denoland / deno

A modern runtime for JavaScript and TypeScript.
https://deno.com
MIT License

Handshake Failure Behind Proxy, Even With --cert #6465

Closed zicklag closed 3 years ago

zicklag commented 4 years ago

I'm behind an HTTP proxy with authentication and a custom certificate, but I'm getting an undescribed HandshakeFailure when trying to run hello world:

$ deno run --cert=/usr/local/share/ca-certificates/proxy-ca.crt  -L debug https://deno.land/std/examples/welcome.ts
Deno isolate init with snapshots.
rust:shared_queue:reset
DEBUG JS - cwd /home/vagrant/git/katharostech-gitea/katharostech-com
DEBUG JS - args []
main_module https://deno.land/std/examples/welcome.ts
fetch_source_file specifier: https://deno.land/std/examples/welcome.ts maybe_referrer: None
⚠️️  Granted network access to "https://deno.land/std/examples/welcome.ts"
Download https://deno.land/std/examples/welcome.ts
starting new connection: https://deno.land/
proxy(http://[redacted]:3128) intercepts 'https://deno.land/'
connecting to [redacted]:3128
connected to [redacted]:3128
tunnel to deno.land:443 using basic auth
No cached session for DNSNameRef("deno.land")
Not resuming any session
ERROR RS - rustls::session:514 - TLS alert received: Message {
    typ: Alert,
    version: TLSv1_2,
    payload: Alert(
        AlertMessagePayload {
            level: Fatal,
            description: HandshakeFailure,
        },
    ),
}
error: error sending request for url (https://deno.land/std/examples/welcome.ts): error trying to connect: received fatal alert: HandshakeFailure

I have my HTTP_PROXY and HTTPS_PROXY environment variables set like so:

http_proxy=http://user:password@[redacted]:3128
export https_proxy=$http_proxy
export HTTP_PROXY=$http_proxy
export HTTPS_PROXY=$http_proxy
export ftp_proxy=$http_proxy
export FTP_PROXY=$http_proxy

Is there any way to get more info on what is actually failing? This happens with any deno command that tries to access the internet.

golan-guy commented 4 years ago

I get this error too.

piscisaureus commented 4 years ago

Did you ever figure it out?

zicklag commented 4 years ago

I'll try it again soon. I think that may have been fixed, but I ran into another issue: https://github.com/denoland/deno/issues/6502. That issue appears to be caused by https://github.com/seanmonstar/reqwest/issues/992, which sounds like an easy fix.

zicklag commented 4 years ago

I'm still getting the same error with the same steps to reproduce. I'm not sure if it is related to https://github.com/seanmonstar/reqwest/issues/992 yet.

zicklag commented 3 years ago

I am unsure why explicitly setting the DENO_CERT fails, but I have verified that by switching the features of reqwest to use default-tls instead of rustls-tls, everything works fine. I'm very glad that I have a way to build it now. I've wanted to try Deno for months!

Anyway, I guess that still leaves this issue at the point where we need to fix the RusTLS backend to use the cert when provided, but building with the different parameters fixes it for me for now.

bartlomieju commented 3 years ago

In 1.13 we added DENO_TLS_CA_STORE env variable as well as --unsafely-ignore-certificate-errors which should resolve this issue (https://deno.com/blog/v1.13). I'm going to tentatively close it as fixed, please let me know if that still doesn't work.

zicklag commented 3 years ago

I found out that my TLS issues seemed to be related to my proxy server not supporting the higher security ciphers required by rustls, and that it isn't specific to Deno, so this should be totally fine on Deno's end.

Switching the reqwest TLS backend does work, for anybody else who runs into my situation.
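
The cause reported at the end of the thread (an intercepting proxy that cannot negotiate the suites rustls offers) can be checked directly. This is an added example, not code from the thread or from Deno: it tunnels through the proxy twice, once with a restricted cipher offer and once with OpenSSL's default, and reports what each handshake negotiates. The function names, the placeholder proxy address and CA path, and the OpenSSL cipher string used to approximate rustls's TLS 1.2 offer are assumptions.

```python
import base64
import socket
import ssl

# Assumption: OpenSSL cipher string approximating rustls's TLS 1.2 offer
# (ECDHE key exchange with AEAD ciphers only). TLS 1.3 suites stay enabled.
RUSTLS_LIKE = "ECDHE+AESGCM:ECDHE+CHACHA20:!PSK:!aNULL"

def make_context(ca_file=None, rustls_like=True):
    """Client context trusting ca_file (the proxy CA), TLS 1.2 or newer."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(RUSTLS_LIKE if rustls_like else "DEFAULT")
    return ctx

def open_tunnel(proxy, target, user=None, password=None):
    """Send CONNECT target:443 to proxy=(host, port); return the raw socket."""
    sock = socket.create_connection(proxy, timeout=10)
    request = f"CONNECT {target}:443 HTTP/1.1\r\nHost: {target}:443\r\n"
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        request += f"Proxy-Authorization: Basic {token}\r\n"
    sock.sendall((request + "\r\n").encode())
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = sock.recv(4096)
        if not chunk:
            break
        reply += chunk
    status = reply.split(b"\r\n", 1)[0].decode(errors="replace")
    if status.split()[1:2] != ["200"]:
        sock.close()
        raise ConnectionError(f"proxy refused CONNECT: {status!r}")
    return sock

def probe(proxy, target, ca_file=None, **auth):
    """Handshake twice through the proxy; report what each offer negotiates."""
    results = {}
    for label, strict in (("rustls-like", True), ("openssl-default", False)):
        try:
            ctx = make_context(ca_file, strict)
            sock = open_tunnel(proxy, target, **auth)
            with ctx.wrap_socket(sock, server_hostname=target) as tls:
                results[label] = f"{tls.version()} {tls.cipher()[0]}"
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            results[label] = f"failed: {getattr(exc, 'reason', None) or exc}"
    return results

if __name__ == "__main__":
    # Placeholder proxy address and CA path; replace with your own.
    print(probe(("proxy.example.internal", 3128), "deno.land", "proxy-ca.crt"))
```

A handshake failure under "rustls-like" combined with a successful negotiation under "openssl-default" points at the proxy's cipher configuration rather than at the CA certificate.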