Want to Ignore invalid certificate of a device
-
@blackreaperr + @LonM: For me the switch "--ignore-certificate-errors" does not work either. Has there anything been changed or this variable been removed from Chromium and/or Vivaldi?
-
@patrickweiden said in Setting to Ignore Invalid/Missing SSL Certificates:
For me the switch "--ignore-certificate-errors" does not work either.
That command line parameter does not catch all problems of SSL connections.
How did you test that?
Has there anything been changed or this variable been removed from Chromium and/or Vivaldi?
Which Vivaldi version?
How do you add the parameter?
-
@DoctorG: I tested it myself with a local printer which offers a certificate not known to my OS and Vivaldi Snapshot (current version).
Can you tell me how I can tell Vivaldi to accept any certificate I would like to (whether invalid, valid and unknown, no certificate at all, etc.)? Thank you!
-
@patrickweiden In Windows: add certificate to user certificates manager.
/edit:
Oh, I guess you have no access to the printer's SSL certificate.
PS: You make it easier for helpers if you tell the correct OS and Vivaldi version you use.
-
@DoctorG: Is there any way to just tell the browser "do not care about the certificate and connect me to that site"?
(And sorry, current Vivaldi Snapshot version 5.5.2770.3 (Official Build) (64-bit) in Windows 10 (and 11).)
-
@patrickweiden Wait, I try to test with my router if anything can help.
/edit2: works with parameter for my router and my web server in LAN.
-
@patrickweiden If you get an SSL error page, type blindly after the page appears the word
thisisunsafe
Which error message page do you get with your printer?
-
Looks like the cmd argument was removed:
https://peter.sh/experiments/chromium-command-line-switches/?date=2019-08-13#ignore-certificate-errors
But it still seems to work though, for some reason... strange.
Launching Vivaldi with:
vivaldi.exe --ignore-certificate-errors
And going to:
https://wrong.host.badssl.com
I get directly to the red page.
Latest Stable on Win10 x64.
-
@DoctorG: I tested with another page with an "invalid" certificate (invalid in terms of not-known to Vivaldi) and the screen usually prompting whether to proceed back to safety or to the site did not appear.
With my printer, I seem to have the problem with cipher suites mismatching between the printer and the OS and/or Vivaldi. I get the error code "ERR_SSL_VERSION_OR_CIPHER_MISMATCH". And I did not yet find any suitable solution to let both parts find a matching cipher suite. Hence, for this I need to further use Firefox (and the Chromium bugtracker report to this issue is already about 4 years old and there does not seem to be any progress on letting the user continue to the site even if it is insecure - null cipher)...
The used cipher is TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 with a 256 bit key using TLS 1.2 (tells me Firefox).
-
@Pathduck: This is true for me, too.
-
@patrickweiden Yes, that's not a certificate error. Most likely your device is using an outdated SSL/TLS version no longer supported (SSL, TLS 1.0/1.1).
On BadSSL this is under Key Exchange/Protocol and will still fail with the flag - because it's not a certificate error.
On my local router I can enable SSL for the admin interface, and I have added the self-signed cert to the trusted intermediate cert store for my user.
You can use a tool to find what protocol your device supports:
https://github.com/rbsec/sslscan/releases/
For my router:
SSL/TLS Protocols:
SSLv2 disabled
SSLv3 disabled
TLSv1.0 disabled
TLSv1.1 disabled
TLSv1.2 enabled
TLSv1.3 disabled
So when TLSv1.2 is no longer supported by browsers (not soon) I will no longer be able to use HTTPS to connect.
https://endoflife.software/protocols/encryption/tls
-
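Added example, not part of any post in this thread: a small Python check that separates the two failure classes discussed above, a certificate that fails validation (the only thing `--ignore-certificate-errors` affects) versus a handshake that fails during protocol/cipher negotiation. It uses Python's own OpenSSL build, so the result describes the device as seen by that client, not by Chromium's TLS stack; the function names and the host/port arguments are assumptions made for the example.

```python
import socket
import ssl


def handshake(host, port, verify, timeout=5.0):
    """Complete one TLS handshake; return (protocol, cipher) or raise."""
    ctx = ssl.create_default_context()
    if not verify:
        # Diagnostic only: accept any certificate, so a failure here can
        # only come from protocol/cipher negotiation or the network.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


def classify(host, port=443):
    """Return (category, detail); category is one of
    'ok', 'certificate', 'handshake', 'unreachable'."""
    # Pass 1: certificate checks off. If this fails, ignoring
    # certificate errors in a browser cannot help either.
    try:
        proto, cipher = handshake(host, port, verify=False)
    except (ssl.SSLError, ConnectionResetError) as exc:
        return "handshake", str(exc)
    except OSError as exc:
        return "unreachable", str(exc)
    # Pass 2: normal validation. A failure now is a certificate problem
    # (self-signed, wrong host name, expired, unknown issuer).
    try:
        handshake(host, port, verify=True)
    except ssl.SSLCertVerificationError as exc:
        return "certificate", f"{exc.verify_message} ({proto}, {cipher})"
    except ssl.SSLError as exc:
        return "handshake", str(exc)
    except OSError as exc:
        return "unreachable", str(exc)
    return "ok", f"{proto}, {cipher}"


if __name__ == "__main__":
    import sys
    # Usage: python tlscheck.py <host> [port]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(classify(sys.argv[1], target_port))
```

A `certificate` result means importing the device certificate or using the flag can help; a `handshake` result means the negotiation itself has to be fixed on the device or the client.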
@Pathduck: The used cipher is TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 with a 256 bit key using TLS 1.2 (tells me Firefox).
(Why) Is this a bad cipher (256 bit AES in Galois Counter Mode should be OK, maybe SHA384 makes the problem?)?
-
@patrickweiden No, that should be supported by Chrome/Vivaldi.
You can test the browser support for Ciphers here:
https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html
So I don't know what's wrong.
You say it works in FF - what have you changed in FF to make it work? Any about:config values?
Does it work in Chrome/Opera/Brave/Edge?
You might be able to create a log file using:
vivaldi://net-export
Then the log file can be analysed in the Netlog viewer. I recommend closing all opened tabs/using a clean profile when doing this to only catch what you want.
What does OpenSSL say about ciphers/protocols?
openssl s_client -connect host:port
You can get the OpenSSL binary from here if you don't have it: https://wiki.openssl.org/index.php/Binaries
-
@patrickweiden Vivaldi can use this cipher and TLS 1.2. That is not the issue.
-
@patrickweiden ERR_SSL_VERSION_OR_CIPHER_MISMATCH comes from my server, too, if I use only TLS 1.2 + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.
Wait…
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 works only if TLS 1.3 is active, tested with Firefox 103 and Chromium 104!
I fear your printer has an older SSL library which is not compatible with current Mozillas and Chromiums.
-
@patrickweiden One million up votes....
I just downloaded Vivaldi and cannot access the Vivaldi forum using the Vivaldi browser because of certificate errors. I am using Waterfox browser to write this post.
It is a Windows 7 thing for me. If I boot to 10 I do not get any errors. Windows 10 sucks so bad I would rather deal with the errors.
Chris
-
@chris21224 You should enable TLS 1.2 to visit this forum. Perhaps your Windows 7 has not updated its certificate store.
-
Oh, I see that the forum is protected by Cloudflare and a certificate from CF. I do not know if Cloudflare breaks users' SSL connection.
@chris21224 @patrickweiden
Feel free to report it as an issue for product "vivaldi.net website" at report bug to Vivaldi tracker, an admin will check it.
Sorry for the inconvenience.
-
@DoctorG said in Want to Ignore invalid certificate of a device:
@patrickweiden Vivaldi can use this cipher and TLS 1.2. That is not the issue.
Well, that Vivaldi can use it I just recently verified with SSLLabs:
Unfortunately, Vivaldi cannot connect to the printer:
Fortunately, Firefox (Nightly, current version) can:
What I currently use to start my Vivaldi Snapshot, is the following line:
Vivaldi_Snapshot\Application\vivaldi_proxy.exe --profile-directory=Default --debug-packed-apps --silent-debugger-extension-api --process-per-site --enable-quic --quic-version=h3-29 --ignore-certificate-errors
Maybe it is the QUIC protocol which makes some trouble here??
@Pathduck: I am not aware of any "(HTTPS-/SSL-/TLS-)security-related" changes in about:config or any other FF config except enabling TLS1.3 some time ago. The only thing I needed to do was to make a "security exception" to allow me to enter the site. From then on, I could open the page.
Any other Chromium-based browsers (Edge, Brave, Chrome) that I tried did not work either. All report the exact same problem.
On my Windows 10 machine, according to the Internet Settings (via IE), TLS 1.1 and TLS 1.2 are enabled, TLS 1.3 is disabled (by GPO of my company).
On my private laptop running Windows 11, I will check in a few minutes what is enabled and what not.
/edit: According to the Internet Options on my Windows 11 machine, TLS 1.2 and TLS 1.3 are enabled, SSL 3.0, TLS 1.0 and TLS 1.1 are all disabled.
-
@DoctorG said in Want to Ignore invalid certificate of a device:
@patrickweiden ERR_SSL_VERSION_OR_CIPHER_MISMATCH comes from my server, too, if I use only TLS 1.2 + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.
Wait…
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 works only if TLS 1.3 is active, tested with Firefox 103 and Chromium 104!
I fear your printer has an older SSL library which is not compatible with current Mozillas and Chromiums.
Well, my FF tells me that the connection is using that cipher with TLS 1.2. (See screenshot in my last post.) So, what am I supposed to do? In Vivaldi I cannot even see any sort of ciphers being tried. In the Network section in the Developer Tools I can also only see the following:
So, I am open for further discussions. I will also try to get a log file in order to hopefully get more information about the network request and answer...