Is there a way to bypass WebKit's SSL check? #65

Open
jsoques opened this issue Sep 30, 2021 · 19 comments
Labels
All OS enhancement New feature or request

Comments

@jsoques

jsoques commented Sep 30, 2021

I have a React app and test against a REST API that is on HTTPS with a self-signed certificate just for testing. In Chrome I just set the server's URL insecure content setting to 'allow' so that Chrome permits me to make requests. In Photino I get the following from WebKit's console: Failed to load resource: Unacceptable TLS certificate. Is there a way around this?

@philippjbauer philippjbauer added enhancement New feature or request question Further information is requested labels Oct 7, 2021
@philippjbauer
Member

Hi @jsoques, thank you for submitting this issue.

To be able to help you better can you tell us on which platform you experience this issue?

We are looking into how to add a method to allow insecure certificates. This seems to be a non-trivial issue, judging by our preliminary search into the topic.

@jsoques
Author

jsoques commented Oct 7, 2021

Hello @philippjbauer, yes, I am running the Photino client on a Linux desktop and doing an HTTP request to a .NET Core web API running on Windows 10 on the local network. I can imagine it is non-trivial. Thanks.

@philippjbauer philippjbauer added All OS and removed question Further information is requested labels Oct 14, 2021
@iongion

iongion commented Feb 10, 2023

Any action in this area, anything I can do to help?
I am using https://github.com/FiloSottile/mkcert to generate valid certificates for local development. I am on Linux and it shows the same message.

If it is of any help, I forked SharpWebview and this is what I came up with for Linux to disable it (it does not work for Windows):


        public void DisableTLSErrors()
        {
#if Windows

#else
            const int WEBKIT_TLS_ERRORS_POLICY_IGNORE = 0;
            IntPtr web_context = Bindings.webkit_web_context_get_default();
            IntPtr data_manager = Bindings.webkit_web_context_get_website_data_manager(web_context);
            Bindings.webkit_website_data_manager_set_tls_errors_policy(data_manager, WEBKIT_TLS_ERRORS_POLICY_IGNORE);
#endif
        }

with extra bindings


        [DllImport(DllFile, CallingConvention = CallingConvention.Cdecl)]
        internal extern static IntPtr webkit_web_context_get_default();
        // web_context := C.webkit_web_context_get_default()

        [DllImport(DllFile, CallingConvention = CallingConvention.Cdecl)]
        internal extern static IntPtr webkit_web_context_get_website_data_manager(IntPtr web_context);
        // data_manager := C.webkit_web_context_get_website_data_manager(web_context)

        [DllImport(DllFile, CallingConvention = CallingConvention.Cdecl)]
        internal extern static void webkit_website_data_manager_set_tls_errors_policy(IntPtr data_manager, int flag);
        // C.webkit_website_data_manager_set_tls_errors_policy(data_manager, C.WEBKIT_TLS_ERRORS_POLICY_IGNORE)

image

while in the browser it is accepted as valid without issue

image

@jammerxd
Contributor

jammerxd commented Jan 1, 2024

I'm still having this issue as well.

@philippjbauer
Member

@jammerxd You can set flags and options for the browser control. See this answer here on how to do it. #148 (comment)

You should be able to set --disable-web-security for Windows (from: https://stackoverflow.com/a/67892890)

@jammerxd
Contributor

jammerxd commented Jan 1, 2024

This doesn't work on linux. I get a json parsing error when setting window.SetBrowserControlInitParameters("--ignore-certificate-errors --disable-web-security");

It works for windows, but I need this on linux and osx as well. Testing with Ubuntu 22.04.

I've also tried setting
SetWebSecurityEnabled(false) and SetWebSecurityEnabled(true) to no avail.

I still get "unacceptable TLS certificate"

@philippjbauer
Member

The example shows how to initialize the variable for each system. Each OS needs different ways of setting the options, and the names of the options vary as well.

@jammerxd
Contributor

jammerxd commented Jan 1, 2024

I'm looking at the sample for the TestBench and don't see where it shows on linux how to disable the TLS/SSL security checks.

@philippjbauer
Member

I'm referring to the example in the answer I linked: #148 (comment)

@jammerxd
Contributor

jammerxd commented Jan 1, 2024

I'm trying that setting, and it isn't working at all.

if(RuntimeInformation.IsOSPlatform(OSPlatform.Linux))
{
    window.SetBrowserControlInitParameters(JsonSerializer.Serialize(new
    {
        set_disable_web_security=true
    }));
}

disable-web-security-not-working

@jammerxd
Contributor

jammerxd commented Jan 1, 2024

Additionally, in the 2.5 settings (https://webkitgtk.org/reference/webkit2gtk/2.5.1/WebKitSettings.html), there's no mention of the web security flag.

@jammerxd
Contributor

jammerxd commented Jan 1, 2024

If I try to use the webkit_website_data_manager_set_tls_errors_policy function (https://webkitgtk.org/reference/webkit2gtk/stable/enum.TLSErrorsPolicy.html) I get the following error:

image

@philippjbauer
Member

The web security flag is from here (https://webkitgtk.org/reference/webkit2gtk/stable/property.Settings.disable-web-security.html). The alert informs you that you entered an unsupported option. Maybe try set_tls_errors_policy? I'm not sure if that exists. The different OSs vary widely in what browser controls support to set via these options. If you can't find an option that works, please send us what you're trying to achieve with some sample code so that we can find a more robust solution.

@jammerxd
Contributor

jammerxd commented Jan 1, 2024

set_tls_errors_policy isn't a valid setting. @iongion was onto the right solution.

I'm doing something similar - I have a self-issued ssl certificate I'm using for the website I'm trying to display in the window but as seen above, no matter what I set disable-web-security to (true or false) - the TLS/SSL certificate checks are not disabled.

In the webkit documentation, they don't mention TLS/SSL certificate checks being disabled as part of the disable_web_security flag.

The webkit documentation only mentions TLS/SSL verification being disabled by calling webkit_website_data_manager_set_tls_errors_policy with a value of 0 (ignore all warnings and errors).

My sample code is this:

var window = new PhotinoWindow().SetTitle("Testing Self Signed certs").Center().SetResizable(true).SetSize(1920,1080).Load("https://localhost");

Running at https://localhost I have a sample vuejs app with a self-signed SSL certificate. The warnings are bypassed in windows thanks to the --ignore-certificate-errors flag in chromium.

The docs for webkit_website_data_manager_set_tls_errors_policy are here: https://webkitgtk.org/reference/webkit2gtk/stable/method.WebsiteDataManager.set_tls_errors_policy.html

@jammerxd
Contributor

jammerxd commented Jan 1, 2024

For now, I ended up making a static class and calling into the .so library directly and that seems to have resolved it:

    public class WebKitHelper
    {
#if Linux

        [DllImport("libwebkit2gtk-4.1", CallingConvention = CallingConvention.Cdecl)]
        internal extern static IntPtr webkit_web_context_get_default();
        // web_context := C.webkit_web_context_get_default()

        [DllImport("libwebkit2gtk-4.1", CallingConvention = CallingConvention.Cdecl)]
        internal extern static IntPtr webkit_web_context_get_website_data_manager(IntPtr web_context);
        // data_manager := C.webkit_web_context_get_website_data_manager(web_context)

        [DllImport("libwebkit2gtk-4.1", CallingConvention = CallingConvention.Cdecl)]
        internal extern static void webkit_website_data_manager_set_tls_errors_policy(IntPtr data_manager, int flag);
        // C.webkit_website_data_manager_set_tls_errors_policy(data_manager, C.WEBKIT_TLS_ERRORS_POLICY_IGNORE)
#endif
        public static void DisableTLSErrors()
        {
#if Linux
            const int WEBKIT_TLS_ERRORS_POLICY_IGNORE = 0;
            IntPtr web_context = webkit_web_context_get_default();
            IntPtr data_manager = webkit_web_context_get_website_data_manager(web_context);
            webkit_website_data_manager_set_tls_errors_policy(data_manager, WEBKIT_TLS_ERRORS_POLICY_IGNORE);
#endif
        }
    }
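
A narrower alternative to the global policy change above, as an added example that is not part of the thread or of Photino: it leaves certificate validation on and allows one PEM certificate for one host through WebKitGTK's `webkit_web_context_allow_tls_certificate_for_host`. The class name, the `libgio`/`libgobject` library names, and the premise that the window uses the default web context (as the workaround above implies) are assumptions.

```csharp
using System;
using System.Runtime.InteropServices;

// Added example: trust one certificate for one host, keep validation on elsewhere.
public static class WebKitDevCertificate
{
    const string WebKit = "libwebkit2gtk-4.1";    // library name used in the thread
    const string Gio = "libgio-2.0.so.0";         // assumed soname
    const string GObject = "libgobject-2.0.so.0"; // assumed soname
    const int WEBKIT_TLS_ERRORS_POLICY_FAIL = 1;

    [DllImport(WebKit, CallingConvention = CallingConvention.Cdecl)]
    static extern IntPtr webkit_web_context_get_default();

    [DllImport(WebKit, CallingConvention = CallingConvention.Cdecl)]
    static extern IntPtr webkit_web_context_get_website_data_manager(IntPtr context);

    [DllImport(WebKit, CallingConvention = CallingConvention.Cdecl)]
    static extern void webkit_website_data_manager_set_tls_errors_policy(IntPtr manager, int policy);

    [DllImport(WebKit, CallingConvention = CallingConvention.Cdecl)]
    static extern void webkit_web_context_allow_tls_certificate_for_host(IntPtr context, IntPtr certificate, string host);

    [DllImport(Gio, CallingConvention = CallingConvention.Cdecl)]
    static extern IntPtr g_tls_certificate_new_from_file(string file, IntPtr error);

    [DllImport(GObject, CallingConvention = CallingConvention.Cdecl)]
    static extern void g_object_unref(IntPtr obj);

    public static void TrustForHost(string pemPath, string host)
    {
        if (!RuntimeInformation.IsOSPlatform(OSPlatform.Linux)) return;
        // NULL GError**: GLib then reports failure only through the NULL return value.
        IntPtr cert = g_tls_certificate_new_from_file(pemPath, IntPtr.Zero);
        if (cert == IntPtr.Zero)
            throw new InvalidOperationException("Could not load PEM certificate: " + pemPath);
        try
        {
            IntPtr context = webkit_web_context_get_default();
            IntPtr manager = webkit_web_context_get_website_data_manager(context);
            // Every other origin still fails on an invalid certificate.
            webkit_website_data_manager_set_tls_errors_policy(manager, WEBKIT_TLS_ERRORS_POLICY_FAIL);
            webkit_web_context_allow_tls_certificate_for_host(context, cert, host);
        }
        finally { g_object_unref(cert); } // release the reference we own
    }
}
```

Call `TrustForHost` with the path to the development certificate and the exact host string the window loads (for example `localhost`) before calling `Load`, and keep the call out of release builds.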

@philippjbauer
Member

Is there a specific reason why you need to be in an SSL context in your local environment?

This might be worth adding to the official API where it sets the browser control option for Windows, the policy from your example for Linux and however this might work in macOS. Something like PhotinoWindow.SetTlsCheck(true|false).

@jammerxd
Contributor

jammerxd commented Jan 2, 2024

Yes - this call is the only way to disable SSL certificate checks in linux. I cannot issue a valid certificate for localhost. Nor does my scenario allow me to issue a valid SSL certificate (ip addresses cannot be used to get trusted SSL certs)

Additionally on OSX, looks like the only way to disable SSL certificate verification is to use a plist under NSAppTransportationSecurity....though I'm unsure how to apply this...
https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW33

This link may also be helpful:
https://www.browserstack.com/blog/building-secure-native-apps-with-self-signed-ssl-certificates-using-certificate-pinning/

Also this one:
https://bugs.webkit.org/show_bug.cgi?id=140197

I don't typically do development on a mac.

@jammerxd
Contributor

jammerxd commented Jan 4, 2024

I managed to find a fix that works cross-platform and implemented the appropriate flag on all platforms in the native library. Once that's ready, it can be added here.

@MikeYeager
Collaborator

@jammerxd Glad to hear that. We're looking forward to seeing it!
