Understanding ERR_SSL_CLIENT_AUTH_CERT_NEEDED


Xing Xu

Jul 8, 2021, 6:48:30 PM
to net-dev
Hi,

I'm running an integration test for a Chrome feature using chromedriver. During the test, chromedriver will contact a Google server. That request failed; the error is ERR_SSL_CLIENT_AUTH_CERT_NEEDED in the netlog.

Is this the server complaining that chromedriver has not authenticated itself, or something else? I'm trying to see what the fix is or, even before that, whether the fix should be on the chromedriver side or on that server.

More details:

In the netlog, after the SOCKET event, there is a CERT_VERIFIER_JOB event. I think it is the corresponding SSL error of ERR_SSL_CLIENT_AUTH_CERT_NEEDED. This CERT_VERIFIER_JOB says:

--> cert_status = 4 (AUTHORITY_INVALID)
--> is_issued_by_known_root = false
--> net_error = -202 (ERR_CERT_AUTHORITY_INVALID)
--> public_key_hashes = []
--> scts = {"scts":[]}

Chromedriver has been started with flags "--ignore-certificate-errors" and "--disable-web-security".

Thanks.

Ryan Sleevi

Jul 8, 2021, 7:05:50 PM
to Xing Xu, net-dev
On Thu, Jul 8, 2021 at 6:48 PM 'Xing Xu' via net-dev <net...@chromium.org> wrote:
> Hi,
>
> I'm running an integration test for a Chrome feature using chromedriver. During the test, chromedriver will contact a Google server. That request failed; the error is ERR_SSL_CLIENT_AUTH_CERT_NEEDED in the netlog.
>
> Is this the server complaining that chromedriver has not authenticated itself, or something else?

Yes. This is a server-side issue requesting or requiring a client certificate, and whatever code you have is not providing one (i.e. it's likely using a SimpleURLLoader).
 
> I'm trying to see what the fix is or, even before that, whether the fix should be on the chromedriver side or on that server.

Since I see the @google.com mail, focus on the server. It's almost always a misconfiguration on a Google internal server. Chromium unfortunately has been unable to properly align with the Fetch spec due to widespread misconfigured internal servers (https://crbug.com/775438), but there are ways to configure the server to properly work (with SimpleURLLoader and with other browsers).

There are also two (unfortunately restricted) bugs - https://crbug.com/1221562 and https://crbug.com/1221565 - that provide a little more detail. The TL;DR is that the flag that was added to support Google internal teams for testing with servers that require client certificates ("--ignore-urlfetcher-cert-requests") regressed earlier this year, and was only just noticed. It's not actively being worked on, as it was always meant as a "short-term hack" until these servers could be updated, but it's why there's not a quick-and-easy fix. If it's important to your workflow, https://crbug.com/1221562 has some suggestions on what could be done to restore the hack, but focusing on the server would be better.

This is largely an artifact of how client certificates do not, and have never, worked that great with the Web Platform. They are best avoided entirely, because they're somewhat fundamentally counter to the architecture of the Web (Request/Response flows), and interfere with protocols like HTTP/2 and HTTP/3 in practice.
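
As an added example (not part of the thread, and not Chromium code): a short Python triage of a NetLog export that separates the two errors mentioned above, the server-certificate validation failure (-202) reported by CERT_VERIFIER_JOB and the client-certificate request (-110, ERR_SSL_CLIENT_AUTH_CERT_NEEDED). The sample log, its numeric ids and the SSL_CONNECT event name are constructed for illustration.

```python
import json

# Constructed, trimmed sample in the constants/events layout of a NetLog JSON
# export. Numeric ids, source ids and event names other than CERT_VERIFIER_JOB
# are assumptions made for this example.
SAMPLE_NETLOG = json.loads("""
{
  "constants": {
    "logEventTypes": {"CERT_VERIFIER_JOB": 1, "SSL_CONNECT": 2},
    "netError": {"ERR_SSL_CLIENT_AUTH_CERT_NEEDED": -110,
                 "ERR_CERT_AUTHORITY_INVALID": -202}
  },
  "events": [
    {"source": {"id": 41}, "type": 1,
     "params": {"cert_status": 4, "is_issued_by_known_root": false, "net_error": -202}},
    {"source": {"id": 40}, "type": 2, "params": {"net_error": -110}},
    {"source": {"id": 40}, "type": 2, "params": {}}
  ]
}
""")

def classify(net_error):
    """Map a Chromium net error code to the side of the handshake it concerns."""
    if net_error == -110:            # ERR_SSL_CLIENT_AUTH_CERT_NEEDED
        return "client-auth"         # server asked for a client certificate, none sent
    if -299 <= net_error <= -200:    # Chromium's certificate-error range
        return "server-cert"         # validation of the server's own chain failed
    return "other"

def triage(netlog):
    """Return one finding per event that carries a negative net_error."""
    consts = netlog.get("constants", {})
    type_names = {v: k for k, v in consts.get("logEventTypes", {}).items()}
    err_names = {v: k for k, v in consts.get("netError", {}).items()}
    findings = []
    for event in netlog.get("events", []):
        err = (event.get("params") or {}).get("net_error")
        if not isinstance(err, int) or err >= 0:
            continue
        findings.append({
            "source": event.get("source", {}).get("id"),
            "event": type_names.get(event.get("type"), str(event.get("type"))),
            "error": err_names.get(err, str(err)),
            "kind": classify(err),
        })
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_NETLOG):
        print(f"source {f['source']}: {f['event']} -> {f['error']} ({f['kind']})")
```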