Closed Bug 964466 Opened 10 years ago Closed 2 years ago

Add --ignore-certificate-errors command-line option to ignore certificate errors

Categories

(Core :: Security: PSM, defect, P5)


RESOLVED WORKSFORME

People

(Reporter: briansmith, Unassigned)


(Whiteboard: [psm-backlog])

Such a flag is useful for Selenium Webdriver and for WebpageTest.org. These two projects already use this flag when running Chrome when they are configured to ignore certificate errors. See http://peter.sh/experiments/chromium-command-line-switches/#ignore-certificate-errors for a description of the Chrome flag.

The implementation is simple: After calling CertVerifier->VerifyCert, check the result. If the result is SECFailure then, if this flag was passed on the command line, act like the result is SECSuccess.

Importantly, we should NOT skip the call to CertVerifier->VerifyCert, and we should NOT skip any of the other logic in SSLServerCertVerification, *except* for the cert error override processing. We *must* bypass the cert error override mechanism because otherwise WebpageTest and Selenium will be measuring a very slow code path. (The cert error override code path is very slow.)

The hard part is figuring out how to add command-line options to Firefox.

Once this work is done, we can remove the requirement that nsICertOverrideService be used only on the main thread since Selenium won't need it. This will simplify SSLServerCertVerification substantially by removing a bunch of threading code.

In general Firefox command-line handling is at http://mxr.mozilla.org/mozilla-central/source/browser/components/nsBrowserContentHandler.js#336

You can add a new flag there which calls into the security manager to disable cert checking. I'm a little worried about this in case malware changes Firefox shortcuts to pass it by default, though: can we at least make sure that the state of this flag is recorded in FHR, and consider showing a user warning in the larry dialog when this mode is enabled?
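
The shortcut-tampering concern in the comment above can be checked from the detection side. The following is an added example, not part of the bug thread or of Mozilla's code: it triages process command lines for the `--ignore-certificate-errors` switch. The browser executable names, the automation-marker list and the sample events are assumptions constructed for illustration.

```python
import re
import shlex

FLAG = "--ignore-certificate-errors"  # the Chrome switch cited in the bug
# Assumption: executable names treated as browsers in this environment.
BROWSERS = {"chrome", "chrome.exe", "chromium", "firefox", "firefox.exe"}
# Assumption: switches that suggest a test harness started the browser.
AUTOMATION_MARKERS = {"--headless", "--remote-debugging-port", "--enable-automation"}

# Constructed sample events: (host, process command line).
SAMPLE_EVENTS = [
    ("ci-runner-01", "/usr/bin/chromium --headless --remote-debugging-port=9222 "
                     "--ignore-certificate-errors https://localhost:9876/"),
    ("desktop-17", r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                   "--ignore-certificate-errors"),
    ("desktop-22", "/usr/bin/firefox -new-tab https://example.org/"),
    # The flag text inside a URL must not match; only real switches count.
    ("desktop-31", "/usr/bin/chromium https://example.org/?q=--ignore-certificate-errors"),
]


def triage(cmdline):
    """Return None, 'review' or 'high' for one process command line."""
    # posix=False keeps Windows backslashes intact; quotes are stripped by hand.
    tokens = [t.strip("\"'") for t in shlex.split(cmdline, posix=False)]
    if not tokens:
        return None
    exe = re.split(r"[\\/]", tokens[0])[-1].lower()
    if exe not in BROWSERS:
        return None
    # Compare switch names only, so "--flag=value" and "--flag" are equal.
    switches = {t.split("=", 1)[0].lower() for t in tokens[1:] if t.startswith("-")}
    if FLAG not in switches:
        return None
    # Automation markers lower the severity but never suppress the finding.
    return "review" if switches & AUTOMATION_MARKERS else "high"


def scan(events):
    """Return (host, severity) for every event that carries the flag."""
    return [(host, level) for host, cmd in events if (level := triage(cmd))]


if __name__ == "__main__":
    for host, level in scan(SAMPLE_EVENTS):
        print(f"{level:6} {host}")
```
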
If this is a useful feature for web developers, then we should figure out how to support it in a way that's consistent with keeping users safe.

Whiteboard: [psm-backlog]

This is something my team needs, as well. For automated JS testing, we use WebDriver & Karma (https://karma-runner.github.io/1.0/). To test certain features (such as EME), we must use https URLs in Karma, but to do so, we need browsers to ignore errors for Karma's self-signed certificate.

Is anyone working on this feature at the moment?

Same here. We are using casperjs with slimerjs engine and we badly need this to make our tests with self-signed certificate on local and live dev envs. Is there any progress on that?

Selenium/WebDriver now allows you to ignore certificate errors by passing the acceptInsecureCerts capability. See https://developer.mozilla.org/en-US/docs/Web/WebDriver/Capabilities/acceptInsecureCerts

This is currently marked P5. Can we perhaps boost the priority? It would be helpful to many in testing scenarios, and it's been open for 5 years.

WebPageTest now also passes acceptInsecureCerts (as of ~5 minutes ago) so it no longer needs a command-line option.

(In reply to Patrick Meenan from comment #7)

> WebPageTest now also passes acceptInsecureCerts (as of ~5 minutes ago) so it
> no longer needs a command-line option.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME

How does the fact that one site or some testing mode can accept insecure certs help users who want to use the browser to go to locations that use self-signed certs without throwing up an error?
