Client certificate not working #1221

Closed
kwindla opened this issue Mar 9, 2015 · 15 comments

@kwindla

kwindla commented Mar 9, 2015

Hi,

The docs list --ignore-certificate-errors as a supported chromium switch. I'm trying to set up a test/integration/development environment for my apps using self-signed certificates, but am not having any luck getting this switch to work. I'm using v0.21.3 on both Linux and OS X.

My code opens BrowserWindow content fine when pointed at servers with valid certs. But for GET requests to servers without valid certs, the DevTools always show that the network request never receives any bytes. I'm assuming this (silent) failure is a result of ssl validation failure inside chromium.

I've tried both:

var app = require ('app');
app.commandLine.appendSwitch ('ignore-certificate-errors');

var app = require ('app');
app.commandLine.appendSwitch ('ignore-certificate-errors', 'true');

Searching the github repo for the strings 'ignore-certificate-errors' and kIgnoreCertificateErrors doesn't produce any code results. I probably just don't understand how command line switches are wired up (I'll look more deeply), but I was wondering if this switch is, in fact, supported and whether the docs are up to date.

Thanks very much.

@deepak1556
Member

yup the flag is supported, it is implemented here https://github.com/brightray/brightray/blob/master/browser/url_request_context_getter.cc#L214 , the silent failure is probably due to not having this method https://code.google.com/p/chromium/codesearch#chromium/src/content/public/browser/content_browser_client.h&sq=package:chromium&l=391&type=cs , not quite sure. @zcbenz should this be implemented in brightray like how nw.js has it https://github.com/nwjs/nw.js/blob/c636f94c0e0cbdfd52fc89d095414585f6a16275/src/shell_content_browser_client.cc#L499 ?

EDIT: added link to the ignore-certificate-errors flag implementation in brightray, seems like I missed that the first time ;)

@zcbenz
Contributor

zcbenz commented Mar 10, 2015

> @zcbenz should this be implemented in brightray like how nw.js has it?

Yeah I think we should have it implemented in brightray.

@zcbenz
Contributor

zcbenz commented Mar 10, 2015

@kwindla Can you provide a test case for this? We can not reproduce it.

@kwindla
Author

kwindla commented Mar 11, 2015

Test case is here: https://github.com/kwindla/test-ignore-cert-errors

You folks having difficulty reproducing this worried me, so I did a little more digging to narrow things down more.

The certificate that was not working for me is the certificate that ships with webpack-dev-server. That certificate has an empty Common Name field.

Certificates with something in the Common Name field -- such as the certificate that ships with gulp-webserver -- work fine.

The test case covers both kinds of certificates.

@deepak1556
Member

Thanks for the test case. The problem was that webpack-dev-server creates the https server with the requestCert: true option https://github.com/webpack/webpack-dev-server/blob/a5a9e2ef40e133063b6f680ddbcbc4bc76186a35/lib/Server.js#L158 which expects a certificate from the client for a successful connection. I removed that option and ran the gulp tests, and now all pass.
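
Added example, not part of the thread and not webpack-dev-server's or Electron's code: a Node https server where requesting a client certificate is a configurable mode, so a client that cannot present one (as in the comment above) can still connect in 'none' or 'optional' mode. The function names, the mode names and the `pem` object (PEM strings the caller loads) are assumptions of this example.

```javascript
// Added example (not from the thread). Function and mode names are this
// example's own; requestCert, rejectUnauthorized and ca are Node tls options.
const https = require('https');

// mode: 'none' | 'optional' | 'required'. pem holds PEM strings the caller loads.
function tlsOptions(mode, pem) {
  const opts = { key: pem.key, cert: pem.cert };
  if (mode === 'none') return opts; // server never asks for a client certificate
  if (mode !== 'optional' && mode !== 'required') {
    throw new Error('unknown client-certificate mode: ' + mode);
  }
  if (!pem.clientCa) {
    // Without an explicit CA, Node falls back to its bundled public roots.
    throw new Error('clientCa is required when requesting client certificates');
  }
  opts.requestCert = true;                       // ask for a client certificate
  opts.rejectUnauthorized = mode === 'required'; // abort handshake if missing/invalid
  opts.ca = pem.clientCa;                        // issuer that client certs must chain to
  return opts;
}

// Per-request identity check; needed in 'optional' mode, where the handshake
// succeeds even when the client sent no certificate or an untrusted one.
function identify(req) {
  const sock = req.socket;
  if (!sock.authorized) {
    return { authenticated: false,
             reason: sock.authorizationError || 'no client certificate' };
  }
  const peer = sock.getPeerCertificate();
  return { authenticated: true,
           subject: (peer.subject && peer.subject.CN) || null,
           fingerprint: peer.fingerprint256 };
}

function startServer(mode, pem, port) {
  return https.createServer(tlsOptions(mode, pem), (req, res) => {
    const who = identify(req);
    const allowed = mode === 'none' || who.authenticated;
    res.writeHead(allowed ? 200 : 401, { 'Content-Type': 'application/json' });
    res.end(JSON.stringify(who));
  }).listen(port);
}
```

In 'required' mode a client without a valid certificate never reaches the request handler, because the handshake itself is rejected; in 'optional' mode the handler answers 401 instead.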

@deepak1556
Member

@zcbenz maybe this could be tracked as support for client-certificate or a new ticket perhaps?

zcbenz changed the title from "no luck using the ignore-certificate-errors switch" to "Client certificate not working" on Mar 11, 2015

@zcbenz
Contributor

zcbenz commented Mar 11, 2015

We can keep this open to track client certificate support, I have edited the title.

@zcbenz
Contributor

zcbenz commented Mar 23, 2015

It seems that no one cares about client certificate support, so I'm closing this.

zcbenz closed this as completed on Mar 23, 2015

@kwindla
Author

kwindla commented Mar 24, 2015

Just getting back to this, now. Thanks for figuring out the issue with webpack-dev-server. I don't particularly care about support for client certificates, just compatibility with webpack-dev-server. :-)

I'll submit a patch to webpack-dev-server to make the requestCert option configurable.

@thojansen

Hi @zcbenz .. actually we would be very interested in using client certificates 😄 as this is the way single sign-on is done for all our internal systems. There are a couple of open issues on nw.js and I have created a simple test case to set up a node server checking for client certificates and generate all the needed stuff around.
https://github.com/thojansen/client-certificates

Most browsers fetch client certificates from the system keystore and ask via a popup which one to use. There are also ways via group policies etc. to prevent this popup and automatically select the right certificate (e.g. depending on the issuer).

@zcbenz
Contributor

zcbenz commented Apr 29, 2015

@thojansen Sounds reasonable to me 👍

zcbenz reopened this on Apr 29, 2015

@kjlaw89

kjlaw89 commented May 13, 2015

@zcbenz I have a work project that also makes heavy use of client certificates. It would be great if they could get implemented in Electron.

While having Electron pull from the system keystore would be one step, it would also be useful if we could manually pass in a certificate that we bundle with our application. That way it wouldn't be necessary for our clients to install a separate certificate to access our system but we could still lock down access to our server just to people who are using the application.

@kjlaw89

kjlaw89 commented May 28, 2015

Hey @zcbenz, I don't know if it would help any but I think the CEF project just recently implemented client certificates: https://bitbucket.org/chromiumembedded/cef/issue/1608/add-support-for-client-certificate-ssl

@thojansen

looks good 👍

@kjlaw89

kjlaw89 commented Jun 1, 2015

Hey guys, we'd really like to see this implemented, so we posted a $250 bounty for it on Bounty Source: https://www.bountysource.com/issues/9338919-client-certificate-not-working

We're hoping we can get a couple things out of this:

  1. Ability to select client certificate from system store
  2. We'd really like the ability to provide the client certificate from a local pem/p12 (with passphrase) (this would have to happen before it defaults to the system store)
  3. @thojansen mentioned in the NW.js thread the ability to handle group policies for auto-selecting client certificates, it'd be great if this was implemented too

1 is a must for this, but we'd love to have 2 and 3!

Here's the NW.js thread for reference:
nwjs/nw.js#893
