Skip proxies with MITM root certificates by setting RUSTUP_USE_UNSAFE_SSL env var #1624
Conversation
|
Firstly, thank you for contribution to However If others feel that this is worthwhile then I will not block the functionality. Given that, before we can accept your change we'll need a few things doing:
|
|
@kinnison I agree that fixing the root certificates is fundamentally the better option, but on Windows they are extremely flaky. Browsers work fine, but maven and curl, for example, can't pick our corporate root certificate and must be fed a custom keystore. In addition, curl must be given all certificates at once (you can append certificates to reqwest), so with a proxy that sometimes uses the original and sometimes the corporate certificate managing the keystores is a real pain. Regarding the todo list, I am not even sure how to test this. The test should basically self-sign a TLS certificate, spin up an HTTPS server and then test the connection, shouldn't it? |
|
Okay, I understand the pain, I guess I forget how Windows can muck things up. Regarding the test, sadly currently we use |
|
An update on the unit testing. Unfortunately, hyper doesn't support TLS on its server, so I went looking for another one. tiny_http does, but the support is broken, I had to build it from some fork that has a pending unmerged fix. I'm pushing the fix mostly to check it against Travis CI, please don't merge it until I replace the server with a proper crate. If you have any advice, I'll eagerly welcome it. |
orthoxerox
force-pushed
the
mitm-proxy
branch
2 times, most recently
from
6132786 to
22c2e22
Compare
|
Well, that was quite a ride. After wrangling with error messages for types that were six lines long I've managed to replace my unit tests with something that needs only tokio. I think this PR is now ready for review. |
|
@orthoxerox thanks for that, I've been busy with work but I'll endeavour to give this a proper review within the next few days. |
orthoxerox
force-pushed
the
mitm-proxy
branch
from
22c2e22 to
1e6c852
Compare
|
@kinnison Thanks, I've updated the unit test to look less like "my first Tokio program". |
|
|
||
| if [ -n "$RUSTUP_USE_UNSAFE_SSL" ]; then | ||
| _curl_unsafe = "--insecure" | ||
| _wget_unsafe = "--no-check-certificate" |
There was a problem hiding this comment.
Are these long options reliable for all implementations of wget? E.g. does BSD have different arguments? I'll be satisfied if you say "yes" but I'd like to ensure you've checked.
There was a problem hiding this comment.
AFAIK wget is a GNU program, not a POSIX command that is different on other UNIX-like OSes. NetBSD, of example, works with wget 1.17, and this option has been there since 1.10
Basically, the answer is yes.
There was a problem hiding this comment.
BusyBox uses a non-standard wget. For instance: the -N flag does not exist in BusyBox wget. So one should not assume a single implementation of wget, nor that they all work the same.
| @@ -23,6 +22,7 @@ pub fn file_contents(path: &Path) -> String { | |||
| result | |||
| } | |||
|
|
|||
| #[allow(dead_code)] | |||
There was a problem hiding this comment.
This seems like an unusual allow() to have here, under what circumstances is it needed?
There was a problem hiding this comment.
cargo test warns I don't use this function in my test files.
There was a problem hiding this comment.
If you don't use it, should we remove it rather than leave it there? Or is there perhaps one more test which could be added to make it not-dead code?
There was a problem hiding this comment.
This support file is used by both my tests and the existing tests that test partial downloads. I could split it, but it would duplicate the rest of the code.
|
I've pushed the requested fixes. Should I keep them as a separate commit, or should I squash them? |
orthoxerox
force-pushed
the
mitm-proxy
branch
from
3baded2 to
4012a2f
Compare
Added RUSTUP_USE_UNSAFE_SSL environment variable.
orthoxerox
force-pushed
the
mitm-proxy
branch
from
4012a2f to
946632f
Compare
|
All squashed and ready. |
|
☔ The latest upstream changes (presumably #1643) made this pull request unmergeable. Please resolve the merge conflicts. |
|
I would personally consider this a pretty delicate change for the obvious security implications. Cargo for example currently does not provide this functionality. I am not certain we want to merge this and it may wish for more discussion than just a PR |
|
Yeah, I'm pretty uncomfortable about this. I would want somebody knowledgeable about the security implications to weigh in on the pros and cons |
|
@alexcrichton Both cargo and maven allow the user to specify a custom certificate bundle and are still a major pain to use on my employer's network. It's not their fault, of course, but I think cargo would be better served by supporting custom repositories and obtaining Artifactory/Nexus support, as that's the best way to get maven to work, for example. Coming back to rustup, your corporate PC is already fully controlled by your employer. If you cannot trust them not to tinker with your downloads, you shouldn't work for them at all, as they can tinker with them any time they want. |
|
@orthoxerox yeah I think it's a missing feature that you can't switch the certificates in rustup, but rustup should remain consistent with Cargo in whether it allows ignoring SSL cert verification entirely. |
|
cc @rust-lang/cargo and @rust-lang/dev-tools: if anyone has any expertise and/or a strong opinion on this change (and its relation to cargo) please let us know if you're for or against this change. |
|
I'm really uncomfortable with the idea of passing |
|
I'm a bit confused on the fundamental issue. If the proxy is requiring a custom cert, does rustup not provide a way to use the system's local cert db? I was under the impression that curl uses the platform's native cert store for every platform. |
|
Hi, I'm new to rust but have a history as a security reviewer including codiscovering RCE in OpenSSL. I do not think this patch is a good idea. Instead of trusting a corporate proxy it throws the barn door wide open: any possible MITM can start futzing with stuff. I would prefer to figure out why curl is not using the system trust store (a journey that is likely to be quite wonderful and hairy) and ensure it does. |
|
(for context, given that this is blocked on security issues, I invited Rusty folks from a security community I participate in to add their two cents) |
|
@wbl Thank you for your joining the conversation, and thanks @Manishearth for inviting you. I agree that it's definitely better to find a way to not need this. We recently switched from curl by default to reqwest by default. I wonder if there's a good way to improve matters via that perhaps? |
|
Hi, coming here after the weekly meeting. I have two points to raise here. Firstly, made already, disabling SSL verification is a significant risk even in a corp environment, lets not do that to our users. Permitting adding an additional root is much more modest. Secondly, re @wbl's 'why isn't the default trust store used' - long historical reasons, heck, even today the rust openssl crate, which depends on Vcpkg installed OpenSSL (vcpkg being MS maintained) still uses its own trust store by default, and AIUI every application still needs to do its own glue code like so - https://stackoverflow.com/questions/9507184/can-openssl-on-windows-use-the-system-certificate-store - to integrate in. Its possible that rustup 'just' needs such glue to get us to using the system store here, in which case great. But, I would argue that permitting customisation of certificate stores is common across many many HTTP using tools - curl, wget, kubectl, the openstack clients etc etc etc. It permits running isolated environments side by side with no crosstalk concerns simply by providing different security contexts, and insisting that the system security store be the only store isn't a very strong argument IMO. |
|
I have strat Tor ( service tor start ) of course after installing the Tor. |
|
I'll close this PR since this is not the preferred solution. If I or anyone else comes up with a better fix, it should be a separate PR. |
Of course, importing the actual root certificate would be better, but since this option will be used for corporate proxies like in #1542 and some proxies MITM only some URLs and curl can only replace root certificate bundles, I think it should be sufficient.