CERT_VERIFIER_REQUEST gets cancelled after 30 seconds
Reported by john.hen...@gmail.com, Apr 1 2017
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

Example URL: github.com

Steps to reproduce the problem:
The problem occurs sporadically; there are no clear steps to reproduce. However, the common part is that if certificate verification fails, it is always an SSL site and the browser displays "establishing secure connection" in the status bar. Being persistent will usually load the site after a few tries. Now I get "This site can’t be reached" after 30 seconds.

What is the expected behavior?
Instant loading of the page.

What went wrong?
From what it looks like this:

t=42162 [st= 192] +CERT_VERIFIER_REQUEST [dt=29904]
t=42162 [st= 192] CERT_VERIFIER_REQUEST_BOUND_TO_JOB
  --> source_dependency = 2084162 (CERT_VERIFIER_JOB)
t=72066 [st=30096] CANCELLED
t=72066 [st=30096] -CERT_VERIFIER_REQUEST
t=72066 [st=30096] -SOCKET_IN_USE
t=72066 [st=30096] -SOCKET_ALIVE

I read that certificate validation in Chrome is delegated to the OS (https://bugs.chromium.org/p/chromium/issues/detail?id=501795#c14). I don't trust my OS, so it has no internet access (no proxy is configured, effectively cutting off internet access as direct access is disabled). Chrome (and other browsers) have internet access through a proxy plugin (FoxyProxy), however it seems to still access the internet through other means (certificate verification apparently).

Did this work before? No

Chrome version: 56.0.2924.87
Channel: stable
OS Version: 10.0
Flash Version: Shockwave Flash 24.0 r0

I'm trying to understand the problem better, and seeing if I can give the host OS partial internet access so it can verify certificates only, or to configure Chrome in such a way that it verifies certificates through the configured proxy.

What I also do not understand is why the websites will load after a while. Does this mean Chrome will eventually display unverified websites if verification failed? That seems like a security issue...
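A small parser for the text NetLog excerpt in the report above, added here as an example (it is not part of the original issue or of Chromium's code): it pairs the +/- CERT_VERIFIER_REQUEST events and reports verifications that stayed open close to the 30-second mark, noting whether CANCELLED was logged. The function name, the 25-second threshold and the second, fast sample are assumptions made for illustration.

```python
import re

# Matches text-view NetLog event lines, e.g.
# "t=42162 [st= 192] +CERT_VERIFIER_REQUEST [dt=29904]"
EVENT_RE = re.compile(r"t=\s*(\d+)\s+\[st=\s*\d+\]\s+([+-]?)([A-Z0-9_]+)")

def stalled_cert_verifications(netlog_text, threshold_ms=25000):
    """Return one dict per CERT_VERIFIER_REQUEST open for >= threshold_ms.

    threshold_ms is an assumed cut-off just below the 30 s seen in the report.
    """
    findings, start, cancelled = [], None, False
    for line in netlog_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # parameter lines ("--> ...") carry no timestamp
        t, phase, name = int(m.group(1)), m.group(2), m.group(3)
        if name == "CERT_VERIFIER_REQUEST" and phase == "+":
            start, cancelled = t, False
        elif name == "CANCELLED" and start is not None:
            cancelled = True
        elif name == "CERT_VERIFIER_REQUEST" and phase == "-" and start is not None:
            duration = t - start
            if duration >= threshold_ms:
                findings.append({"start": start, "end": t,
                                 "duration_ms": duration, "cancelled": cancelled})
            start = None
    return findings

# Excerpt copied from the report above.
REPORT_EXCERPT = """\
t=42162 [st= 192] +CERT_VERIFIER_REQUEST [dt=29904]
t=42162 [st= 192] CERT_VERIFIER_REQUEST_BOUND_TO_JOB
  --> source_dependency = 2084162 (CERT_VERIFIER_JOB)
t=72066 [st=30096] CANCELLED
t=72066 [st=30096] -CERT_VERIFIER_REQUEST
t=72066 [st=30096] -SOCKET_IN_USE
t=72066 [st=30096] -SOCKET_ALIVE
"""

# Constructed sample: a verification that completes quickly (not from the report).
FAST_SAMPLE = """\
t=  100 [st=   5] +CERT_VERIFIER_REQUEST [dt=12]
t=  112 [st=  17] -CERT_VERIFIER_REQUEST
"""

if __name__ == "__main__":
    for f in stalled_cert_verifications(REPORT_EXCERPT + FAST_SAMPLE):
        print("stalled verification:", f)
```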
Apr 3 2017
Do you see this sporadically on the same site, or are there sites that always time out and others that always eventually load? Depending on what parts of the OS you are blocking, it's possible that the Windows Cert Verifier is only able to verify certs whose complete chains can be built locally (not including AAIA fetching/cert fetching).
Apr 3 2017
@Comment 2: The issue is Github.com uses an EV cert, not covered by a CA covered by CRLSets, and thus we attempt an OCSP/CRL fetch as part of that.
I'm closing this as WontFix/WorksAsIntended, because the reporter identified that the issue is local configuration ("I don't trust my OS, so it has no internet access"). At present, that's not a supported configuration, and while it's useful as a feature request, is not on the roadmap explicitly to support.
Apr 3 2017
Almost everything eventually loads after a retry or two. It is not all sites, but I didn't identify a pattern. The comment about the different types of certificates is interesting. Is there any way to force an OCSP/CRL fetch always?
Comment 1 by ranjitkan@chromium.org, Apr 3 2017