Issue metadata
Sign in to add a comment
|
requirement of client cert blocks Chrome in a manner that cannot be passed
Reported by
jason_h...@trimble.com,
May 13 2018
|
||||||||||||||||||||||
Issue descriptionUserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.170 Safari/537.36 Steps to reproduce the problem: 1. go to website via intranet that only requires client cert over Internet 2. later go home 3. browser refreshes webpage, now realises it requires a client cert, and it pops up a confirmation window for the user 4. I click the confirm (or cancel) button and nothing happens. At this point Chrome is entirely *broken*. I can no longer access other open tabs - nothing works. I have to kill Chrome to get passed this What is the expected behavior? it should listen to the client cert popup What went wrong? I suspect what happens is that it's a symptom of how VPN fiddles with DNS/addresses. I suspect it starts by connecting to dns.name via it's intranet 10.* address (with no cert), then when a VPN restart occurs, there's a small window where dns.name resolves to the Internet address and it detects a client cert is needed, so it does the popup. But then the VPN tunnel comes back up again and dns.name resolves to the non-client cert 10.* address again and as the popup is still on the screen, Chrome is now confused? A real guess - but it matches the situation Did this work before? Yes no idea Chrome version: 66.0.3359.170 Channel: stable OS Version: Ubuntu-18.04 Flash Version: the way our VPN can drop off/ come back up has been like that for years and only recently have I seen Chrome act this way - so I suspect it's a recent code change
,
May 14 2018
jason_haar@ Thanks for the issue. Request you to provide a URL where this issue can be reproduced which will help in further triaging of the issue. Thanks..
,
May 14 2018
,
May 14 2018
(Ignore comment #2. We are clearly not going to be able to reproduce this as it's an intranet thing.) If Chrome is unresponsive altogether, that suggests something especially odd is going on. Maybe some messed up PKCS#11 module, or maybe a bug in our UI code. Could you follow the instructions here, but use the PID of the browser process? (Given Chrome is unresponsive I imagine you'll need to use your system process manage to get the PID. Or you can look up the PID before reproducing.) https://www.chromium.org/for-testers/bug-reporting-guidelines/hanging-tabs Thanks!
,
May 21 2018
It's been a week before this problem occurred again. I cannot debug it for you - it's obviously a race condition that occurs under very specific circumstances and I have no idea how to replicate them ie the web app is a client-cert protected graylog server. That uses tonnes of javascript to give a realtime graphical dashboard of our logging infrastructure. So what I think happens is it is continually sending data refreshes to the browser, and then a network change occurs so that the DNS value for our graylog server suddenly flips from intranet (10.X) to Internet for a few moments due to a VPN tunnel change (which involves changing DNS server settings - which is how the DNS name changes from intranet to internet). During that small window, the browser starts refreshing via the Internet and the client cert validation occurs. But I am off asleep/somewhere else and so don't deal with that popup, and seconds/minutes later the VPN changes again and now the DNS name resolves to the non-client cert protected intranet IP. I am guessing at that point Chrome has become confused: it still has this client cert prompt open awaiting input for a decision-event that no longer exists? End result is I can be happily in a different tab within Chrome working just fine, but when I eventually click over to the graylog tab and see the client cert prompt, it's game over. At that point Chrome is locked and doesn't respond - I can't change to a working tab, etc. I can't even kill it through the Ubuntu/gnome window manager (ie the "x" button doesn't work) and instead I get a shell up and kill the process id instead. Jason
,
May 21 2018
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
May 22 2018
As per comment #4, this issue is out of scope of triaging at TE end. Hence adding 'TE-NeedsTriageHelp' label and requesting someone from Internals>Network>SSL team to look into the issue and help in further triaging. Thanks..
,
May 22 2018
That sounds like there's an issue showing the prompt. If Chrome is completely locked, that suggests the UI thread is stuck, which puts it rather far from the TLS and certificate bits proper. I think we're really going to need the instructions here followed to be able to diagnose. https://www.chromium.org/for-testers/bug-reporting-guidelines/hanging-tabs
,
May 30 2018
[jason_haar]: Could you please response to comment #8? Since we don't have a repro, we'll need more information to make any progress here.
,
May 30 2018
I have got as far as getting the task manager component running, and so have been waiting for the bug to happen again. I have had at least 2 Chrome updates since reporting this bug, so maybe it's been fixed? I'll let you know if it triggers again for sure :-) Jason
,
May 30 2018
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
May 30 2018
(Reverting sheriffbot's incorrect triage.)
,
Jul 9
I'm going to go ahead and archive out this issue, since there's been no problems since Comment #10. |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by krajshree@chromium.org
, May 14 2018