KeyPinning/SSLErrorHandler #624

Closed
inkeliz opened this issue Nov 11, 2020 · 21 comments
Labels: feature request, tracked (We are tracking this work internally.)

Comments

@inkeliz

inkeliz commented Nov 11, 2020

Is your feature request related to a problem? Please describe.

As of today, it seems that it doesn't have any option to verify the website certificate.

Use cases:

  • Prevent connections from untrusted sources:
    • Sometimes you want to trust a single Certificate Authority or one certificate in particular, instead of trusting any authority on the client's machine.
  • Allow custom certificates (without needing to trust them globally on Windows).
    • Some applications might talk with other local network devices, which usually have self-signed certificates.
    • Some developers, during the development process, could ignore certificate verification, which might help with testing.

Describe the solution you'd like and alternatives you've considered

I couldn't find anything related to that. The closest option is to trust the certificate at the machine/user level, not at the application level. It doesn't fix all the issues; key pinning is still not possible.

There must be some option to "handle SSL error", which allows the developer to choose what to do and allows them to render the page.

AB#30260332

@inkeliz added the "feature request" label Nov 11, 2020
@champnic added the "tracked" (We are tracking this work internally.) label Nov 11, 2020
@champnic
Member

Thanks for the feature request - I've added it as a scenario on our backlog.

@darkguy2008

So this means ServerCertificateCustomValidationCallback = (req,cert,chain,errors) => true won't work to make my WinForms app using WebView2 bypass the error when connecting to https://localhost:4200 with a self-signed certificate in an Angular app?

@Iucapad

Iucapad commented Jun 7, 2021

That's exactly what I am looking for. I wish I could allow my self-signed certificate from a device that is not connected to the Internet (smart car powered by a Raspberry Pi, used on the local network). Definitely looking for that feature.

@gingters

I also would need this feature.
We are planning a hybrid app (WebView2 in WinForms) that talks to a web service on the local network which does not have a valid TLS certificate, but a self-signed one. We don't want to make all machines that run the client application trust the self-signed cert. With CefSharp we can provide the cert to a custom callback, validate it there and allow our own cert, but this doesn't seem to be exposed in WebView2 yet.
Is there any ETA on that idea? I guess this is a pretty common scenario when working with a webview.

@champnic
Member

Thanks for the feedback! This work is not scheduled for this quarter, but high on our backlog, so next quarter would be the earliest we are able to deliver this functionality.

@Steinblock

@gingters

I too am waiting for this feature.

As a workaround I currently disable all certificate errors (found this solution on stackoverflow).

This is not as good as pinning my self signed certificate since it allows all certificates and is vulnerable to MITM attacks but since I control which urls can be accessed and the software is used in a controlled local network environment this is ok for me for now.

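        private void Init()
        {
            // Apply the workaround once the CoreWebView2 instance has been created.
            this.webView.CoreWebView2InitializationCompleted += WebView_CoreWebView2InitializationCompleted;
        }

        private async void WebView_CoreWebView2InitializationCompleted(object sender, CoreWebView2InitializationCompletedEventArgs e)
        {
            // If initialization failed, CoreWebView2 is null and there is nothing to configure.
            if (!e.IsSuccess) return;

            // DevTools Protocol call: the WebView ignores ALL certificate errors from here on (no pinning).
            await webView.CoreWebView2.CallDevToolsProtocolMethodAsync("Security.setIgnoreCertificateErrors", "{\"ignore\": true}");
        }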

@trametheka

Hey @champnic, are there any updates on how this is progressing or an ETA? Thanks!

@monica-ch
Contributor

@trametheka We are working on the API design, and you can expect an API review spec doc soon for feedback. An experimental feature should be available by mid-March.

@monica-ch
Contributor

monica-ch commented Mar 1, 2022

Hi all, we've completed our design for the Server Certificate API! Please review the pull request and add any feedback you have about this API. We appreciate your input and support!

@trametheka

Hi @monica-ch,

Spec looks like everything I need, look forward to the implementation!

@monica-ch
Contributor

Hi all! Server certificate API is in our pre-release package and is ready to be tried out in an experimental state. Try it out and let us know your feedback!

Win32 API: https://docs.microsoft.com/en-us/microsoft-edge/webview2/reference/win32/icorewebview2experimental15?view=webview2-1.0.1222-prerelease

.NET API: https://docs.microsoft.com/en-us/dotnet/api/microsoft.web.webview2.core.corewebview2.servercertificateerrordetected?view=webview2-dotnet-1.0.1222-prerelease

@trametheka

@monica-ch Just wanted to touch base and say I've been using this in prerelease and it is working as expected. Looking forward to it in Evergreen. Cheers!

@DexterWoo

The ServerCertificateErrorDetected event will not fulfill the KeyPinning feature.
Our security policy requires us to validate the certificate even if it's trusted by the system.
Is it possible to provide another event like ServerCertificateReceived?

@Daniellled

> The ServerCertificateErrorDetected event will not fulfill the KeyPinning feature. Our security policy requires us to validate the certificate even if it's trusted by the system. Is it possible to provide another event like ServerCertificateReceived?

I agree the ServerCertificateErrorDetected is not KeyPinning. I would love to see this feature.

@monica-ch
Contributor

monica-ch commented Jul 18, 2022

@DexterWoo Thanks for the request. Can you create a separate issue (Feature request) with us from here?

@Daniellled

Daniellled commented Jul 18, 2022

When I read this request, I think what the user is looking for is something like RemoteCertificateValidationCallback, where the developer can validate the certificates.

I worry about the following example.

Assume a WebView2 is used in WPF and it is set to render www.BankOfAmerica.com. Someone could purchase FakeBankOfAmerica.com and purchase a valid SSL.

If someone were to modify their DNS to point not to the real BankOfAmerica.com but to a FakeBankOfAmerica.com, the page would render just fine to the end user of the WPF app.

Users should be able to code their applications to pin to a specific certificate. In the above example, the SSL belonging to BankOfAmerica.com.

@inkeliz
Author

inkeliz commented Jul 19, 2022

> If someone were to modify their DNS to point not to the real BankOfAmerica.com but to a FakeBankOfAmerica.com, the page would render just fine to the end user of the WPF app.

I'm unsure if that is true. If you are entering BankOfAmerica.com you must have a valid certificate for BankOfAmerica.com, which you don't have (not one from a trusted CA). You can modify your own drivers\etc\hosts to redirect any domain to any arbitrary IP address, including localhost, and provide any SSL certificate. If the domain doesn't match against BankOfAmerica.com it will be invalid.

KeyPinning is not always possible, but it sounds possible if you use a "not trusted certificate" (from the OS perspective). If you have a custom CA, then it will always hit the SSL error; then you can use get_ServerCertificate, check the certificate and error, and allow the connection based on your public key. But there's a BIG catch here. SSL errors can happen for multiple reasons, for instance: wrong signature, untrusted issuer, invalid expiration/creation dates, invalid hostname, unsupported algorithm (...). I'm not sure exactly what COREWEBVIEW2_WEB_ERROR_STATUS_CERTIFICATE_IS_INVALID is actually reporting.
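
An added example, not part of the thread and not the WebView2 project's own code: a ServerCertificateErrorDetected handler that applies the approach described above (allow the connection only for one host whose certificate public key matches a pin) as a narrower alternative to the Security.setIgnoreCertificateErrors workaround. PinnedHost and PinnedSpkiSha256 are placeholders; the code assumes .NET 6 or later and that an untrusted issuer is reported as CertificateIsInvalid.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Web.WebView2.Core;

public static class PinnedCertificatePolicy
{
    // Placeholders (assumptions, not from the thread): the one host to pin and the
    // base64 SHA-256 hash of its certificate's SubjectPublicKeyInfo.
    private const string PinnedHost = "device.example.internal";
    private const string PinnedSpkiSha256 = "<BASE64-SHA256-OF-SPKI>";

    public static void Attach(CoreWebView2 core) =>
        core.ServerCertificateErrorDetected += OnServerCertificateError;

    private static void OnServerCertificateError(
        object sender, CoreWebView2ServerCertificateErrorDetectedEventArgs e)
    {
        // Fail closed: every path that returns early leaves the request blocked.
        e.Action = CoreWebView2ServerCertificateErrorAction.Cancel;

        // Never extend the exception to any other host.
        if (!Uri.TryCreate(e.RequestUri, UriKind.Absolute, out Uri uri) ||
            !string.Equals(uri.Host, PinnedHost, StringComparison.OrdinalIgnoreCase))
            return;

        // Tolerate only the generic "invalid" status (assumed to be what an untrusted
        // issuer produces). Expired, revoked or wrong-name certificates stay blocked.
        if (e.ErrorStatus != CoreWebView2WebErrorStatus.CertificateIsInvalid)
            return;

        using X509Certificate2 cert = e.ServerCertificate.ToX509Certificate2();

        // The status is coarse, so re-check the validity window explicitly.
        DateTime now = DateTime.Now; // NotBefore/NotAfter are expressed in local time
        if (now < cert.NotBefore || now > cert.NotAfter)
            return;

        // Pin on the public key rather than the whole certificate, so the
        // certificate can be reissued with the same key pair.
        byte[] spki = cert.PublicKey.ExportSubjectPublicKeyInfo();
        string actual = Convert.ToBase64String(SHA256.HashData(spki));
        if (string.Equals(actual, PinnedSpkiSha256, StringComparison.Ordinal))
            e.Action = CoreWebView2ServerCertificateErrorAction.AlwaysAllow;
    }
}
```

As the comments in this thread point out, the event is raised only when WebView2 reports a certificate error, so this handler does not pin certificates that the OS already trusts.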

@Daniellled

> > If someone were to modify their DNS to point not to the real BankOfAmerica.com but to a FakeBankOfAmerica.com, the page would render just fine to the end user of the WPF app.
>
> I'm unsure if that is true. If you are entering BankOfAmerica.com you must have a valid certificate for BankOfAmerica.com, which you don't have (not one from a trusted CA). You can modify your own drivers\etc\hosts to redirect any domain to any arbitrary IP address, including localhost, and provide any SSL certificate. If the domain doesn't match against BankOfAmerica.com it will be invalid.
>
> KeyPinning is not always possible, but it sounds possible if you use a "not trusted certificate" (from the OS perspective). If you have a custom CA, then it will always hit the SSL error; then you can use get_ServerCertificate, check the certificate and error, and allow the connection based on your public key. But there's a BIG catch here. SSL errors can happen for multiple reasons, for instance: wrong signature, untrusted issuer, invalid expiration/creation dates, invalid hostname, unsupported algorithm (...). I'm not sure exactly what COREWEBVIEW2_WEB_ERROR_STATUS_CERTIFICATE_IS_INVALID is actually reporting.

Assume they have a valid certificate. Also assume the fake domain isn't as bad as FakeBankOfAmerica.com.

The way this feature is implemented, the certificate would be valid since it is provided by a trusted CA. Thus no ServerCertificateErrorDetected event is raised.

@SvenPStarFinanz

DexterWoo, we've managed custom server certificate checking with the ICoreWebView2DevToolsProtocolEventReceivedEventHandler interface and a "Security.visibleSecurityStateChanged" eventName in the GetDevToolsProtocolEventReceiver. In the callback you receive a JSON structure with the server certificates. It was not possible for us to block every request in the case of an unwanted certificate, but it's a beginning.

@prettydiff

prettydiff commented Jul 19, 2022

> The way this feature is implemented, the certificate would be valid since it is provided by a trusted CA. Thus no ServerCertificateErrorDetected event is raised.

What about the scenario of a valid certificate (or certificate chain) that is untrusted because the self-signed root is not installed into the OS root store?

In this case the cert installation into the OS would require an administrative shell or sudo to install. The OS root certificate store is not needed for an application making use of a localhost server, as the cert is only needed to connect the webview to a local service instance. The webview would still display a certificate error in this case. And in this scenario the certificate may or may not be dynamically generated by the given application/session for increased security, but not so if the webview always displays a certificate error.

@champnic
Member

This work should now be available in SDKs 1.0.1245.22+. Thanks!
