
Why does allowing --insecure break secure resources?

natevw
I have a page that includes the resource `<link rel="stylesheet" href="https://use.typekit.net/APIKEY.css">` to provide some font faces.

I've run into a surprising issue. If I pass the `--insecure` option to Prince, the load fails and the special fonts don't get used:

Thu Sep 28 15:07:46 2017: loading style sheet: https://use.typekit.net/APIKEY.css
Thu Sep 28 15:07:46 2017: https://use.typekit.net/APIKEY.css: warning: SSL: CA certificate set, but certificate verification is disabled
Thu Sep 28 15:07:46 2017: used font: Times New Roman, Regular
But if I leave the option out, it works just fine!

Thu Sep 28 15:19:34 2017: loading style sheet: https://use.typekit.net/APIKEY.css
Thu Sep 28 15:19:35 2017: loading style sheet: https://p.typekit.net/p.css?s=1&k=…snip…&app=typekit&e=css
Thu Sep 28 15:19:36 2017: used font: Adobe Garamond Pro, Regular
Why would allowing insecure fetches make Prince break when fetching over an already-trusted TLS connection?

(I found an old related thread in http://www.princexml.com/forum/topic/2919/ssl-on-osx-yosemite but it was not answered.)
mikeday
Strange, it looks like in the latter case it's being redirected to a different URL, or importing another style sheet. Maybe you could try running curl on the URL and see what content or redirects it's getting back?
natevw
The file at https://use.typekit.net/APIKEY.css includes this code:

@import url("https://p.typekit.net/p.css?s=1&k=…snip…&app=typekit&e=css");
So it's not a redirect, just an import that gets processed when it successfully loads the first file. So there's nothing unexpected there.

The question is just: why can't prince load `https://use.typekit.net/APIKEY.css` when `--insecure` is set?

You can test it yourself, here just using one of Adobe's own TypeKit keys. Save this as "test_ssl.html":

<!doctype html>
<html><head>
  <title>Test Prince HTTPS loading</title>
  <link rel="stylesheet" href="https://use.typekit.com/glm4yoq.css">
</head><body>
  <span style="font-family: adobe-clean">Testing 123</span>
</body></html>
If you run just plain `prince test_ssl.html`, it outputs a PDF with the "Adobe Clean" sans serif font. There are no HTTPS issues, the cert is valid, etc. etc. No surprises there.

But if you run `prince --insecure test_ssl.html` it gives the "CA certificate set, but certificate verification is disabled" warning and the resulting PDF just falls back to Times New Roman or some similar serif font.

It's almost like allowing insecure resources means anything loaded over HTTPS has to have a bad certificate or something?

Edited by natevw

natevw
So I tweaked my example to test my theory:

<!doctype html>
<html><head>
  <title>Test Prince HTTPS loading</title>
  <link rel="stylesheet" href="https://use.typekit.com/glm4yoq.css">
</head><body>
  <span style="font-family: adobe-clean">Testing 123</span>
  <img src="https://wrong.host.badssl.com/icons/icon-red.png">
</body></html>
Without anything, the font loads as before but the image gets blocked as expected since that BadSSL subdomain has an intentionally broken certificate.

With --insecure, the font fails to load AND the image STILL fails to load!
So it basically seems like --insecure is just completely broken, unless I misunderstand its purpose? Docs just say:

--insecure
Disable SSL verification (not recommended).
…so I guess technically SSL verification gets "disabled" but not in the way I would expect. I thought it would allow any SSL resources regardless of whether they verified or not. This is what the curl --insecure option does. But in Prince this option seems to just block all SSL?
mikeday
Which platform are you running Prince on?
natevw
This is under macOS 10.11.6 at least.

(The system curl command exhibits the more natural behavior I would expect with its own `--insecure` flag, and I don't see this warning when testing the resources directly with it, so presumably this isn't just an Apple OpenSSL library thing.)

Edited by natevw

mikeday
Do you see a similar issue if you try running Prince on "https://www.princexml.com"?
natevw
I do see the same issue.

When using the --insecure option with the HTTPS scheme, nothing is generated from the Prince homepage:

$ prince --insecure https://www.princexml.com -o test.pdf
prince: https://www.princexml.com/: error: SSL: CA certificate set, but certificate verification is disabled
prince: https://www.princexml.com/: error: could not load input file
prince: error: failed to load all input documents
$ echo $?
1
$ stat test.pdf
stat: test.pdf: stat: No such file or directory
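The log lines quoted in this thread are the only visible evidence of whether a render ran with certificate verification disabled and whether each HTTPS fetch then succeeded. As an added example (not code from the thread or from Prince), the following parser reads Prince-style log output, both the timestamped form and the `prince: <url>: <level>: <message>` form, and reports which URLs were fetched with verification disabled, which failed to load, and which fonts were actually used. The sample log is constructed from lines in this thread; the line formats are assumed from those samples only.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, shaped like the Prince log lines quoted in this thread.
SAMPLE_LOG = """\
Thu Sep 28 15:07:46 2017: loading style sheet: https://use.typekit.net/APIKEY.css
Thu Sep 28 15:07:46 2017: https://use.typekit.net/APIKEY.css: warning: SSL: CA certificate set, but certificate verification is disabled
Thu Sep 28 15:07:46 2017: used font: Times New Roman, Regular
prince: https://www.princexml.com/: error: SSL: CA certificate set, but certificate verification is disabled
prince: https://www.princexml.com/: error: could not load input file
prince: error: failed to load all input documents
"""

# Two line prefixes seen in the thread: "Thu Sep 28 15:07:46 2017: ..." and "prince: ...".
TIMESTAMPED = re.compile(r"^\w{3} \w{3} +\d+ [\d:]+ \d{4}: (.*)$")
PREFIXED = re.compile(r"^prince: (.*)$")
# After the prefix, resource messages look like "<url>: <warning|error>: <message>".
RESOURCE_MSG = re.compile(r"^(https?://\S+): (warning|error): (.*)$")
VERIFY_DISABLED = "certificate verification is disabled"


@dataclass
class Event:
    url: Optional[str]   # None for messages not tied to a resource
    level: str           # "info", "warning" or "error"
    message: str


def parse_line(line: str) -> Optional[Event]:
    """Strip the timestamp or 'prince:' prefix and split out url, level and message."""
    m = TIMESTAMPED.match(line) or PREFIXED.match(line)
    if not m:
        return None  # not a Prince log line
    body = m.group(1)
    r = RESOURCE_MSG.match(body)
    if r:
        return Event(r.group(1), r.group(2), r.group(3))
    if body.startswith(("warning: ", "error: ")):
        level, msg = body.split(": ", 1)
        return Event(None, level, msg)
    return Event(None, "info", body)


def audit(log_text: str) -> dict:
    """Summarise verification-disabled fetches, failed loads and the fonts actually used."""
    report = {"verification_disabled": [], "failed": [], "fonts": []}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        # The thread shows this warning coinciding with the fetch failing on macOS, so its
        # presence is the signal to look for, whatever the final outcome of the load.
        if ev.url and VERIFY_DISABLED in ev.message and ev.url not in report["verification_disabled"]:
            report["verification_disabled"].append(ev.url)
        if ev.url and ev.level == "error" and ev.url not in report["failed"]:
            report["failed"].append(ev.url)
        if ev.message.startswith("used font: "):
            report["fonts"].append(ev.message[len("used font: "):])
    return report
```

Running `audit(SAMPLE_LOG)` on the constructed sample flags both URLs as fetched with verification disabled, lists the princexml.com document as failed, and shows the fallback Times New Roman font rather than the Typekit face.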
natevw
Awaiting confirmation from the ops team, but this does not appear to be broken on our Linux server. The `--insecure` flag does break HTTPS resources on other team members' OS X machines though, so perhaps this is Mac-specific.

(I also noticed there's a separate "Bugs" section of the forum… should/could a moderator move this thread there?)