Community
Participate
Working Groups
Installed Oxygen.2 for Java developers on stock Fedora 27. I can't connect from the internal web browser window to a site that has a self signed certificate. The browser displays 'Unacceptable TLS certificate' Am I missing some kind of settings ?
Would you please point to a site that fails for you?
Not easily as it has been reported from a customer internal OpenShift cluster. I reproduced it using Minishift and/or CDK and trying to connect from the internal web browser to https://${minishift ip}:8443
OK. I have reproduced it with https://self-signed.badssl.com/ . Leo, what do you think about having a way to ask the user whether he wants to trust the certificate? I don't feel comfortable even trying to blindly approve all self-signed certificates.
+1 on getting user approval otherwise would be a blocker from a security POV
I implemented proof of concept: https://git.eclipse.org/r/#/c/117884/ One can overcome the TLS if one downloads the certificate and tells Webkit to allow certificates from a given host. To implement this, we'd need: 1) Implement mechanism that detects that a page has a self-signed certificate 2) Implement prompt that tells user about issue and asks him if he wants to proceed anyway. 3) Download certificate. Tell Webkit to accept certificate from given host. (note, 'http:// part is omitted). As a note, this already works on Cocoa and is handled by the browser. But with Webkit we have to implement it manually.
Created attachment 272796 [details] pof screenshot
Technical notes: Examples that can be used for inspiration: https://github.com/WebKit/webkit/blob/master/Tools/MiniBrowser/gtk/BrowserTab.c#L151 https://github.com/vain/lariza/blob/master/browser.c#L1082 webkit/Tools/TestWebKitAPI/Tests/WebKitGLib/TestSSL.cpp
Created attachment 272798 [details] Screenshot of how it looks on OSX
Note to self: WebKitWebContext description snippet: TLS certificate validation failure is now treated as a transport error by default. To handle TLS failures differently, you can connect to “load-failed-with-tls-errors”. Alternatively, you can use webkit_web_context_set_tls_errors_policy() to set the policy WEBKIT_TLS_ERRORS_POLICY_IGNORE; however, this is not appropriate for Internet applications.
(In reply to Leo Ufimtsev from comment #9) > Note to self: > > WebKitWebContext description snippet: > TLS certificate validation failure is now treated as a transport error by > default. To handle TLS failures differently, you can connect to > “load-failed-with-tls-errors”. Alternatively, you can use > webkit_web_context_set_tls_errors_policy() to set the policy > WEBKIT_TLS_ERRORS_POLICY_IGNORE; however, this is not appropriate for > Internet applications. So a handler for load-failed-with-tls-errors is needed and some popup to ask whether to continue ignoring the tls error should be implemented.
(In reply to Alexander Kurtakov from comment #10) > (In reply to Leo Ufimtsev from comment #9) > > Note to self: > > > > WebKitWebContext description snippet: > > TLS certificate validation failure is now treated as a transport error by > > default. To handle TLS failures differently, you can connect to > > “load-failed-with-tls-errors”. Alternatively, you can use > > webkit_web_context_set_tls_errors_policy() to set the policy > > WEBKIT_TLS_ERRORS_POLICY_IGNORE; however, this is not appropriate for > > Internet applications. > > So a handler for load-failed-with-tls-errors is needed and some popup to ask > whether to continue ignoring the tls error should be implemented. Yea basically. But also download the certificate to some temp cache and load it as done in proof of concept patch.
(In reply to Leo Ufimtsev from comment #5) > As a note, this already works on Cocoa and is handled by the browser. But > with Webkit we have to implement it manually. Hi Leo, Not sure how useful it is for gtk, the Webkit port for windows has an SWT implementation for the Invalid Certificate Dialog. Please see: http://git.eclipse.org/c/platform/eclipse.platform.swt.git/tree/bundles/org.eclipse.swt/Eclipse%20SWT%20WebKit/win32/org/eclipse/swt/browser/WebFrameLoadDelegate.java
It would be nice to have this enhancement on gtk side, but at the moment gtk3 blockers/ui issues seem to have a higher priority. Once those are resolved we could potentially look into this more special-purpose use case.
This bug is very serious for linux users that try to connect our Eclipse based tooling for OpenShift to a cluster that's using self-signed certificates. We'd thus highly appreciate if this could be fixed in a timely manner. Alexander Kurtakov, is there any ETA?
(In reply to Andre Dietisheim from comment #14) > This bug is very serious for linux users that try to connect our Eclipse > based tooling for OpenShift to a cluster that's using self-signed > certificates. We'd thus highly appreciate if this could be fixed in a timely > manner. > Alexander Kurtakov, is there any ETA? No ETA, right now. Will look into it and try to give some soon.
