Skip to content

[Bug]: Timeout if host is only reacheable via a proxy and client certificates settings is set #34873

New issue
New issue
Open
#36553
#35990
Open
[Bug]: Timeout if host is only reacheable via a proxy and client certificates settings is set#34873
#36553
#35990
Assignees
mxschmitt
Labels
open-to-a-pull-requestThe feature request looks good, we are open to reviewing a PR
@mmacvicar

Description

@mmacvicar
mmacvicar
opened on Feb 20, 2025 · edited by mmacvicar

Version

1.50.1

Steps to reproduce

  1. Clone https://github.com/mmacvicar/playwright-issue-report
  2. make check-etc-hosts
  3. make run

Expected behavior

Playwright should be able to reach a domain thorugh the proxy, regardless of any client certificates configuration. Particularly if they are unrelated to that domain.

Actual behavior

If any client certificates configuration is used. Playwright will fail to open or wrongly infer the protocol for any domain which is only available through a proxy. There are at least 3 scenarios to consider:

  • Playwright can resolve the domain but it is unroutable (i.e behind a VPN, another network, only possible through the proxy). In this case, it will timeout as it tries to do ALPN without using the proxy (ALPNCache at

    playwright/packages/playwright-core/src/server/socksClientCertificatesInterceptor.ts

    Line 42 in bb8e914

    class ALPNCache {
    ). This one has the biggest impact as it just wont work, it is the common case of domains behind VPNs, they can be resolved but wont reply outside the VPN.
  • Playwright cannot even resolve th edomain. In this case, ALPN will fail fast and wrongly assume the protocol as http 1.1.
  • A server might require a client certificate to finish the handshake, this would also make ALPN fail fast and assume http 1.1. I did not look at all at this.

Additional context

The correct behavir would be for ALPNCache to use both the proxy agent and the already created secure context to establish the TLS connection. I think @mxschmitt has a lot of context as he has been adding client certificates and later proxy support (thanks a lot).

I can fix this if this solution makes sense.

Environment

System:
    OS: Linux 6.13 Arch Linux
    CPU: (14) x64 Intel(R) Core(TM) Ultra 7 165U
    Memory: 47.72 GB / 62.25 GB
    Container: Yes
  Binaries:
    Node: 22.9.0 - ~/.nvm/versions/node/v22.9.0/bin/node
    npm: 10.8.3 - ~/.nvm/versions/node/v22.9.0/bin/npm
    pnpm: 9.13.1 - ~/.nvm/versions/node/v22.9.0/bin/pnpm
    bun: 1.1.38 - ~/.bun/bin/bun
  Languages:
    Bash: 5.2.37 - /usr/bin/bash

Activity

mmacvicar
changed the title [-][Bug]: Timeout if host is only reacheable via a proxy and any client certificates is added to the context settings (even unrelated domains).[/-] [+][Bug]: Timeout if host is only reacheable via a proxy and client certificates settings is set[/+] on Feb 20, 2025
hvaz

hvaz commented on Feb 20, 2025

@hvaz
hvaz
on Feb 20, 2025

Very serious bug. Thanks for catching this. Finally understood why I have been running into some issues

Skn0tt
assigned
mxschmitt
on Feb 20, 2025
mxschmitt
added
v1.51
on Feb 20, 2025
banduk

banduk commented on Feb 20, 2025

@banduk
banduk
on Feb 20, 2025

Nice. That fix would also help me!

mxschmitt

mxschmitt commented on Feb 20, 2025

@mxschmitt
mxschmitt
on Feb 20, 2025
Member

Sounds reasonable - happy to review a patch for it!

AndreAffonso

AndreAffonso commented on Feb 20, 2025

@AndreAffonso
AndreAffonso
on Feb 20, 2025

+1 here

Skn0tt
added
open-to-a-pull-requestThe feature request looks good, we are open to reviewing a PR
and removed
v1.51
on Feb 24, 2025
mmacvicar

mmacvicar commented on Feb 25, 2025

@mmacvicar
mmacvicar
on Feb 25, 2025
Author

Working on it

mmacvicar
mentioned this on Feb 27, 2025
mmacvicar

mmacvicar commented on Feb 27, 2025

@mmacvicar
mmacvicar
on Feb 27, 2025
Author

Here it is #34939

Zemotacqy
linked a pull request that will close this issue on May 19, 2025
mxschmitt
linked a pull request that will close this issue on Jul 3, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

Labels

open-to-a-pull-requestThe feature request looks good, we are open to reviewing a PR

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

    Development

    Participants

    @mmacvicar@banduk@hvaz@Skn0tt@AndreAffonso

    Issue actions
      [Bug]: Timeout if host is only reacheable via a proxy and client certificates settings is set · Issue #34873 · microsoft/playwright