Bug 155132

Summary: Regression tests cannot load video over HTTPS with self-signed certificate
Product: WebKit
Reporter: Daniel Bates <dbates>
Component: Tools / Tests
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: ap, eric.carlson, hector_i_lopez, jer.noble, lforschler, tsavell, webkit-bug-importer, youennf
Priority: P2
Keywords: InRadar
Version: WebKit Local Build
Hardware: All
OS: All
Attachments:
Description Flags
Patch none

Description Daniel Bates 2016-03-07 13:51:47 PST
The test LayoutTests/http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star.html, included in the attachment #273068 [details] (bug #154122), fails when run using run-webkit-tests on OS X 10.11.3 (15D19) with the following console output:

3/7/16 1:49:58.938 PM com.apple.WebKit.WebContent.Development[63455]: NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
3/7/16 1:49:58.940 PM com.apple.WebKit.WebContent.Development[63455]: [13:49:58.940] HTTPRequest figHttpRequestDidFailCallback: Network error: domain=kCFErrorDomainCFNetwork, code=-1202, Error Domain=kCFErrorDomainCFNetwork Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “127.0.0.1” which could put your confidential information at risk." UserInfo={NSErrorFailingURLStringKey=https://127.0.0.1:8443/media-resources/content/test.mp4, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFNetworkCFStreamSSLErrorOriginalValue=-9813, kCFStreamPropertySSLPeerCertificates=(
    "<SecCertificate 0x7fd872b85bc0 [0x7fff7ae80440]>"
), _kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrust 0x7fd872b87310 [0x7fff7ae80440]>, NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “127.0.0.1” which could put your confidential information at risk., _kCFStreamErrorDomainKey=3, NSErrorFailingURLKey=https://127.0.0.1:8443/media-resources/content/test.mp4, _kCFStreamErrorCodeKey=-9813} for https://127.0.0.1:8443/media-resources/content/test.mp4

Notice that the certificate for https://127.0.0.1:8443 is a self-signed certificate.
Comment 1 youenn fablet 2016-07-08 06:00:22 PDT
The same problem happens for some web-platform-tests tests, for instance imported/w3c/web-platform-tests/fetch/api/cors/cors-basic.html

The stderr is:
2016-07-08 14:45:32.887 com.apple.WebKit.Networking.Development[83486:12370795] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
2016-07-08 14:45:32.907 com.apple.WebKit.Networking.Development[83486:12370795] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
2016-07-08 14:45:32.911 com.apple.WebKit.Networking.Development[83486:12370795] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)

I tried using testRunner.setAllowsAnySSLCertificate.
It seems to work only for DRT, not WTR. Is this a known bug?

Web-platform-tests server is now always reusing the same certificate, like httpd.
Maybe there is a way to register wpt and httpd certificates to DRT and WTR?
Comment 2 Alexey Proskuryakov 2016-07-08 09:42:31 PDT
> It seems to work only for DRT, not WTR. Is this a known bug?

Yes. The good news is that it should work on macOS Sierra.

The way it works is that in DumpRenderTree, we set a global NSURLConnection setting (via +[NSURLRequest setAllowsAnyHTTPSCertificate:forHost:]), so any loads in the process are affected by it. In WebKitTestRunner, we use a proper delegate based solution, but that means that only network loads performed by WebKit are affected. Media loads used to bypass WebKit.
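
The stderr quoted in the description and in comment 1 can be triaged mechanically. The following is an added example, not part of the original thread or of WebKit's tooling: it extracts each "HTTP load failed" line, decodes the Secure Transport code, and counts failures per WebKit process, which shows whether the failing load was issued by the WebContent or the Networking process. The function names and the shortened sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Secure Transport (SecureTransport.h) certificate-related result codes.
SSL_CODES = {
    -9807: "errSSLXCertChainInvalid",
    -9812: "errSSLUnknownRootCert",
    -9813: "errSSLNoRootCert",  # the code seen in this bug's logs
    -9814: "errSSLCertExpired",
}

# Constructed sample: lines taken or shortened from the stderr quoted in the thread.
SAMPLE_LOG = """\
3/7/16 1:49:58.938 PM com.apple.WebKit.WebContent.Development[63455]: NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
2016-07-08 14:45:32.887 com.apple.WebKit.Networking.Development[83486:12370795] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
2016-07-08 14:45:32.907 com.apple.WebKit.Networking.Development[83486:12370795] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
2016-07-08 14:45:33.000 com.apple.WebKit.Networking.Development[83486:12370795] unrelated message
"""

# Handles both log prefixes seen in the thread: "[pid]:" and "[pid:thread]".
LOAD_FAILED = re.compile(
    r"com\.apple\.WebKit\.(?P<process>\w+)\.Development\[(?P<pid>\d+)[^\]]*\]:?\s+"
    r"NSURLSession/NSURLConnection HTTP load failed "
    r"\((?P<domain>\w+), (?P<code>-?\d+)\)"
)

def parse_failures(log_text):
    """Return one dict per TLS 'HTTP load failed' line, with the decoded code."""
    failures = []
    for line in log_text.splitlines():
        m = LOAD_FAILED.search(line)
        if not m or m["domain"] != "kCFStreamErrorDomainSSL":
            continue
        code = int(m["code"])
        failures.append({
            "process": m["process"],
            "pid": int(m["pid"]),
            "code": code,
            "meaning": SSL_CODES.get(code, "unknown"),
        })
    return failures

def failures_by_process(failures):
    """Count certificate failures per WebKit process (WebContent, Networking, ...)."""
    return Counter(f["process"] for f in failures)

if __name__ == "__main__":
    for process, count in failures_by_process(parse_failures(SAMPLE_LOG)).items():
        print(f"{process}: {count} TLS load failure(s)")
```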
Comment 3 youenn fablet 2016-08-04 23:34:49 PDT
I hit this bug again as part of bug 160445.
Comment 4 Hector Lopez 2020-07-16 11:36:31 PDT
Created attachment 404471 [details]
Patch
Comment 5 Truitt Savell 2020-07-16 11:45:11 PDT
This test http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star.html is passing on all of Mac according to history:
https://results.webkit.org/?suite=layout-tests&test=http%2Ftests%2Fsecurity%2FcontentSecurityPolicy%2Fvideo-with-https-url-allowed-by-csp-media-src-star.html

We are removing the expectations.
Comment 6 EWS 2020-07-16 12:05:00 PDT
Committed r264472: <https://trac.webkit.org/changeset/264472>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 404471 [details].
Comment 7 Radar WebKit Bug Importer 2020-07-16 12:05:18 PDT
<rdar://problem/65681397>