NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED for old chromium build
244 views
Skip to first unread message
Adnan Ahmed
Jun 21, 2022, 6:58:59 PM6/21/22
to Chromium-dev
Hi all,
For reference, I downloaded the official version of the same chromium version (from https://commondatastorage.googleapis.com/chromium-browser-snapshots/index.html?prefix=Linux_x64/562090/) and I am not running into this certificate issues on the official version.
I am building an old version of chromium for my research. The chromium version I am working with is 69.0.3441.0. I reset to the corresponding commits after checking out the source code and build chromium.
However, when I try to navigate to say https://www.youtube.com, I receive the "NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED" error. Even if I "proceed to the website", the network tab on devtools show a lot of failed requests due to the same error.
I am able to navigate to the website just fine if I launch the browser with --ignore-certificate-errors, but I wanted to understand and fix what's happening here.
For reference, I downloaded the official version of the same chromium version (from https://commondatastorage.googleapis.com/chromium-browser-snapshots/index.html?prefix=Linux_x64/562090/) and I am not running into this certificate issues on the official version.
Can someone please help me with this? I would really appreciate any help
Chris Thompson
Jun 21, 2022, 7:33:28 PM6/21/22
to lumin...@gmail.com, Chromium-dev
My best guess is this is due to you building Chrome with all the official build flags set, and that combined with it being freshly built the Certificate Transparency checks are still enabled. Version 69 would not have the currently used Certificate Transparency logs configured in its source, so it won't be able to successfully check the CT status of the certificate. The official version you linked has an old build date, which will be past the "max build age" we apply for CT checks (for exactly this reason).
I'd suggest either not doing Chrome branded/official builds, or manually patching to disable the CT enforcement in the SystemNetworkContextManager (this section at a CL where this check still existed is here https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/net/system_network_context_manager.cc;l=97;drc=7193afc7d13642a6dd63ee6e0e986664089fd327).
--
--
Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev
---
You received this message because you are subscribed to the Google Groups "Chromium-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/ebfb0f5a-fa77-4670-883f-5d710ed82c86n%40chromium.org.
Adnan Ahmed
Jun 22, 2022, 12:32:37 PM6/22/22
to Chromium-dev, cth...@chromium.org, Chromium-dev, Adnan Ahmed
Hi!
Thanks for responding. I don't think I am doing an official build. The only argument I am modifying is "is_debug"; sometimes to true and false, depending on the situation. I checked the status of flags with "gn args <build-dir> --list" and it seems both is_official_build and is_chrome_branded are set to false.
Thanks for responding. I don't think I am doing an official build. The only argument I am modifying is "is_debug"; sometimes to true and false, depending on the situation. I checked the status of flags with "gn args <build-dir> --list" and it seems both is_official_build and is_chrome_branded are set to false.
About the second suggestion, I am trying to find the corresponding lines of code in the old version of the code base. It seems that the flag that I can manually patch to disable CT enforcement isn't there (or I cannot seem to find it at least).
I was able to look up the commit and here it is: https://source.chromium.org/chromium/chromium/src/+/5fe3482bc5ec97d3721171be765d9974b2a0e97f:chrome/
I would really appreciate it if you could point me to the place where I could disable the Certificate Transparency checks manually by hardcoding a false similar to the place in SystemNetworkContextManager
Thank you so much for the help.
best
Mark Mentovai
Jun 22, 2022, 1:04:00 PM6/22/22
to Adnan Ahmed, Chromium-dev, cth...@chromium.org
The lines that Chris pointed to that only enable certificate transparency (CT) on official Google-branded non-Android builds appeared in 3c9720245e44 (review), 2019-08-29, in version 78.0.3897.0, and in support of bug 973378. As you’re working with a much older version of the codebase (but why?), you won’t have that change, and it’s possible that you’ll have CT enabled.
You may still be able to use the referenced change as a guide to disabling CT, but it might not be in the same place that it was in the 2021-07-15 code snippet that Chris linked to, or in the 2019-08-29 change that limited CT’s application. You’re working with a code snapshot from 2018-05-26, over 6 years old. I doubt anyone here will have a strong memory of precisely which line you’d need to change in a specific version from that long ago. We consider such an old version obsolete, even dangerously so. You might be in for a bit of a hunt.
Mark
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/c3a8a522-9421-4042-9197-2e9d4c7a4867n%40chromium.org.
Adnan Ahmed
Jun 24, 2022, 5:21:58 PM6/24/22
to Chromium-dev, Mark Mentovai, Chromium-dev, cth...@chromium.org, Adnan Ahmed
Hi!
Thank you for the response and the insights.
Part of my research involves building AdGraph (https://github.com/uiowa-irl/AdGraph), which modifies chromium (in the patches folder) to log interactions between JavaScript, Network, and HTML elements. AdGraph is patching the old version of Chromium that I mentioned above and I have been following the instructions on the main page to build it but ran into the issues mentioned above.
Thank you for the response and the insights.
Part of my research involves building AdGraph (https://github.com/uiowa-irl/AdGraph), which modifies chromium (in the patches folder) to log interactions between JavaScript, Network, and HTML elements. AdGraph is patching the old version of Chromium that I mentioned above and I have been following the instructions on the main page to build it but ran into the issues mentioned above.
- git reset --hard c916c273b71b (for src directory) after which the patch.diff is applied
- git reset --hard 44d7d7d6b1 (for v8 directory) after which the v8_patch.diff is applied
I understand that I could probably do some more work to implement similar logic on the later versions of Chromium to dump the same information, but I am not sure how much work that would be and whether it's a worthwhile investment of time.
Since, all of this is primarily for my research and not for any distribution or common use, I am not that concerned with the security aspects (should I be?).
All I need is to load web pages in the AdGraph-enabled (with my own additional instrumentations) Chromium and dump the information for my own research.
Thorium Browser
Jan 13, 2023, 4:30:20 PM1/13/23
to Chromium-dev, lumin...@gmail.com, Mark Mentovai, Chromium-dev, cth...@chromium.org
I found out how to do this. I was building M69 too and came across this error.
One simply needs to modify this line > https://source.chromium.org/chromium/chromium/src/+/refs/tags/69.0.3497.100:chrome/browser/net/default_network_context_params.cc;drc=b63ff0d946a5ad8fb4bda550936d6b3bd4f1c399;l=87
and set enforce_chrome_ct_policy = true; to false i.e. enforce_chrome_ct_policy = false;
Reply all
Reply to author
Forward
0 new messages