Want to Ignore invalid certificate of a device
-
@patrickweiden In Windows: add certificate to user certificates manager.
/edit:
Oh, I guess you have no access to the printer's SSL certificate.
PS: You make it easier for helpers if you tell the correct OS and Vivaldi version you use.
-
@DoctorG: Is there any way to just tell the browser "do not care about the certificate and connect me to that site"?
(And sorry, current Vivaldi Snapshot version 5.5.2770.3 (Official Build) (64-bit) in Windows 10 (and 11).)
-
@patrickweiden Wait, I try to test with my router if anything can help.
/edit2: works with parameter for my router and my web server in LAN.
-
@patrickweiden If you get an SSL error page, type blindly after the page appears the word
thisisunsafe
Which error message page do you get with your printer?
-
Looks like the cmd argument was removed:
https://peter.sh/experiments/chromium-command-line-switches/?date=2019-08-13#ignore-certificate-errors
But it still seems to work though, for some reason... strange.
Launching Vivaldi with:
vivaldi.exe --ignore-certificate-errors
And going to:
https://wrong.host.badssl.com
I get directly to the red page.
Latest Stable on Win10 x64.
-
@DoctorG: I tested with another page with an "invalid" certificate (invalid in terms of not-known to Vivaldi) and the screen usually prompting whether to proceed back to safety or to the site did not appear.
With my printer, I seem to have the problem with cipher suites mismatching between the printer and the OS and/or Vivaldi. I get the error code "ERR_SSL_VERSION_OR_CIPHER_MISMATCH". And I did not yet find any suitable solution to let both parts find a matching cipher suite. Hence, for this I need to further use Firefox (and the Chromium bugtracker report to this issue is already about 4 years old and there does not seem to be any progress on letting the user continue to the site even if it is insecure - null cipher)...
The used cipher is TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 with a 256 bit key using TLS 1.2 (tells me Firefox).
-
@Pathduck: This is true for me, too.
-
@patrickweiden Yes, that's not a certificate error. Most likely your device is using an outdated SSL/TLS version no longer supported (SSL, TLS 1.0/1.1).
On BadSSL this is under Key Exchange/Protocol and will still fail with the flag - because it's not a certificate error.
On my local router I can enable SSL for the admin interface, and I have added the self-signed cert to the trusted intermediate cert store for my user.
You can use a tool to find what protocol your device supports:
https://github.com/rbsec/sslscan/releases/
For my router:
SSL/TLS Protocols:
SSLv2 disabled
SSLv3 disabled
TLSv1.0 disabled
TLSv1.1 disabled
TLSv1.2 enabled
TLSv1.3 disabled
So when TLSv1.2 is no longer supported by browsers (not soon) I will no longer be able to use HTTPS to connect.
https://endoflife.software/protocols/encryption/tls
-
@Pathduck: The used cipher is TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 with a 256 bit key using TLS 1.2 (tells me Firefox).
(Why) Is this a bad cipher (256 bit AES in Galois Counter Mode should be OK, maybe SHA384 makes the problem?)?
-
@patrickweiden No, that should be supported by Chrome/Vivaldi.
You can test the browser support for Ciphers here:
https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html
So I don't know what's wrong.
You say it works in FF - what have you changed in FF to make it work? Any about:config values?
Does it work in Chrome/Opera/Brave/Edge?
You might be able to create a log file using:
vivaldi://net-export
Then the log file can be analysed in the Netlog viewer. I recommend closing all opened tabs/using a clean profile when doing this to only catch what you want.
What does OpenSSL say about ciphers/protocols?
openssl s_client -connect host:port
You can get the OpenSSL binary from here if you don't have it: https://wiki.openssl.org/index.php/Binaries
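
Added example, not part of any post in this thread: a Python probe for the distinction drawn above between certificate errors and protocol/cipher errors, to complement the sslscan and openssl s_client checks. It attempts one handshake per TLS version with certificate validation switched off, so a failure here cannot be a certificate problem. The function names `probe` and `diagnose` are the example's own, and the results reflect the local OpenSSL build, not the browser's TLS stack.

```python
import socket
import ssl
import sys

# Only versions a current OpenSSL build will still offer; use sslscan for TLS 1.0/1.1.
VERSIONS = {"TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}


def probe(host, port, version, timeout=5.0):
    """One handshake pinned to a single TLS version, certificate checks off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # diagnostic only: isolates the TLS layer
    ctx.verify_mode = ssl.CERT_NONE     # a self-signed device cert cannot fail it
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("ok", tls.version(), tls.cipher()[0])
    except ssl.SSLError as exc:         # fatal alert from peer or no shared parameters
        return ("handshake_failed", exc.reason or str(exc), None)
    except OSError as exc:              # refused, reset or timed out
        return ("tcp_error", str(exc), None)


def diagnose(host, port, timeout=5.0):
    """Return (per-version results, verdict string)."""
    results = {n: probe(host, port, v, timeout) for n, v in VERSIONS.items()}
    statuses = {r[0] for r in results.values()}
    if "ok" in statuses:
        verdict = "handshake_ok"        # compare version/cipher with the browser's list
    elif "handshake_failed" in statuses:
        verdict = "negotiation_failed"  # certificate settings cannot change this
    else:
        verdict = "tcp_error"
    return results, verdict


if __name__ == "__main__":
    # Usage: python tlsprobe.py <host> <port>
    results, verdict = diagnose(sys.argv[1], int(sys.argv[2]))
    for name, (status, detail, cipher) in results.items():
        print(f"{name}: {status} {detail} {cipher or ''}")
    print("verdict:", verdict)
```

A `negotiation_failed` verdict corresponds to the class of error that `--ignore-certificate-errors` does not cover; `handshake_ok` prints the negotiated version and cipher for comparison with the SSL Labs client test.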
-
@patrickweiden Vivaldi can use this cipher and TLS 1.2. That is not the issue.
-
@patrickweiden ERR_SSL_VERSION_OR_CIPHER_MISMATCH comes from my server, too, if I use only TLS 1.2 + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.
Wait…
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 works only if TLS 1.3 is active, tested with Firefox 103 and Chromium 104!
I fear your printer has an older SSL library which is not compatible with current Mozillas and Chromiums.
-
@patrickweiden One million up votes....
I just downloaded Vivaldi and cannot access the Vivaldi forum using the Vivaldi browser because of certificate errors. I am using the Waterfox browser to write this post.
It is a Windows 7 thing for me. If I boot to 10 I do not get any errors. Windows 10 sucks so bad I would rather deal with the errors.
Chris
-
@chris21224 You should enable TLS 1.2 to visit this forum. Perhaps your Windows 7 has not updated its certificate store.
-
Oh, I see that the forum is protected by Cloudflare and a certificate from CF. I do not know if Cloudflare breaks users' SSL connection.
@chris21224 @patrickweiden
Feel free to report it as an issue for product "vivaldi.net website" at report bug to Vivaldi tracker, an admin will check it.
Sorry for the inconvenience.
-
@DoctorG said in Want to Ignore invalid certificate of a device:
@patrickweiden Vivaldi can use this cipher and TLS 1.2. That is not the issue.
Well, that Vivaldi can use it I just recently verified with SSLLabs:
Unfortunately, Vivaldi cannot connect to the printer:
Fortunately, Firefox (Nightly, current version) can:
What I currently use to start my Vivaldi Snapshot, is the following line:
Vivaldi_Snapshot\Application\vivaldi_proxy.exe --profile-directory=Default --debug-packed-apps --silent-debugger-extension-api --process-per-site --enable-quic --quic-version=h3-29 --ignore-certificate-errors
Maybe it is the QUIC protocol which makes some trouble here??
@Pathduck: I am not aware of any "(HTTPS-/SSL-/TLS-)security-related" changes in about:config or any other FF config except enabling TLS1.3 some time ago. The only thing I needed to do was to make a "security exception" to allow me to enter the site. From then on, I could open the page.
Any other Chromium-based browsers (Edge, Brave, Chrome) that I tried did not work either. All report the exact same problem.
On my Windows 10 machine, according to the Internet Settings (via IE), TLS 1.1 and TLS 1.2 are enabled, TLS 1.3 is disabled (by GPO of my company).
On my private laptop running Windows 11, I will check in some minute what is enabled and what not.
/edit: According to the Internet Options on my Windows 11 machine, TLS 1.2 and TLS 1.3 are enabled, SSL 3.0, TLS 1.0 and TLS 1.1 are all disabled.
-
@DoctorG said in Want to Ignore invalid certificate of a device:
@patrickweiden ERR_SSL_VERSION_OR_CIPHER_MISMATCH comes from my server, too, if I use only TLS 1.2 + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.
Wait…
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 works only if TLS 1.3 is active, tested with Firefox 103 and Chromium 104!
I fear your printer has an older SSL library which is not compatible with current Mozillas and Chromiums.
Well, my FF tells me that the connection is using that cipher with TLS 1.2. (See screenshot in my last post.) So, what am I supposed to do? In Vivaldi I cannot even see any sort of ciphers being tried. In the Network section in the Developer Tools I can also only see the following:
So, I am open for further discussions. I will also try to get a log file in order to hopefully get more information about the network request and answer...
-
Please tell me how I can provide you with a "short log export". I already did a mostly short log export with all relevant information trivially visible (but everything else being stripped), but it is too long to post here. How can I provide you a log file for further analysis?
-
@patrickweiden said in Want to Ignore invalid certificate of a device:
Vivaldi_Snapshot\Application\vivaldi_proxy.exe --profile-directory=Default --debug-packed-apps --silent-debugger-extension-api --process-per-site --enable-quic --quic-version=h3-29 --ignore-certificate-errors
First of all, why are you calling vivaldi_proxy instead of vivaldi.exe directly?
And yes, remove the QUIC flags, do you even know why you have those? QUIC has been enabled by default for a very long time now, no need to enable with flags.
And what's that --process-per-site about? You really shouldn't run experimental cmd switches without being 100% sure what good they do. Documentation for the switch says: "You probably want the other one."
https://peter.sh/experiments/chromium-command-line-switches/#process-per-site
It certainly doesn't hurt to remove them for testing and that's one of the first things I would've done. Everything that differs from defaults are potential error causes.
Also:
- Have you tried Vivaldi in a clean profile to exclude any other flags you've messed with or installed extensions causing problems?
- Google the make and model of your device and the error message to see if anyone else has had the same problem?
- Run the sslscan and openssl tests to get some details on what exactly that device is using/supporting.
- Get a net-export log and analyse the requests for details about the protocol used.
- This looks like it's a Standalone install? Try a Stable install instead of Snapshot, it also works as a clean profile test of course.
-
@patrickweiden said in Want to Ignore invalid certificate of a device:
Please tell me how I can provide you with a "short log export". I al
Not sure what you mean by "short log"? Have you captured a log from vivaldi://net-export? You can analyse it yourself in the netlog viewer, you seem like the technical sort, I'm sure you can understand how it works.
Like I said earlier, to get only data from the device connection you should close all other tabs creating network traffic and focus on recreating just the issue, no other traffic causing an irrelevant mess of logging. Ideally run the capture in a clean profile.
"SOCKET" is the kind of connections you'd be interested in looking at.
The net export log will naturally contain some internal info like IP etc, the "strip private information" option does not remove this. But if you zip and upload it somewhere I can take a look (or DoctorG). Make sure to specify what to look for and relevant timestamps/addresses.