
How to ignore ssl certificate warning or pass a self signed certificate (from inside gruntfile) during accessibility automation?

I am using the grunt-accessibility plugin to automate the reporting of accessibility errors. It works fine normally, but when I try it on a site which has a self-signed certificate (the kind which shows an interim page with some certificate security warning and a link to continue to the site if you still wish to), it reports the error on that interim page itself, which is, of course, an empty page:

<html>
    <head></head>
    <body></body>
</html>

Obviously I want to bypass this interim page and run accessibility on the actual page.

What have I tried?

I had tried the following (found from googling and from other SO's Q&A):

  1. The infamous hack

    npm set strict-ssl false
    
  2. Adding the imported certification path

    npm config set cafile="C:\path\to\cert.cer"
    
  3. Adding process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0" (see Gruntfile below)

From what I gather, grunt-accessibility uses AccessSniff which in turn uses phantomjs. Now, phantomjs has options to ignore such warnings by

--ignore-ssl-errors=[true|false] ignores SSL errors, such as expired or self-signed certificate errors (default is false).

The above are CLI options, which I am not able to pass from Gruntfile.js. Can someone help me resolve this or suggest another approach for the issue?

This is my Gruntfile.js:

module.exports = grunt => {
  process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";

  grunt.initConfig({
    phantomjs: {
      // default: {
        options: {
          "ignore-ssl-errors": true,
          // tested here with different instructions as per comments 
          // below from users on this site, such as
          // "--ignore-ssl-errors": true (-- hyphen)
          // "ignore-ssl-errors": "true" ("true" as string)
          "ssl-protocol": "any",
          "ssl-certificates-path": "C:/path/to/cert.cer"
        }
      // }
    },
    accessibility: {
      options: {
        force: true,
        accessibilityLevel: 'WCAG2AAA',
        browser: true // tested with both true/false, i.e. opt for phantomjs/jsDom
      },
      test: {
        options: {
          urls: ['https://self-signed.badssl.com/']
        },
        src: ['example/test.html']
      }
    }
  });

  grunt.loadNpmTasks('grunt-accessibility');
  grunt.registerTask('default', ['accessibility']);
};

P.S.:

  • test url is an actual self-signed ssl site, so you can copy/paste the above code and test it

  • only dependencies in package.json

    "devDependencies": {
        "grunt": "^1.0.1",
        "grunt-accessibility": "^5.0.0"
    }
    
  • node version v.8.9.0

n4m31ess_c0d3r asked Jan 10 '18 19:01



1 Answer

I don't think you can directly affect how PhantomJS is called from within another Grunt plugin within your own Gruntfile.

If I'm not mistaken, the only solution is to either commit a change to the grunt-accessibility package that passes an ignore-ssl-errors option (in the options you pass to grunt-accessibility) upstream to PhantomJS; or to intercept the call to PhantomJS and inject the ignore-ssl-errors option.

I think the second solution will be the quickest and most expedient. You'd have to either manually modify the entry point (either node_modules/.bin/phantomjs or node_modules/phantomjs/index.js) or write a pre-run script that would modify it. In the modified .js file, you'd inject the ignore-ssl-errors by adding code to the top of the file that appends it to the process.argv array:

process.argv.push("--ignore-ssl-errors=true");

Roy Tinker answered Oct 01 '22 05:10