bitwiseworks / qtwebengine-chromium-os2

Port of Chromium and related tools to OS/2

Fix "Server certificate is not trusted" errors #19

Closed dmik closed 4 years ago

dmik commented 4 years ago

An attempt to visit a web page via HTTPS leads to certificate check failures, see https://github.com/bitwiseworks/qtwebengine-os2/issues/6#issuecomment-674418213:

The following console entries may be related:

[14830:6:0815/195636.986000:ERROR:cert_verify_proc_builtin.cc(463)] No net_fetcher for performing AIA chasing.
[14830:5:0815/195636.990000:ERROR:ssl_client_socket_impl.cc(962)] handshake failed; returned -1, SSL error code 1, net_error -202
wztest commented 4 years ago

The first one should be for getting the cert information, maybe a path issue in the path_builder. Why could the pages in the screenshots load using HTTPS?

dmik commented 4 years ago

@wztest There is a dialog window on one of the screenshots that allows you to override the security check. Once done, the page is loaded fine via HTTPS. Fixing it should be easy, just needs some time to figure it all out.

dmik commented 4 years ago

Enabling verbose (--v=1) logging gives us some more detail:

[20402:4:0829/020742.657000:WARNING:ev_root_ca_metadata.cc(1055)] Not implemented
[20402:4:0829/020742.657000:WARNING:ev_root_ca_metadata.cc(1055)] Not implemented
[20402:4:0829/020742.670000:ERROR:cert_verify_proc_builtin.cc(463)] No net_fetcher for performing AIA chasing.
[20402:4:0829/020742.680000:VERBOSE1:path_builder.cc(146)] CertIssuersIter(CN=sni.cloudflaressl.com,O=Cloudflare\, Inc.,L=San Francisco,ST=CA,C=US(CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US)) created
[20402:4:0829/020742.682000:VERBOSE1:path_builder.cc(467)] CertPathIter cur_path_ = CN=sni.cloudflaressl.com,O=Cloudflare\, Inc.,L=San Francisco,ST=CA,C=US(CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US)
[20402:4:0829/020742.692000:VERBOSE1:path_builder.cc(185)] CertIssuersIter(CN=sni.cloudflaressl.com,O=Cloudflare\, Inc.,L=San Francisco,ST=CA,C=US(CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US)): returning issuer 0 of 1
[20402:4:0829/020742.692000:VERBOSE1:path_builder.cc(146)] CertIssuersIter(CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US(CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE)) created
[20402:4:0829/020742.692000:VERBOSE1:path_builder.cc(467)] CertPathIter cur_path_ = CN=sni.cloudflaressl.com,O=Cloudflare\, Inc.,L=San Francisco,ST=CA,C=US(CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US) <- CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US(CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE)
[20402:4:0829/020742.694000:VERBOSE1:path_builder.cc(195)] CertIssuersIter(CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US(CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE)) Reached the end of all available issuers.
[20402:4:0829/020742.694000:VERBOSE1:path_builder.cc(415)] CertPathIter backtracking...
[20402:4:0829/020742.699000:VERBOSE1:path_builder.cc(195)] CertIssuersIter(CN=sni.cloudflaressl.com,O=Cloudflare\, Inc.,L=San Francisco,ST=CA,C=US(CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US)) Reached the end of all available issuers.
[20402:4:0829/020742.699000:VERBOSE1:path_builder.cc(415)] CertPathIter backtracking...
[20402:4:0829/020742.699000:VERBOSE1:path_builder.cc(399)] CertPathIter exhausted all paths...
[20402:5:0829/020742.797000:ERROR:ssl_client_socket_impl.cc(962)] handshake failed; returned -1, SSL error code 1, net_error -202
[20402:5:0829/020742.797000:VERBOSE1:openssl_util.cc(48)] OpenSSL ERR_get_error stack from DoHandshake@../../../../../qt5/qtwebengine/src/3rdparty/chromium/net/socket/ssl_client_socket_impl.cc:932
[20402:5:0829/020742.799000:VERBOSE1:openssl_util.cc(31)]   539158920:error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED:../../../../../qt5/qtwebengine/src/3rdparty/chromium/third_party/boringssl/src/ssl/handshake.cc:353:
[20402:5:0829/020742.891000:VERBOSE1:ssl_manager.cc(160)] OnSSLCertificateError() cert_error: -202 resource_type: 0 url: https://httpsiseasy.com/ cert_status: 4

Error -202 is CERT_AUTHORITY_INVALID. Somehow Google cannot check the authority of the certificate (Cloudflare). Perhaps it doesn't integrate with the local trusted certificate database we have for the OpenSSL RPM or such.

wztest commented 4 years ago

I missed this dialog somehow, and the Google screenshot was only using the HTTP protocol. In case the Linux code is used for the cert store handling, then it's the Mozilla Network Security Services (NSS); it should be the same one that we shipped with Firefox.

dmik commented 4 years ago

Yes, we surely use the Linux code path in Chromium for certificates, and that uses NSS indeed. It was disabled in the config (due to is_linux checks being false). I enabled those parts of the config on OS/2 as well, and it triggered the full rebuild (10 565 build targets, around 15 hours). Will report once done whether that solves the problem.

dmik commented 4 years ago

Aligned to OS/2 and built. NSS seems to kick in but is not fully working so far:

[60972:4:0905/021808.002000:ERROR:nss_util.cc(748)] After loading Root Certs, loaded==false: No such file or directory
[60972:4:0905/021808.256000:ERROR:cert_verify_proc_nss.cc(979)] CERT_PKIXVerifyCert for httpsiseasy.com failed err=-8179
[60972:5:0905/021808.262000:ERROR:ssl_client_socket_impl.cc(962)] handshake failed; returned -1, SSL error code 1, net_error -202
[60972:4:0905/021811.717000:ERROR:cert_verify_proc_nss.cc(979)] CERT_PKIXVerifyCert for fonts.googleapis.com failed err=-8179
[60972:5:0905/021811.756000:ERROR:ssl_client_socket_impl.cc(962)] handshake failed; returned -1, SSL error code 1, net_error -202
[60972:4:0905/021812.404000:ERROR:cert_verify_proc_nss.cc(979)] CERT_PKIXVerifyCert for www.youtube.com failed err=-8179
[60972:5:0905/021812.408000:ERROR:ssl_client_socket_impl.cc(962)] handshake failed; returned -1, SSL error code 1, net_error -202
[60972:5:0905/021812.412000:ERROR:ssl_client_socket_impl.cc(962)] handshake failed; returned -1, SSL error code 1, net_error -202
[60972:5:0905/021812.766000:ERROR:ssl_client_socket_impl.cc(962)] handshake failed; returned -1, SSL error code 1, net_error -202
[60972:5:0905/021816.617000:ERROR:ssl_client_socket_impl.cc(962)] handshake failed; returned -1, SSL error code 1, net_error -202
[60972:4:0905/021818.164000:ERROR:cert_verify_proc_nss.cc(979)] CERT_PKIXVerifyCert for fonts.gstatic.com failed err=-8179
[60972:5:0905/021818.172000:ERROR:ssl_client_socket_impl.cc(962)] handshake failed; returned -1, SSL error code 1, net_error -202
...
[60972:28:0905/021826.949000:ERROR:cert_verify_proc_nss.cc(979)] CERT_PKIXVerifyCert for googleads.g.doubleclick.net failed err=-8179
[60972:5:0905/021826.951000:ERROR:ssl_client_socket_impl.cc(962)] handshake failed; returned -1, SSL error code 1, net_error -202
[60972:28:0905/021827.035000:ERROR:cert_verify_proc_nss.cc(979)] CERT_PKIXVerifyCert for static.doubleclick.net failed err=-8179
[60972:5:0905/021827.037000:ERROR:ssl_client_socket_impl.cc(962)] handshake failed; returned -1, SSL error code 1, net_error -202

And so on. Still needs some work, it seems.
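The failure the logs above describe (the path builder walks leaf -> intermediate, then "Reached the end of all available issuers" and "exhausted all paths" because no trust anchor is loaded, surfacing as CERT_AUTHORITY_INVALID / -202 and, once NSS is in the picture, err=-8179) can be reproduced offline. The following is an added Go example, not code from Chromium or from the qtwebengine-chromium-os2 project. Everything in it is constructed: the three certificates, their keys and the hostname `www.example.test` are generated at run time and stand in for the Baltimore -> Cloudflare -> sni.cloudflaressl.com chain in the log; the mapping of -8179 to NSS's SEC_ERROR_UNKNOWN_ISSUER is not stated on the page and is taken from the NSS error table.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed hostname for the leaf; stands in for httpsiseasy.com in the log.
const leafHost = "www.example.test"

// chain is a constructed root -> intermediate -> leaf hierarchy. None of these
// are real CA certificates; they only mirror the shape of the chain in the log.
type chain struct {
	root, intermediate, leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues a certificate from tmpl, signed with the parent's private key.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// buildChain generates fresh keys and the three constructed certificates.
func buildChain() chain {
	now := time.Now()
	rootKey, intKey, leafKey := newKey(), newKey(), newKey()
	caTmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn, Organization: []string{"Constructed Example"}},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(24 * time.Hour),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	rootTmpl := caTmpl(1, "Constructed Test Root")
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed anchor
	intermediate := sign(caTmpl(2, "Constructed Test Issuing CA"), root, &intKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: leafHost},
		DNSNames:     []string{leafHost},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := sign(leafTmpl, intermediate, &leafKey.PublicKey, intKey)
	return chain{root: root, intermediate: intermediate, leaf: leaf}
}

// verifyWithRoots does what Chromium's path builder does: it chains the leaf
// through the supplied intermediate and looks for a trusted anchor. The trust
// store is empty unless trustRoot is set, which is the state the log shows when
// NSS fails to load its root certificates. Returns the length of the first chain.
func verifyWithRoots(c chain, trustRoot bool) (int, error) {
	roots := x509.NewCertPool() // non-nil and empty: must NOT fall back to the system store
	if trustRoot {
		roots.AddCert(c.root)
	}
	intermediates := x509.NewCertPool()
	intermediates.AddCert(c.intermediate)
	chains, err := c.leaf.Verify(x509.VerifyOptions{DNSName: leafHost, Roots: roots, Intermediates: intermediates})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

// isUnknownAuthority reports whether every issuer was exhausted without reaching
// a trusted root: Go's counterpart of CERT_AUTHORITY_INVALID (-202) and of NSS's
// SEC_ERROR_UNKNOWN_ISSUER (-8179).
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	c := buildChain()
	for _, trust := range []bool{false, true} {
		n, err := verifyWithRoots(c, trust)
		fmt.Printf("root trusted=%v: chain length=%d unknown authority=%v err=%v\n", trust, n, isUnknownAuthority(err), err)
	}
}
```

The first run, with the empty pool, fails the same way the browser does; the second, with the root added, returns a three-certificate chain. The point for anyone debugging this port is that the intermediate is fine and the leaf is fine: the verifier has nothing to anchor to, so the fix belongs in root-store loading (the `nss_util.cc` "After loading Root Certs, loaded==false" line), not in the certificate path or in clicking through the override dialog.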