Ignore SSL certificate errors when connecting to a end point on a self signed certificate

[avirauto]

We are trying to automate testing of a app which is deployed locally. When lightpanda is used as a CDP server, I am unable to connect to the app that is deployed locally with a self signed certificate. I get the below error

Url: https://localhost:6000/login

cdpserver % ./lightpanda-aarch64-macos --host 127.0.0.1 --port 9222
info(websocket): starting blocking worker to listen on 127.0.0.1:9222
info(server): accepting new conn...
info(server): client connected
error(server): do error: error.TlsInitializationFailed
info(server): accepting new conn...

Is there a way to ignore the certificate errors when running as a CDP server?

[krichprollsch]

Hello @avirauto, thanks for the issue.
I'm able to reproduce your issue with https://self-signed.badssl.com

We are using https://github.com/ianic/tls.zig for TLS connection.
I'm not sure if an option to disable cert verification exists.

I have to check in detail.

[krichprollsch]

$ zig build run -- https://self-signed.badssl.com/
debug(cli): Fetch mode: url https://self-signed.badssl.com/, dump false
debug(browser): start js env
debug(browser): setup global env
debug(polyfill): load polyfill-fetch: undefined
debug(browser): starting GET https://self-signed.badssl.com/
error(cli): 'https://self-signed.badssl.com/' fetching error (error.TlsInitializationFailed)s

usage: /home/pierre/wrk/browser/.zig-cache/o/1883af76469c1c213389d9df4972e355/lightpanda [options] [URL]

  start Lightpanda browser

  * if an url is provided the browser will fetch the page and exit
  * otherwhise the browser starts a CDP server

  -h, --help      Print this help message and exit.
  --verbose       Display all logs. By default only info, warn and err levels are displayed.
  --host          Host of the CDP server (default "127.0.0.1")
  --port          Port of the CDP server (default "9222")
  --timeout       Timeout for incoming connections of the CDP server (in seconds, default "3")
  --dump          Dump document in stdout (fetch mode only)
No memory leaks
error: Usage
/home/pierre/wrk/browser/vendor/tls.zig/src/handshake_common.zig:234:13: 0x1bd1d7e in parseCertificate (lightpanda)
            return error.CertificateIssuerNotFound;
            ^
/home/pierre/wrk/browser/vendor/tls.zig/src/handshake_client.zig:372:29: 0x1bd6151 in readServerFlight1 (lightpanda)
                            try h.cert.parseCertificate(&d, h.tls_version);
                            ^
/home/pierre/wrk/browser/vendor/tls.zig/src/handshake_client.zig:188:13: 0x1c380b4 in handshake (lightpanda)
            try h.readServerFlight1(); // server flight 1
            ^
/home/pierre/wrk/browser/vendor/tls.zig/src/main.zig:26:19: 0x1c39205 in client__anon_24698 (lightpanda)
    conn.cipher = try h.handshake(conn.stream, opt);
                  ^
/home/pierre/wrk/browser/src/http/Client.zig:1362:18: 0x1b7967c in connectTcp (lightpanda)
        }) catch return error.TlsInitializationFailed;
                 ^
/home/pierre/wrk/browser/src/http/Client.zig:1494:14: 0x1b202ba in connect (lightpanda)
    } orelse return client.connectTcp(host, port, protocol);
             ^
/home/pierre/wrk/browser/src/http/Client.zig:1642:9: 0x1ad9ea5 in open (lightpanda)
        try client.connect(valid_uri.host.?.raw, uriPort(valid_uri, protocol), protocol);
        ^
/home/pierre/wrk/browser/src/browser/loader.zig:62:22: 0x1ad90b1 in get (lightpanda)
        resp.req.* = try self.client.open(.GET, uri, .{
                     ^
/home/pierre/wrk/browser/src/browser/browser.zig:323:20: 0x1ae7896 in navigate (lightpanda)
        var resp = try self.session.loader.get(alloc, self.uri);
                   ^
/home/pierre/wrk/browser/src/main.zig:73:19: 0x1ac47a7 in printUsageExit (lightpanda)
    if (res == 1) return error.Usage;
                  ^
/home/pierre/wrk/browser/src/main.zig:339:21: 0x1af0f80 in main (lightpanda)
                    return printUsageExit(opts.execname, 1);
                    ^
run
+- run lightpanda failure
error: the following command exited with error code 1:
/home/pierre/wrk/browser/.zig-cache/o/1883af76469c1c213389d9df4972e355/lightpanda https://self-signed.badssl.com/ 
Build Summary: 2/4 steps succeeded; 1 failed (disable with --summary none)
run transitive failure
+- run lightpanda failure
error: the following build command failed with exit code 1:
/home/pierre/wrk/browser/.zig-cache/o/5dc6dd914e59dde2fe412bf4b82536b2/build /usr/local/zig-0.13.0/zig /home/pierre/wrk/browser /home/pierre/wrk/browser/.zig-cache /home/pierre/.cache/zig --seed 0x52031bc -Z635b739973da1549 run -- https://self-signed.badssl.com/

[steamboatid]

any update on this?

[krichprollsch]

Hello @steamboatid, no update regarding this issue for now.
@karlseguin Do you think there is a way to ignore TLS server certificate verification with tls.zig?

[karlseguin]

For host verification, it's already an option in the http client (we use it for testing, else the tests run too slow to fuzz if we include the host verification). Once #482 is merged, we can expose that setting as a command line argument.

[steamboatid]

For host verification, it's already an option in the http client (we use it for testing, else the tests run too slow to fuzz if we include the host verification). Once #482 is merged, we can expose that setting as a command line argument.

i believe this feature is essentials for other like me who develeop some web app at localhost with self signed cert.
many thanks in advance.

[krichprollsch]

Hello, thanks to #494 the option --insecure_disable_tls_host_verification is now available.
The nightly build will include the change tomorrow.

$ zig build run -- fetch --insecure_disable_tls_host_verification https://self-signed.badssl.com/
debug(cli): Fetch mode: url https://self-signed.badssl.com/, dump false
debug(browser): start js env
debug(browser): setup global env
debug(polyfill): load polyfill-fetch: undefined
debug(browser): inspector context created
debug: Inspector contextCreated called
debug(browser): starting GET https://self-signed.badssl.com/
info(browser): GET https://self-signed.badssl.com/ 200
debug(browser): header content-type: text/html
debug(browser): parse html with charset utf-8
debug(browser): inspector context created
debug: Inspector contextCreated called
debug(browser): wait: OK

[steamboatid]

I can confirm that using nighly builds, the new option is wordked.
tested in my localhost.
./lightpanda fetch --dump --insecure_disable_tls_host_verification https://laku.now

thank you.