Investigate loading CA certificates from OS #52880

Closed
chrmarti opened this issue Jun 26, 2018 · 6 comments

@chrmarti
Collaborator

That node module adds the root certificates registered in Windows to node. Node by default only knows a hardcoded set of certificates that is copied from Mozilla: microsoft/vscode-github-issues-prs#28 (comment)

A success story: microsoft/vscode-github-issues-prs#28 (comment)

@joaomoreno joaomoreno added this to the July 2018 milestone Jun 26, 2018
@joaomoreno joaomoreno added feature-request Request for new features or functionality windows VS Code on Windows issues proxy Issues regarding network proxies labels Jun 26, 2018
@joaomoreno
Member

cc @egamma possible plan item

@chrmarti
Collaborator Author

Good old Node.js: This works, except that the https.globalAgent.options.ca is ignored when you pass an agent with the options to https.get/request. In that case you also need to pass the ca with the options. Of course not all node modules (e.g., adal-node for AAD sign-in) allow you to pass options to their requests, but pass an agent themselves.

For testing I used https://github.com/salrashid123/squid_proxy:

docker run  -p 3128:3128 -ti docker.io/salrashid123/squidproxy /apps/squid/sbin/squid -NsY -f /apps/squid.conf.intercept
wget https://raw.githubusercontent.com/salrashid123/squid_proxy/master/CA_crt.pem
curl -v --cacert CA_crt.pem -x localhost:3128  https://www.yahoo.com
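The pitfall described in the comment above, as an added example that is not part of the original thread or of VS Code's code: a request that carries its own agent does not pick up `https.globalAgent.options.ca`, so the CA list has to travel with the options and the agent. It goes one step further than the comment by keeping Node's bundled roots, because an explicit `ca` replaces them. The names `splitPemBundle` and `withExtraCa` are hypothetical, and the sample bundle is constructed placeholder text, not real certificates.

```javascript
'use strict';
const https = require('https');
const tls = require('tls');

// Constructed sample bundle: two placeholder blocks, not real certificates.
const SAMPLE_BUNDLE = [1, 2].map((n) =>
  `-----BEGIN CERTIFICATE-----\nUExBQ0VIT0xERVI${n}\n-----END CERTIFICATE-----`
).join('\n');

// Split a PEM bundle (for example the contents of a proxy's CA file) into
// individual certificate blocks.
function splitPemBundle(bundle) {
  const re = /-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----/g;
  return String(bundle).match(re) || [];
}

// Hypothetical helper: return request options that also trust the extra CAs,
// including when the caller passes its own agent.
function withExtraCa(options, extraCaPem) {
  const extra = splitPemBundle(extraCaPem);
  if (extra.length === 0) {
    throw new Error('extra CA bundle contains no certificate');
  }
  // An explicit `ca` replaces Node's bundled roots instead of extending them,
  // so start from the caller's list if there is one, else from the bundled roots.
  const base = options.ca ? [].concat(options.ca) : tls.rootCertificates;
  const ca = [...base, ...extra];
  // With a custom agent, https.globalAgent.options.ca is not consulted, so the
  // list is set on that agent as well as on the request options.
  const agent = options.agent;
  if (agent && agent !== https.globalAgent && agent.options) {
    agent.options.ca = ca;
  }
  return { ...options, ca };
}

// Usage sketch (no connection is opened here).
function demo() {
  const agent = new https.Agent({ keepAlive: true });
  const opts = withExtraCa({ host: 'proxy-test.invalid', agent }, SAMPLE_BUNDLE);
  return { added: opts.ca.length - tls.rootCertificates.length,
           agentHasCa: agent.options.ca === opts.ca };
}
```

When the caller already pinned its own `ca`, the helper extends that list rather than widening trust to all bundled roots.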

@ejizba

ejizba commented Mar 18, 2019

@chrmarti I tried this on insiders and it made my life so much easier! Thanks!

For context, I was trying to debug something in our Azure extensions with Fiddler, but was getting cert issues since Fiddler inserts a cert to decrypt https traffic. This will definitely help our users as well - we've seen several reports of cert issues in the past.

@chrmarti
Collaborator Author

That's great to hear @EricJizbaMSFT! I'd be very interested in cases where it does not work or even breaks previously working setups. Let me know when you hear about any of these.

@UnwashedMeme

It does not work for me with insiders build

Version: 1.33.0-insider
Commit: 1efaca21afeb983a8efdae6a6b142bd00276c563
Date: 2019-03-20T08:20:09.900Z
Electron: 3.1.6
Chrome: 66.0.3359.181
Node.js: 10.2.0
V8: 6.6.346.32
OS: Linux x64 4.15.0-46-generic

Related to microsoft/vscode-azure-account#89;

I try to create a cloud shell and get

Requesting a Cloud Shell...
Connecting terminal...
Socket error: {"code":"UNABLE_TO_GET_ISSUER_CERT_LOCALLY"}
Socket closed
{ RequestError: Error: unable to get local issuer certificate
    at new i (/home/njbird/.vscode-insiders/extensions/ms-vscode.azure-account-0.8.0/dist/cloudConsoleLauncher.js:221:323298)
    at H.callback (/home/njbird/.vscode-insiders/extensions/ms-vscode.azure-account-0.8.0/dist/cloudConsoleLauncher.js:221:321984)
    at H.e.callback.a.callback [as _callback] (/home/njbird/.vscode-insiders/extensions/ms-vscode.azure-account-0.8.0/dist/cloudConsoleLauncher.js:221:321430)
    at a._callback.a.callback.a.callback (/home/njbird/.vscode-insiders/extensions/ms-vscode.azure-account-0.8.0/dist/cloudConsoleLauncher.js:181:5498)
    at H.emit (events.js:182:13)
    at H.onRequestError (/home/njbird/.vscode-insiders/extensions/ms-vscode.azure-account-0.8.0/dist/cloudConsoleLauncher.js:181:14553)
    at ClientRequest.emit (events.js:182:13)
    at TLSSocket.socketErrorListener (_http_client.js:382:9)
    at TLSSocket.emit (events.js:182:13)
    at emitErrorNT (internal/streams/destroy.js:82:8)
    at emitErrorAndCloseNT (internal/streams/destroy.js:50:3)
    at process._tickCallback (internal/process/next_tick.js:63:19)
  name: 'RequestError',
  message: 'Error: unable to get local issuer certificate',
  cause:
   { Error: unable to get local issuer certificate
       at TLSSocket.onConnectSecure (_tls_wrap.js:1055:34)
       at TLSSocket.emit (events.js:182:13)
       at TLSSocket._finishInit (_tls_wrap.js:635:8) code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY' },
  error:
   { Error: unable to get local issuer certificate
       at TLSSocket.onConnectSecure (_tls_wrap.js:1055:34)
       at TLSSocket.emit (events.js:182:13)
       at TLSSocket._finishInit (_tls_wrap.js:635:8) code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY' },
  options:
   { uri:
      'https://gateway02.eastus.console.azure.com:443/n/cc-b0fbcbde/cc-b0fbcbde/terminals/6548bf76af5cb4f0dc017a6878471e79/size?cols=121&rows=19',
     method: 'POST',
     headers:
      { Accept: 'application/json',
        'Content-Type': 'application/json',
        Authorization:
         'Bearer ...' },
     simple: false,
     resolveWithFullResponse: true,
     json: true,
     callback: [Function],
     transform: undefined,
     transform2xxOnly: false },
  response: undefined }

This is going through a corporate intercepting proxy. It fails whether or not I am explicitly using the proxy on port 3128 or going directly (which is transparently intercepted).

@chrmarti
Collaborator Author

@UnwashedMeme That's the cloudConsoleLauncher.js of Azure Account which doesn't benefit from this change because it runs in a separate process. This is tracked as microsoft/vscode-azure-account#111.

@chrmarti chrmarti added plan-item VS Code - planned item for upcoming and removed feature-request Request for new features or functionality labels Mar 25, 2019
@vscodebot vscodebot bot locked and limited conversation to collaborators May 9, 2019