Open yacinehmito opened 10 months ago
I managed to reproduce with rustls' example program:
```
./target/debug/tlsclient-mio --verbose --cafile ~/cloudflare.pem deno.land --http
```
I'll keep this issue open, unless asked otherwise, and will direct my investigations to rustls.
I think I found the issue: the signature algorithm of the Cloudflare certificate is ECDSA Signature with SHA-512 (1.2.840.10045.4.3.4). It is not supported by rustls.
The issue to track progress in rustls: https://github.com/rustls/rustls/issues/1367
The PR to track progress in ring: https://github.com/briansmith/ring/pull/1631
We'll keep an eye on this and update ring/rustls as needed. Thanks for researching it.
FYI rustls supports this since 0.23 (release Feb 29)
Disclaimer: It's a bit hard to know whether the root cause is in Deno's scope or Cloudflare's scope, so I am posting an issue both in here and with Cloudflare support.
Description
When using Cloudflare WARP as an HTTPS proxy, deno is unable to fetch any resources as it errors with `invalid peer certificate: BadSignature` regardless of how Cloudflare's certificate is provided.
Context
Cloudflare WARP is a VPN client that can also act as an HTTPS proxy in an Enterprise setting (this is part of the Cloudflare Zero Trust suite of products). Effectively, Cloudflare acts as a man-in-the-middle for all HTTPS traffic when Cloudflare WARP is activated and configured to run as an HTTPS proxy. It therefore requires the endpoint to trust a certificate from Cloudflare, which can be downloaded here.
When using Deno, this certificate can be provided in one of three ways:
- With the `--cert` CLI parameter.
- By setting `DENO_CERT` to the path of the certificate.
- By setting `DENO_TLS_CA_STORE` to `system`.
Regardless of how the certificate is provided, this fails. It may either be because of a defect of Cloudflare's proxy, or a defect in Deno's handling of custom certificates.
Steps to reproduce
1. Save the Cloudflare certificate as `~/cloudflare.pem`.
2. Save the example script as `~/script.ts`.
3. Remove the Deno directory (`rm -r $(deno info --json | grep denoDir | cut -d: -f2 | sed 's/[" ,]//g')`).
4. Run `deno run --cert ~/cloudflare.pem ~/script.ts`.
This will fail with the following output:
Example script
System settings
Output of `deno --version`:
OS: macOS Ventura 13.6.1
Cloudflare WARP version: 2023.9.252.0 (20230927.21)
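The comment above pins the failure on the outer signature algorithm of the Cloudflare certificate (ecdsa-with-SHA512, OID 1.2.840.10045.4.3.4), which rustls only accepted from 0.23 onward. The following script is an added example, not code from Deno, rustls or Cloudflare: it reads a PEM or DER certificate with a small hand-written ASN.1 DER reader (no third-party packages) and reports the `Certificate.signatureAlgorithm` OID, so a defender can check a proxy CA's certificate against a client's supported algorithms before rolling it out. The `sample_cert` helper builds a constructed stand-in whose tbsCertificate is a placeholder; only the outer layout matches a real certificate.

```python
"""Report the outer signature algorithm OID of an X.509 certificate (PEM or DER)."""
import base64
import re
import sys

# Standard X.509 signature-algorithm OIDs (names per RFC 5758 / RFC 4055).
SIG_ALG_NAMES = {
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}

# Per this thread: rejected as BadSignature by rustls before 0.23.
UNSUPPORTED_BEFORE_RUSTLS_0_23 = {"1.2.840.10045.4.3.4"}


def _read_tlv(buf: bytes, pos: int):
    """Read one DER TLV starting at pos; return (tag, content, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets into dotted notation."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last octet of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(data: bytes) -> bytes:
    """Accept PEM or DER input; return DER bytes."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data


def signature_algorithm_oid(cert: bytes) -> str:
    """Return the dotted OID from Certificate.signatureAlgorithm."""
    tag, body, _ = _read_tlv(pem_to_der(cert), 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    _, _tbs, pos = _read_tlv(body, 0)          # skip tbsCertificate
    tag, alg, _ = _read_tlv(body, pos)          # AlgorithmIdentifier
    assert tag == 0x30, "AlgorithmIdentifier must be a SEQUENCE"
    tag, oid, _ = _read_tlv(alg, 0)
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    return _decode_oid(oid)


def describe(cert: bytes) -> dict:
    """Summarise the outer signature algorithm and whether rustls >= 0.23 is needed."""
    oid = signature_algorithm_oid(cert)
    return {"oid": oid, "name": SIG_ALG_NAMES.get(oid, "unknown"),
            "needs_rustls_0_23": oid in UNSUPPORTED_BEFORE_RUSTLS_0_23}


# --- constructed sample data (not a real certificate) --------------------------
def _der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        out += bytes(chunk)
    return out


def _tlv(tag: int, value: bytes) -> bytes:
    assert len(value) < 128  # short-form length suffices for the sample
    return bytes([tag, len(value)]) + value


def sample_cert(sig_oid: str) -> bytes:
    """Constructed stand-in: placeholder tbsCertificate, real outer layout."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))            # SEQUENCE { INTEGER 1 }
    alg = _tlv(0x30, _tlv(0x06, _der_oid(sig_oid)))   # AlgorithmIdentifier
    sig = _tlv(0x03, b"\x00" * 5)                     # BIT STRING (dummy)
    return _tlv(0x30, tbs + alg + sig)


def sample_pem(sig_oid: str) -> bytes:
    """Same constructed certificate, PEM-armoured."""
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(sample_cert(sig_oid))
            + b"\n-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_pem("1.2.840.10045.4.3.4")
    print(describe(data))
```

Run it as `python check_sigalg.py ~/cloudflare.pem` against a downloaded proxy CA; with no argument it analyses the constructed sample. Only the outer `signatureAlgorithm` is inspected, which is the field the thread identifies; the tbsCertificate body is skipped untouched.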