(In reply to Lakshmi Shanmugam from comment #12) > (In reply to Leo Ufimtsev from comment #5) > > As a note, this already works on Cocoa and is handled by the browser. But > > with Webkit we have to implement it manually. > > Hi Leo, > Not sure how useful it is for gtk, the Webkit port for windows has an SWT > implementation for the Invalid Certificate Dialog. > Please see: > http://git.eclipse.org/c/platform/eclipse.platform.swt.git/tree/bundles/org. > eclipse.swt/Eclipse%20SWT%20WebKit/win32/org/eclipse/swt/browser/ > WebFrameLoadDelegate.java Lakshmi, I looked at the windows port and I failed to find it storing the certificate somewhere and whitelisting it for later usage so it is per http session?
(In reply to Alexander Kurtakov from comment #16) > (In reply to Lakshmi Shanmugam from comment #12) > > (In reply to Leo Ufimtsev from comment #5) > > > As a note, this already works on Cocoa and is handled by the browser. But > > > with Webkit we have to implement it manually. > > > > Hi Leo, > > Not sure how useful it is for gtk, the Webkit port for windows has an SWT > > implementation for the Invalid Certificate Dialog. > > Please see: > > http://git.eclipse.org/c/platform/eclipse.platform.swt.git/tree/bundles/org. > > eclipse.swt/Eclipse%20SWT%20WebKit/win32/org/eclipse/swt/browser/ > > WebFrameLoadDelegate.java > > Lakshmi, I looked at the windows port and I failed to find it storing the > certificate somewhere and whitelisting it for later usage so it is per http > session? As a side note, my initial P.O.C wasn't based on Windows implementation. It's just the first thing that crossed my mind. I never looked at windows implementation when I did the P.O.C.
I'll investigate.
(In reply to Alexander Kurtakov from comment #16) > (In reply to Lakshmi Shanmugam from comment #12) > > (In reply to Leo Ufimtsev from comment #5) > > > As a note, this already works on Cocoa and is handled by the browser. But > > > with Webkit we have to implement it manually. > > > > Hi Leo, > > Not sure how useful it is for gtk, the Webkit port for windows has an SWT > > implementation for the Invalid Certificate Dialog. > > Please see: > > http://git.eclipse.org/c/platform/eclipse.platform.swt.git/tree/bundles/org. > > eclipse.swt/Eclipse%20SWT%20WebKit/win32/org/eclipse/swt/browser/ > > WebFrameLoadDelegate.java > > Lakshmi, I looked at the windows port and I failed to find it storing the > certificate somewhere and whitelisting it for later usage so it is per http > session? Hi Alex, The Windows implementation doesn't store the certificate anywhere. IIRC, we didn't find a way/API to invoke the native certificate dialog or write to the certificate store. So, SWT creates it's own dialog similar to the one on Cocoa (https://bugs.eclipse.org/bugs/attachment.cgi?id=272798). All the actions such as showing the certificate, continue, cancel are implemented by SWT. The Cocoa Webkit implementation is different, when there is a certificate error, SWT invokes the dialog provided by Cocoa and it takes care of all the actions. http://git.eclipse.org/c/platform/eclipse.platform.swt.git/tree/bundles/org.eclipse.swt/Eclipse%20SWT%20WebKit/cocoa/org/eclipse/swt/browser/WebKit.java#n702
We don't need to store the certificate on Linux either, there is a way to get the certificate via callback and set the policy to ignore TLS warnings on it -- all using Webkit API, no storage needed.
New Gerrit change created: https://git.eclipse.org/r/125636
(In reply to Eclipse Genie from comment #21) > New Gerrit change created: https://git.eclipse.org/r/125636 This patch adds a system property (-Dorg.eclipse.swt.internal.webkitgtk.ignoretlserrors=true ) to allow setting webkitgtk to ignore tls/ssl issues (like webkit1 did). Should be useful for developers as they would not have to go through the same accept error/warning when working with self signed certificates. Lakshmi, I think it would be nice if there was smth like -Dorg.eclipse.swt.webkit.ignoretlserrors that applies for all OSes but it depends on whether there is interest from mac/win side.
Gerrit change https://git.eclipse.org/r/125636 was merged to [master]. Commit: http://git.eclipse.org/c/platform/eclipse.platform.swt.git/commit/?id=dca8ee994b2a4a77c38d398512ee5e53a9c77a6b
(In reply to Eclipse Genie from comment #23) > Gerrit change https://git.eclipse.org/r/125636 was merged to [master]. > Commit: > http://git.eclipse.org/c/platform/eclipse.platform.swt.git/commit/ > ?id=dca8ee994b2a4a77c38d398512ee5e53a9c77a6b Patch with the flag for ignoring all TLS errors is in master now. I am working on adding a dialog box that will allow for user input on a case by case basis.
