SSL Error on https://thimble.webmaker.org/ - SNI Issue? #11239

Open
st3fan opened this Issue Apr 15, 2013 · 14 comments

st3fan commented Apr 15, 2013

Running with --debug=true I see the following:

2013-04-15T14:29:15 [DEBUG] Network - SSL Error: "The host name did not match any of the valid hosts for this certificate"
2013-04-15T14:29:15 [DEBUG] Network - Resource request error: 6 ( "SSL handshake failed" ) URL: "https://thimble.webmaker.org/"

I suspect that PhantomJS is not supporting Server Name Indication properly. If the SNI extension is not used for TLS servers that require it, a (fatal) hostname mismatch will happen.

Is it possible that my version of PhantomJS is linked against an OpenSSL version that does not implement it?

I am using phantomjs-1.9.0-linux-x86_64

See http://en.wikipedia.org/wiki/Server_Name_Indication for more info about SNI. This is getting more and more common. All modern browsers support it.

st3fan commented Apr 15, 2013

BTW This also could explain some of the 'hangs' that I have been experiencing. It seems that on SSL errors, the page.open() callback is never called. I'm running with --ignore-ssl-errors=true now and that seems to help a lot. Although that is far from ideal of course.

Is that a known bug or should I file?

Are you describing the same issue here where a callback is not called in some SSL cases?
#10174?source=cc

Is the experience any better for you with 1.9.2?

I'm also seeing this on 1.9.7. We use SNI and I had to use --ignore-ssl-errors=true in order to get it working.

Confirming issue still present on 1.9.7 when trying to connect to a site with SNI. Only when parameter --ignore-ssl-errors=true is present the connection succeeds and page.open() is called.

pwaller commented May 6, 2014

For me it fails even when I specify --ignore-ssl-errors=true, with Network - Resource request error: 6 ( "SSL handshake failed" ). Any idea how this could happen? I'm on 1.9.0.

pwaller commented May 6, 2014

Ah, I was able to get it to succeed by specifying --ssl-protocol=TLSv1, then --ignore-ssl-errors=true is unnecessary.

--ssl-protocol=TLSv1 fixed it for me too, also using SNI

dmacvicar referenced this issue in teampoltergeist/poltergeist Jul 23, 2014
Closed

Problems with redirect to HTTPS #121

--ssl-protocol=TLSv1

works fine for me. thx.

dontcallmedom added a commit to dontcallmedom/mediacapture-main that referenced this issue Nov 4, 2014
ignoring ssl errors
(specref is hosted on a ssl server that uses SNI, but phantomjs doesn't support SNI :( ariya/phantomjs#11239
e440b41

PhantomJS does not support SNI extension.
See #12440 (comment)

dbrgn commented Aug 5, 2015

Still no SNI support? I also ran into this.

camaleo commented Aug 17, 2015

same problem here, no way to use it on a site using CloudFlare and ssl

Is it fixed in 2.0?

Is there a fix for this now?
Using --ssl-protocol=TLSv1 is not an option, since TLSv1 is insecure and disabled at an infrastructure level.

This seems to be fixed in 2.x. IMHO this issue can be closed.
