SSL Requests through mitm proxy with self signed certs hangs headless_shell with deterministic-fetch
Reported by
jon.norm...@gmail.com,
Feb 26 2017
Issue description

Steps to reproduce the problem:
1. Run a mitm proxy
2. Run `headless_shell --proxy-server=localhost:4432 https://google.com`
3. Observe how the headless_shell hangs

UPDATE: Running the headless_shell with --deterministic-fetch appears not to hang and the process stops with additional logs from http_url_fetcher
`headless_shell --proxy-server=localhost:4432 --deterministic-fetch https://google.com`

What is the expected behaviour?
The headless_shell doesn't hang when the ssl_certs are not valid for the destined host. Even better (which might be a new feature) is to have a switch to ignore ssl certs - so I don't have to use deterministic-fetch and modify the http_url_fetcher to continue discarding the errors.

What went wrong?
BUILT FROM SOURCE:
OS: Ubuntu 16.10
GIT_HEAD_SHA: 5cd9ae8889c732428043460caa5d0fd8043041c1
ARGS.GN FILE
```
<<-EOF
import("//build/args/headless.gn")
is_component_build = false
is_debug = false
dcheck_always_on = false
symbol_level = 0
remove_webcore_debug_symbols = true
enable_nacl = true
EOF
```

ISSUE: We have the tests which mock out the third party requests by intercepting them with a mitm proxy which replays previously recorded requests. For later replay offline, however, it appears that this doesn't work well with the headless_shell and instead hangs after logging to the console from cert_verify_proc_nss.cc and you need to send signal SIGINT to end the process. This appears to be the same with the CLI args or over selenium-webdriver. Below is the simplest example and output from the console when an ssl request is passed through a proxy.

```
$ headless_shell --proxy-server=localhost:4432 https://google.com
[0226/160928.332964:ERROR:cert_verify_proc_nss.cc(918)] CERT_PKIXVerifyCert for app.dev.geckoboard.com failed err=-8172
```

UPDATE: When running the headless_shell with --deterministic-fetch it appears to be correctly handled and stops the process and is handled further up by http_url_fetcher.

```
$ headless_shell --proxy-server=localhost:4432 --deterministic-fetch https://google.com
[0226/163908.288197:ERROR:cert_verify_proc_nss.cc(918)] CERT_PKIXVerifyCert for google.com failed err=-8172
[0226/163908.289071:WARNING:http_url_fetcher.cc(95)] SSL certificate error, aborting.
```

Probably a new feature request but I would like not to have to use the --deterministic-fetch in the future, and also would love to be able to control ignoring certificate errors by the use of a command switch like --ignore-certificate-errors which I didn't see in src/headless/app/headless_shell_switches.cc. Is this something you think might become available soon or is in the pipeline to be built? Because for clients like selenium webdriver it would be a pain to have to handle it via devtools instead of having a global ignore cert errors. As this ticket appears to mention; https://bugs.chromium.org/p/chromium/issues/detail?id=659662

Thanks for the great work going into headless shell/headless chromium - I'm looking forward to being able to fully migrate our suite in the near future, and the speed so far is crazy fast from what I have seen so far.

Did this work before? N/A

Chrome version: headless_shell
Feb 26 2017
In the first step `Run a mitm proxy` you can use the golang binary attached and just run as dvr -replay-only for a quick check. (It didn't let me upload earlier)
Feb 27 2017
headless_shell OWNERS: Is there a better component to direct this to? I don't believe it's related to TLS or certificates (despite the components), and suspect one of y'all would know how to triage this appropriately. I'm fairly certain the cert error is entirely a red herring with respect to what code is causing the issue, although it may be part of the sequence of events to tickle this. Note: We are working to try to remove --ignore-certificate-errors (it's in the early stage), so it would not be the recommended path.
Feb 27 2017
We have a label, but no component :)
Feb 27 2017
We are working on support to handle certificate errors via DevTools. That should make it possible to avoid the hang, by manually dismissing the error.
Feb 27 2017
Thanks, let's revisit once the blocking bug is resolved.
Mar 27 2017
FYI, blocking bug is resolved.
Jul 19 2017
Any updates about it? Thank you!
Aug 13 2017
I'm going to resolve this since it should be possible to use the handleCertificateErrors to manage this.
Aug 14 2017
@dvallet, could you provide any reference or example, how to use dev tool and handleCertificateErrors particularly using chromedriver / selenium webdriver? I'd really appreciate it! Thanks.
Aug 14 2017
There's a separate bug for this with chromedriver: https://bugs.chromium.org/p/chromium/issues/detail?id=721739 But here's essentially how this is done over the protocol: https://github.com/cyrus-and/chrome-remote-interface/wiki/Bypass-certificate-errors-(%22Your-connection-is-not-private%22)
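The protocol approach referenced in the comment above, as an added example (not code from the Chromium project or the linked wiki): it answers every `Security.certificateError` event so that no request is left waiting, and continues only for hosts the replay proxy is expected to serve. The `client` shape follows chrome-remote-interface; `handleCertErrors`, `makeFakeClient` and the allow-list are hypothetical names introduced here.

```javascript
// Added example: scoped certificate-error handling over the DevTools protocol.
// `client` is a CDP client that exposes domains the way chrome-remote-interface
// does: client.Security.enable(), client.Security.certificateError(cb), ...
// The allow-list of hosts is an assumption for a replay-proxy test setup.
async function handleCertErrors(client, allowedHosts) {
  const { Security } = client;
  const decisions = []; // every decision taken, handy in test logs

  // Register the listener before enabling the override so no event is missed.
  // Once the override is on, each certificate error waits for an answer,
  // so every event gets one: continue for allow-listed hosts, cancel otherwise.
  Security.certificateError(({ eventId, errorType, requestURL }) => {
    let host = '';
    try {
      host = new URL(requestURL).hostname;
    } catch (_) {
      // Unparsable URL: host stays empty and the request is cancelled.
    }
    const action = allowedHosts.has(host) ? 'continue' : 'cancel';
    decisions.push({ host, errorType, action });
    return Security.handleCertificateError({ eventId, action });
  });

  await Security.enable();
  // Ask the browser to defer certificate errors to the listener above.
  await Security.setOverrideCertificateErrors({ override: true });
  return decisions;
}

// Constructed stand-in for a CDP client, so the logic can be exercised
// offline without a running browser.
function makeFakeClient() {
  const calls = [];
  let listener = null;
  const Security = {
    enable: async () => calls.push(['enable']),
    setOverrideCertificateErrors: async (p) => calls.push(['override', p.override]),
    certificateError: (cb) => { listener = cb; },
    handleCertificateError: async (p) => calls.push(['handle', p.eventId, p.action]),
  };
  return { Security, calls, emit: (evt) => listener(evt) };
}
```

Against a real browser, pass the client returned by chrome-remote-interface in place of the fake one and keep the allow-list limited to the hosts the recorded fixtures cover.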
Aug 15
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue. Sorry for the inconvenience if the bug really should have been left as Available. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 5
I realize that --ignore-certificate-errors is deprecated but I thought it was replaced with --ignore-certificate-errors-spki-list which --headless ignores. I'm trying to do something similar to telemetry and webpage replay which uses a socks proxy and --ignore-certificate-errors-spki-list https://cs.chromium.org/chromium/src/third_party/catapult/telemetry/telemetry/internal/backends/chrome/chrome_startup_args.py?q=ignore-certificate-errors-spki-list&sq=package:chromium&dr=C&l=111
Comment 1 by jon.norm...@gmail.com, Feb 26 2017: attachment, 7.0 MB