Gerrit change https://git.eclipse.org/r/125666 was merged to [master]. Commit: http://git.eclipse.org/c/platform/eclipse.platform.swt.git/commit/?id=a8f4d8012ebe238243cfee7b3a063bd66a2b6f00
(In reply to Eclipse Genie from comment #25) > Gerrit change https://git.eclipse.org/r/125666 was merged to [master]. > Commit: > http://git.eclipse.org/c/platform/eclipse.platform.swt.git/commit/ > ?id=a8f4d8012ebe238243cfee7b3a063bd66a2b6f00 Patch adding a dialog box to prompt the user is in master now. Jeff/Andre, please try with an I-build next week to confirm the issue is fixed for you.
(In reply to Eric Williams from comment #26) > (In reply to Eclipse Genie from comment #25) > > Gerrit change https://git.eclipse.org/r/125666 was merged to [master]. > > Commit: > > http://git.eclipse.org/c/platform/eclipse.platform.swt.git/commit/ > > ?id=a8f4d8012ebe238243cfee7b3a063bd66a2b6f00 > > Patch adding a dialog box to prompt the user is in master now. Jeff/Andre, > please try with an I-build next week to confirm the issue is fixed for you. Congrats on your first Webkit contribution.
Testing with https://badssl.com/ (expired, wrong host ...) always says it's self-signed in the dialog. Either the dialog should be changed to more generic message "invalid SSL" or if possible the exact problem should be shown.
(In reply to Eric Williams from comment #26) > (In reply to Eclipse Genie from comment #25) > > Gerrit change https://git.eclipse.org/r/125666 was merged to [master]. > > Commit: > > http://git.eclipse.org/c/platform/eclipse.platform.swt.git/commit/ > > ?id=a8f4d8012ebe238243cfee7b3a063bd66a2b6f00 > Hi Eric, We shouldn't hard code the text in English in the MessageBox, it should be able to use the localized text if it's available. You can use the Compatibility.getMessage() method and any existing keys from SWTMessages.properties. You can add a new key with new text, the localized text will be shown when it's translated and available in the SWTMessages_<locale>.properties file.
I'll re-work the patch.
New Gerrit change created: https://git.eclipse.org/r/125838
Gerrit change https://git.eclipse.org/r/125838 was merged to [master]. Commit: http://git.eclipse.org/c/platform/eclipse.platform.swt.git/commit/?id=77730876131db1dee338b59ab954b3eb11345e9a
(In reply to Eclipse Genie from comment #32) > Gerrit change https://git.eclipse.org/r/125838 was merged to [master]. > Commit: > http://git.eclipse.org/c/platform/eclipse.platform.swt.git/commit/ > ?id=77730876131db1dee338b59ab954b3eb11345e9a The patch using SWT.getMessage() and more detailed error messages has been merged. I'll add the German translations of the new keys sometime this week on babel.
New Gerrit change created: https://git.eclipse.org/r/c/platform/eclipse.platform.swt/+/187112
New Gerrit change created: https://git.eclipse.org/r/c/platform/eclipse.platform.swt/+/187113
New Gerrit change created: https://git.eclipse.org/r/c/platform/eclipse.platform.swt/+/187114
Gerrit change https://git.eclipse.org/r/c/platform/eclipse.platform.swt/+/187112 was merged to [R4_8_maintenance]. Commit: http://git.eclipse.org/c/platform/eclipse.platform.swt.git/commit/?id=e7fc835f98668095b2764321f5b0b32fbb4682ba
Gerrit change https://git.eclipse.org/r/c/platform/eclipse.platform.swt/+/187113 was merged to [R4_8_maintenance]. Commit: http://git.eclipse.org/c/platform/eclipse.platform.swt.git/commit/?id=cf64e731fad77d795f6f5c43e914f4a20aa10ad7
Gerrit change https://git.eclipse.org/r/c/platform/eclipse.platform.swt/+/187114 was merged to [R4_8_maintenance]. Commit: http://git.eclipse.org/c/platform/eclipse.platform.swt.git/commit/?id=6c6a002d7f97b2a884b427b9df87f0ff68f7306a
New Gerrit change created: https://git.eclipse.org/r/c/platform/eclipse.platform.swt/+/187178
Gerrit change https://git.eclipse.org/r/c/platform/eclipse.platform.swt/+/187178 was merged to [R4_8_maintenance]. Commit: http://git.eclipse.org/c/platform/eclipse.platform.swt.git/commit/?id=558fac11f67c80d0f823310223883155adb495f7
