Re: [chromium-dev] SSL certificate cached by Chrome and service worker


Ryan Sleevi

May 30, 2018, 4:19:45 AM
to guillerm...@htmniseko.com, net-dev
bcc: chromium-dev
+net-dev

Chrome does keep the certificate cached as part of its cache entries. If it goes to the network (for example, to reverify the cache), it will update how that entry is reported. However, if it does not have to go to the network to revalidate (perhaps due to Cache API, or perhaps due to Service Workers' refresh period), then you'll get the certificate associated with the network connection the resource was originally received on.

I may have missed some subtlety in your use case, please let me know if that explains it though.

On Wed, May 30, 2018 at 1:42 AM, <guillerm...@htmniseko.com> wrote:
I have a new SSL certificate for my sites, it loads correctly on Chrome for most of my sites except for the one that is using a Service Worker, it keeps loading the old SSL certificate. Does Google Chrome cache the SSL certificate alongside with the Service Worker? 

As long as I manually remove the service worker on my local using DevTools, then on the next refresh I got the new SSL certificate.

--
--
Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev
---
You received this message because you are subscribed to the Google Groups "Chromium-dev" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/b9478b90-f9b7-4837-830c-169143aa2a17%40chromium.org.

guillerm...@htmniseko.com

May 30, 2018, 4:31:12 AM
to Chromium-dev, guillerm...@htmniseko.com, net...@chromium.org, rsl...@chromium.org
So let's say the old certificate will expire tomorrow, then when someone loads the site, will Chrome try to get a new one and will make a request to the server?

Ryan Sleevi

May 30, 2018, 4:35:12 AM
to guillerm...@htmniseko.com, net-dev, Ryan Sleevi
Moving Chromium-dev back to BCC.

If someone loads your site and they've not contacted it before, they will see your new certificate.
If someone loads your site entirely from the disk cache, they will see your old certificate, as that was the certificate used for the cached resource, the same as they'd see the headers used from the disk cache.
If someone loads your site, and it has to make a network request to revalidate the resource as cached on disk, then they will see the new certificate.
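
A service worker that asks the network before its own stored copy takes the third path described above, so the page is reported with the certificate of the current connection. The sketch below is an added example, not code from this thread or from Chromium; `CACHE_NAME`, `networkFirst` and the injected `fetchFn`/`openCache` parameters are names assumed for the illustration.

```javascript
// Added example: network-first fetch strategy for a service worker.
// CACHE_NAME and networkFirst are names assumed for this sketch.
const CACHE_NAME = 'pages-v1';

// Ask the network first. `cache: 'no-cache'` makes the browser revalidate
// its HTTP cache entry with the server instead of answering from disk.
// Only when the network is unreachable is the stored copy served.
async function networkFirst(request, { fetchFn, openCache }) {
  const cache = await openCache(CACHE_NAME);
  try {
    const fresh = await fetchFn(request, { cache: 'no-cache' });
    if (fresh.ok) {
      // Keep an offline copy; it carries the state of this connection.
      await cache.put(request, fresh.clone());
    }
    return { response: fresh, source: 'network' };
  } catch (err) {
    const stored = await cache.match(request);
    if (stored) {
      return { response: stored, source: 'cache-api' };
    }
    throw err; // offline and nothing stored
  }
}

// Wire it up only inside a real service worker.
if (typeof ServiceWorkerGlobalScope !== 'undefined') {
  self.addEventListener('fetch', (event) => {
    if (event.request.method !== 'GET') return;
    event.respondWith(
      networkFirst(event.request, {
        fetchFn: (req, init) => fetch(req, init),
        openCache: (name) => caches.open(name),
      }).then((result) => result.response)
    );
  });
}
```

The `source` field is there so the fallback path can be logged: a response served from `cache-api` is the case where the old certificate keeps being shown.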

PhistucK

May 30, 2018, 7:18:06 AM
to Ryan Sleevi, guillerm...@htmniseko.com, net-dev
So if the cached response indeed has an only-now-expired certificate, will Chrome show a certificate error (back to safety/proceed)?

PhistucK


You received this message because you are subscribed to the Google Groups "net-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to net-dev+u...@chromium.org.
To post to this group, send email to net...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/CACvaWvZeLd4vhsLSTVTBFBogg2%3DQP_u4t5pDqEagOnUaSPewaw%40mail.gmail.com.

Ryan Sleevi

May 30, 2018, 7:32:54 AM
to PhistucK, Ryan Sleevi, guillerm...@htmniseko.com, net-dev
No. We don't re-verify certificates on disk - that would otherwise break offline.


PhistucK

May 30, 2018, 7:34:36 AM
to Ryan Sleevi, guillerm...@htmniseko.com, net-dev
Great. Thank you for clarifying!

PhistucK



guillerm...@htmniseko.com

May 30, 2018, 8:55:56 AM
to Chromium-dev, guillerm...@htmniseko.com, net...@chromium.org, rsl...@chromium.org
Awesome! Thanks for the answer!