[Bug]: Timeout if host is only reacheable via a proxy and client certificates settings is set #34873
Description
Version
1.50.1
Steps to reproduce
- Clone https://github.com/mmacvicar/playwright-issue-report
- make check-etc-hosts
- make run
Expected behavior
Playwright should be able to reach a domain thorugh the proxy, regardless of any client certificates configuration. Particularly if they are unrelated to that domain.
Actual behavior
If any client certificates configuration is used. Playwright will fail to open or wrongly infer the protocol for any domain which is only available through a proxy. There are at least 3 scenarios to consider:
- Playwright can resolve the domain but it is unroutable (i.e behind a VPN, another network, only possible through the proxy). In this case, it will timeout as it tries to do ALPN without using the proxy (ALPNCache at ). This one has the biggest impact as it just wont work, it is the common case of domains behind VPNs, they can be resolved but wont reply outside the VPN.
- Playwright cannot even resolve th edomain. In this case, ALPN will fail fast and wrongly assume the protocol as http 1.1.
- A server might require a client certificate to finish the handshake, this would also make ALPN fail fast and assume http 1.1. I did not look at all at this.
Additional context
The correct behavir would be for ALPNCache to use both the proxy agent and the already created secure context to establish the TLS connection. I think @mxschmitt has a lot of context as he has been adding client certificates and later proxy support (thanks a lot).
I can fix this if this solution makes sense.
Environment
System:
OS: Linux 6.13 Arch Linux
CPU: (14) x64 Intel(R) Core(TM) Ultra 7 165U
Memory: 47.72 GB / 62.25 GB
Container: Yes
Binaries:
Node: 22.9.0 - ~/.nvm/versions/node/v22.9.0/bin/node
npm: 10.8.3 - ~/.nvm/versions/node/v22.9.0/bin/npm
pnpm: 9.13.1 - ~/.nvm/versions/node/v22.9.0/bin/pnpm
bun: 1.1.38 - ~/.bun/bin/bun
Languages:
Bash: 5.2.37 - /usr/bin/bashMetadata
Metadata
Assignees
Type
Projects
Milestone
Relationships
Development
Participants
Activity
[-][Bug]: Timeout if host is only reacheable via a proxy and any client certificates is added to the context settings (even unrelated domains).[/-][+][Bug]: Timeout if host is only reacheable via a proxy and client certificates settings is set[/+]hvaz commentedon Feb 20, 2025
Very serious bug. Thanks for catching this. Finally understood why I have been running into some issues
banduk commentedon Feb 20, 2025
Nice. That fix would also help me!
mxschmitt commentedon Feb 20, 2025
Sounds reasonable - happy to review a patch for it!
AndreAffonso commentedon Feb 20, 2025
+1 here
mmacvicar commentedon Feb 25, 2025
Working on it
mmacvicar commentedon Feb 27, 2025
Here it is #34939
mxschmitt commentedon Aug 1, 2025
@mmacvicar @AndreAffonso @hvaz the issue should be fixed in our Canary releases:
npm i -D @playwright@next- could you try it there and report it back if its working or not?(Debug logs can be observed via
DEBUG=pw:client-certificatesenv var)Thanks!