhomepage)
2. The RequestHandler::OnCertificateError gets called
2.1 Create a page with information about the certificate and a button to import the certificate
2.2 Save the callback, load the information page and return true
3. If the user decides to import the certificate, it will be imported into the user-dependent nssdb (~/.pki/nssdb). The used trust attributes are determined with respect to the cef_cert_status_t value.
4. If the certificate was successfully imported, reload the URL by executing the saved callback. Before the CEF update this worked as expected and the webpage was loaded correctly.

The import of the certificate may result in the following nssdb entry:

# certutil -L -d ~/.pki/nssdb

Certificate Nickname                                         Trust Attributes
                                                                          SSL,S/MIME,JAR/XPI

myhomepage                                                     P,,


We have done the following tests with https://myhomepage:
chromium loads the url without any problem, as long as the certificate is present in the nssdb. Otherwise it shows an error page.
cefsimple basically shows a blank page.
with CEF version 80.1.15 cefsimple works as expected

Tested also with badssl.com. The difference here is that cefsimple does nothing when trying to click the "self-signed" button.

After the update it seems that ?CEF? doesn't use the nssdb anymore. Any suggestions?
Last edited by olzzen on Wed Sep 08, 2021 2:24 am, edited 1 time in total.
olzzen
Techie
 
Posts: 46
Joined: Fri Oct 23, 2015 1:01 am

Re: OnCertificateError called for trusted cert in nssdb

Postby olzzen » Tue Jun 29, 2021 1:23 am

Does nobody have an idea why this behavior has changed?

I found a somewhat relevant crbug: https://bugs.chromium.org/p/chromium/is ... ssdb&can=1
If I interpret this correctly, self-signed certificates are generally treated as insecure by Chromium. If this is indeed the case, is there any way to control this behavior through CEF?

Re: OnCertificateError called for trusted cert in nssdb

Postby magreenblatt » Tue Jun 29, 2021 9:19 am

I would guess that your "load the information page" step (done how?) is invalidating the navigation to the page with the self-signed cert, and consequently executing the CefRequestCallback callback originally passed to OnCertificateError does not resume the original navigation. You likely need to instead re-navigate to the page that failed to load (via LoadURL, etc) and allow the self-signed cert when (if?) OnCertificateError is called for that 2nd navigation.
magreenblatt
Site Admin
 
Posts: 12382
Joined: Fri May 29, 2009 6:57 pm

Re: OnCertificateError called for trusted cert in nssdb

Postby olzzen » Thu Jul 22, 2021 4:11 am

Sorry for the late response, I was on vacation :)

Did you read the following in my original post:
We have done the following tests with https://myhomepage:
chromium loads the url without any problem, as long as the certificate is present in the nssdb. Otherwise it shows an error page.
cefsimple basically shows a blank page.
with CEF version 80.1.15 cefsimple works as expected

Tested also with badssl.com. The difference here is that cefsimple does nothing when trying to click the "self-signed" button.

After the update it seems that ?CEF? doesn't use the nssdb anymore. Any suggestions?


This seems to be a bug, isn't it? Certificates already marked as trusted in the nssdb should not raise a certificate error.

Re: OnCertificateError called for trusted cert in nssdb

Postby magreenblatt » Thu Jul 22, 2021 8:50 am

olzzen wrote: Sorry for the late response, I was on vacation :)

Did you read the following in my original post:
We have done the following tests with https://myhomepage:
chromium loads the url without any problem, as long as the certificate is present in the nssdb. Otherwise it shows an error page.
cefsimple basically shows a blank page.
with CEF version 80.1.15 cefsimple works as expected

Tested also with badssl.com. The difference here is that cefsimple does nothing when trying to click the "self-signed" button.

After the update it seems that ?CEF? doesn't use the nssdb anymore. Any suggestions?


This seems to be a bug, isn't it? Certificates already marked as trusted in the nssdb should not raise a certificate error.

Yes, it could be a bug. Are you able to debug it further with a local CEF/Chromium build?

Re: OnCertificateError called for trusted cert in nssdb

Postby olzzen » Fri Jul 23, 2021 4:27 am

Possibly not, because we are tied to SUSE Linux Enterprise (version 12), where the build dependencies are not met.

Re: OnCertificateError called for trusted cert in nssdb

Postby olzzen » Fri Jul 23, 2021 4:58 am

Tried the automated build for CEF which failed with the following error:

# ./install-build-deps.sh --no-arm --no-chromeos-fonts --no-nacl
ERROR: The only supported distros are
        Ubuntu 14.04 LTS (trusty with EoL April 2022)
        Ubuntu 16.04 LTS (xenial with EoL April 2024)
        Ubuntu 18.04 LTS (bionic with EoL April 2028)
        Ubuntu 20.04 LTS (focal with Eol April 2030)
        Ubuntu 20.10 (groovy)
        Debian 10 (buster) or later

Re: OnCertificateError called for trusted cert in nssdb

Postby magreenblatt » Fri Jul 23, 2021 9:25 am

What distro are you using? If it's similar to one of the above you could try disabling that check in the script. Or you could install one of the required distros in a VM or similar.

Re: OnCertificateError called for trusted cert in nssdb

Postby olzzen » Tue Jul 27, 2021 9:16 am

As mentioned before, we are using SUSE Linux Enterprise 12.
Disabling the distro check leads to other failures such as "apt-get: command not found".
Perhaps we get more time to support the analysis, but this has to be approved first.

Re: OnCertificateError called for trusted cert in nssdb

Postby olzzen » Mon Sep 06, 2021 6:44 am

Until now we haven't had time to debug any further.

magreenblatt wrote: I would guess that your "load the information page" step (done how?) is invalidating the navigation to the page ...


Perhaps this is the case; how can we test this?
The following code is a minimal sample of our implementation:

// Called by CEF when a certificate error occurs for request_url.
// Returning true means the handler takes ownership of the decision; the
// navigation is only resumed if callback->Continue(true) is executed.
bool RequestHandler::OnCertificateError(CefRefPtr<CefBrowser> browser, cef_errorcode_t cert_error,
                                        const CefString &request_url,
                                        CefRefPtr<CefSSLInfo> ssl_info,
                                        CefRefPtr<CefRequestCallback> callback)
{
    // If the button "I know the risk, continue..." in the information page (see below) was clicked,
    // the browser navigates to request_url again and the following condition evaluates to *true*.
    if (lastCertificateErrorRequestURL == request_url.ToString())
    {
        callback->Continue(true);
        return true;
    }

    // Replace the failed navigation with an information page about the certificate.
    loadCertificateErrorPage(browser->GetMainFrame(), request_url, cert_error, ssl_info);

    if (callback)
    {
        // Remember the failed URL (and the callback) for the second navigation.
        lastCertificateErrorRequestURL = request_url.ToString();
        lastCertificateErrorCallback = callback;
    }

    return true;
}

void RequestHandler::loadCertificateErrorPage(CefRefPtr<CefFrame> frame, const CefString &request_url, cef_errorcode_t cert_error, CefRefPtr<CefSSLInfo> ssl_info)
{
    // Within the html is a button with a href to the *request_url* ("I know the risk, continue...").
    auto html{createCertificateErrorPage(request_url, cert_error, ssl_info)};
    // Loading a data: URI in the main frame invalidates the navigation that raised the error.
    frame->LoadURL(createDataUri(html));
}


Do you see any problems with this implementation? Any hints to correct failures would be very appreciated.
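The following is an added example by the editor, not code from olzzen's project and not part of CEF's API. It models the flow magreenblatt suggested above (do not resume the stale CefRequestCallback after the info page replaced the navigation; re-navigate with LoadURL and decide again when OnCertificateError fires for the second navigation) and one change to the minimal sample: the sample re-admits by request_url alone, so on the second navigation any certificate presented for that URL is accepted, whereas here the exception is pinned to the (host[:port], certificate fingerprint) pair the user actually inspected. CEF types are replaced by plain strings so it compiles stand-alone: the `fingerprint` argument is assumed to be a hex SHA-256 over the leaf's DER bytes (in real code from CefX509Certificate::GetDEREncoded()), the data: URL is a placeholder for the real info page, and the nssdb import from step 3 is outside this example.

```cpp
#include <cstddef>
#include <set>
#include <string>
#include <utility>

// What the real RequestHandler::OnCertificateError would do with the result:
//   kShowInfoPage -> frame->LoadURL(navigate_to); return true; (callback dropped)
//   kAllow        -> callback->Continue(true);   return true;
enum class CertAction { kShowInfoPage, kAllow };

struct CertDecision {
  CertAction action;
  std::string navigate_to;  // info page URL for kShowInfoPage, empty for kAllow
};

// "host" or "host:port" of a URL. Keying exceptions on the authority rather
// than the full URL keeps an accepted cert confined to that origin.
inline std::string AuthorityOf(const std::string& url) {
  const std::string::size_type scheme_end = url.find("://");
  const std::string::size_type start =
      (scheme_end == std::string::npos) ? 0 : scheme_end + 3;
  const std::string::size_type end = url.find('/', start);
  return url.substr(start, end == std::string::npos ? std::string::npos
                                                    : end - start);
}

class CertErrorFlow {
 public:
  // Stand-in for OnCertificateError(browser, cert_error, request_url, ssl_info,
  // callback). `fingerprint` is assumed to identify the leaf certificate.
  CertDecision OnCertificateError(const std::string& url,
                                  const std::string& fingerprint) {
    if (exceptions_.count(std::make_pair(AuthorityOf(url), fingerprint))) {
      // Second navigation, same origin, same certificate the user accepted.
      return {CertAction::kAllow, ""};
    }
    // First sight of this certificate: remember what the user is about to
    // inspect and replace the navigation with the info page. The callback is
    // deliberately not stored; the LoadURL() invalidates it anyway.
    pending_url_ = url;
    pending_fingerprint_ = fingerprint;
    has_pending_ = true;
    return {CertAction::kShowInfoPage, "data:text/html,cert-error?url=" + url};
  }

  // Stand-in for the "I know the risk, continue..." button. Records the
  // exception and returns the URL to pass to LoadURL(); empty if nothing is
  // pending (e.g. the button was clicked twice or the page was stale).
  std::string UserAccepted() {
    if (!has_pending_) return "";
    exceptions_.insert(
        std::make_pair(AuthorityOf(pending_url_), pending_fingerprint_));
    has_pending_ = false;
    return pending_url_;
  }

  // User left the info page without accepting: forget the pending error.
  void UserDeclined() { has_pending_ = false; }

  std::size_t ExceptionCount() const { return exceptions_.size(); }

 private:
  bool has_pending_ = false;
  std::string pending_url_;
  std::string pending_fingerprint_;
  std::set<std::pair<std::string, std::string>> exceptions_;  // (authority, fp)
};
```

Wiring it in: call `OnCertificateError` from the real handler, run `LoadURL(navigate_to)` for `kShowInfoPage`, and let the info page's button call `UserAccepted()` followed by `LoadURL()` of the returned URL instead of executing the saved callback. A different certificate for the same host on the second navigation produces `kShowInfoPage` again, which is the behaviour you want if a MITM appears between the two loads.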
