Azure / azure-iot-explorer

Cross-platform UI for interacting with devices attached to Azure IoT Hub. This tool is meant for learning and testing, not for production environment.
MIT License

Unable to get local issuer certificate #604

Closed vrosu closed 5 months ago

vrosu commented 1 year ago

Describe the bug: I'm trying to add a connection to an existing IoT Hub by adding it as an IoT Hub Connection String. When I click view devices, I automatically see "Failed to retrieve device list: request to https://[redacted]/devices%2Fquery?api-version=2020-09-30 failed, reason: unable to get local issuer certificate"

When examining the TLS certificate presented for that redacted URL, the CAs on top are specific to my organization, and I can't change them.

This error goes away as soon as I disconnect from my work network, and use my mobile hotspot as a connection.

To Reproduce: Steps to reproduce the behavior (reproducible only on my laptop):

  1. Go to 'Iot Hubs'
  2. Click on 'Add Connection String'
  3. Add an iot hub connection string
  4. See the error happening

Expected behavior: I would expect either a way to enable "allow untrusted certificates" or instructions on how to add that root CA.

Screenshots: [image]


ptcalex commented 1 year ago

+1

c031917 commented 1 year ago

This missing feature makes it unusable in any serious enterprise environment. We have a Zscaler proxy which forces us to add its root certificate as a trusted CA to each application if the system settings are ignored, a sort of official man-in-the-middle attack.

vrosu commented 1 year ago

Yep, definitely agree. Tools like this should accommodate today's enterprise IT environment (e.g. reset the assumptions to reality).

rido-min commented 1 year ago

The TLS certificate used by IoT Hub is managed by Microsoft, and should be trusted in any updated OS.

I'm wondering if you are accessing the IoT Hub endpoint through a web proxy with TLS termination. In that case, I would expect your IT admin is adding those certs to your trust store.

From your description it seems like the issue is that IoT Explorer is not able to validate the TLS connection when the certificate is issued by your enterprise CA.

To verify this issue, can you run openssl s_client -connect yourhub.azure-devices.net:443 from inside and outside the corporate network and paste the results here?

Just curious to know if you are using the device SDKs, to understand if you have similar issues from the device side.

c031917 commented 1 year ago

Yes, Zscaler terminates any TLS connection, forcing us to set up every single app to trust the Zscaler Root CA. Some apps use the system key store, some do not. VSCode add-ins often depend on the underlying correct setup of Python or npm. Here are my tests. From a company PC it does not work:

```text
openssl s_client -connect <my hubname here>.azure-devices.net:443
CONNECTED(000001AC)
---
Certificate chain
 0 s:C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = *.azure-devices.net
   i:C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = "Zscaler Intermediate Root CA (zscloud.net) (t) "
 1 s:C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = "Zscaler Intermediate Root CA (zscloud.net) (t) "
   i:C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Intermediate Root CA (zscloud.net), emailAddress = support@zscaler.com
 2 s:C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Intermediate Root CA (zscloud.net), emailAddress = support@zscaler.com
   i:C = US, ST = California, L = San Jose, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Root CA, emailAddress = support@zscaler.com
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = *.azure-devices.net

issuer=C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = "Zscaler Intermediate Root CA (zscloud.net) (t) "

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4494 bytes and written 773 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
```

From a non-company PC this is the result:

```text
openssl s_client -connect <my hubname here>.azure-devices.net:443
CONNECTED(00000003)
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 C = US, O = Microsoft Corporation, CN = MSFT BALT RS256 CA
verify return:1
depth=0 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = *.azure-devices.net
verify return:1
---
Certificate chain
 0 s:C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = *.azure-devices.net
   i:C = US, O = Microsoft Corporation, CN = MSFT BALT RS256 CA
 1 s:C = US, O = Microsoft Corporation, CN = MSFT BALT RS256 CA
   i:C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = *.azure-devices.net

issuer=C = US, O = Microsoft Corporation, CN = MSFT BALT RS256 CA

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4093 bytes and written 496 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-SHA256
    Session-ID: EC460000AE8DB8FAC3FA8F7269893FA42418AD6DEC375AC89560BA4CBAD3A7E5
    Session-ID-ctx: 
    Master-Key: 7686F2C7F81EAD69EA7F4F51A2167386473925A4EB7245ACEE80993ADEC5F1BF901787C82283A262B3886D372F69187E
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1682428824
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
```

IoT Explorer has no configuration item to add an extra trusted root, even though ChatGPT claimed that today, haha.

c031917 commented 5 months ago

One year later and no progress? You must be kidding. This bug makes it a toy, only usable from home with private PCs.

YingXue commented 5 months ago

Explorer is a FREE dev tool meant for learning and testing. It was never meant for a production environment. You may want to switch to the Azure Portal or something else. Apologies if this is not what you need. I've added this statement to the front page of this tool to avoid future confusion.

vrosu commented 5 months ago

I understand there is no way to achieve this, but the reasoning is valid only if this tool was built as a free tool for academic use, not for developers working at companies that actually build software. Whoever prioritized the capabilities should focus a bit more on the target audience.