gm-vm / openfortivpn-webview

MIT License

Request: Ability to specify custom certificate authority #13

Closed isotherm closed 1 year ago

isotherm commented 1 year ago

I get the below error because I do not have the Fortinet CA root certificate installed system-wide.

[554294:0302/124014.997972:ERROR:cert_verify_proc_builtin.cc(670)] CertVerifyProcBuiltin for X.X.X.X failed:
----- Certificate i=2 (emailAddress=support@fortinet.com,CN=fortinet-ca2,OU=Certificate Authority,O=Fortinet,L=Sunnyvale,ST=California,C=US) -----
ERROR: No matching issuer found

Although installing the certificate system-wide is supposed to work, I do not want to do that as that would potentially permit the VPN appliance to monitor my traffic via MitM (which is one of the features of Fortigate).

I know nothing about Electron. The ideal thing would be if I could add a trusted certificate just for the embedded instance of Chromium, or if this app could catch the certificate error and do something reasonable. Maybe this could help: https://www.electronjs.org/docs/latest/api/app/#event-certificate-error

Or is there any other way to work around this in the meantime?

gm-vm commented 1 year ago

If you pass --ignore-certificate-errors Electron will just dump SSL errors in the console and continue loading the page. Definitely not a solution, but it can come in handy.

Node.js apparently has a special env variable to add custom certs (NODE_EXTRA_CA_CERTS), but Electron does not respect it. This is the issue with a workaround to make that work: https://github.com/electron/electron/issues/10257.

I re-adapted the code in the linked issue and pushed a branch: https://github.com/gm-vm/openfortivpn-webview/tree/extra_ca_certs. I could not test it yet; I applied the change blindly.

If you want, you can try to build the app yourself following these instructions.

Once you have done that you can quickly test it with (do note the extra --):

npm start myvpnhost -- --extra-ca-certs "/some/path"

gm-vm commented 1 year ago

I did a quick test using https://untrusted-root.badssl.com/ and couldn't make it work with the workaround, so I switched to the certificate-error event to handle things manually.

This let me load the page without issues (badssl-com.pem is the untrusted CA).

npm start -- --url 'https://untrusted-root.badssl.com/' --extra-ca-certs badssl-com.pem

gm-vm commented 1 year ago

I wanted to use the workaround because my assumption was that it would simply extend the set of certificates. This simply checks that the certificate belongs to the list of certificates provided with --extra-ca-certs.

Maybe I should also check that error is equal to net::ERR_CERT_AUTHORITY_INVALID.

isotherm commented 1 year ago

I verified that this works against a real server, using the full certificate chain. Thank you for looking into this and getting it resolved so promptly!