jmrog / vscode-nuget-package-manager

An extension for Visual Studio Code that lets you easily add or remove .NET Core 1.1+ package references to/from your project's .csproj file using Code's Command Palette.
MIT License

Fails to install nuget packages when behind a corporate proxy with self-signed cert. #21

Closed adragoset closed 7 years ago

adragoset commented 7 years ago

The extension will fail to download and install a nuget package when behind a corporate proxy with a self-signed cert. Error is displayed with reason: self signed cert in certificate chain. Desired functionality should respect "http.proxyStrictSSL": false until there is a better way to make VS Code respect self-signed certificates.

The problem here is that I do not have a proxy set. The corporate firewall is handling all of that transparently from configuration on my dev machine.

I think the issue is coming from https://github.com/jmrog/vscode-nuget-package-manager/blob/master/src/utils/getFetchOptions.ts line 29 as that agent needs to be configured to not use tls if http.proxyStrictSSL is false.

Here's the relevant API for https-proxy-agent opts:

secureProxy - Boolean - If true, then use TLS to connect to the proxy. Defaults to false.
secureEndpoint - Boolean - If true then a TLS connection to the endpoint will be established on top of the proxy socket. Defaults to true.

In my case secureEndpoint defaults to true even though proxyStrictSSL is set to false.

jmrog commented 7 years ago

@adragoset Thanks for the report. Sorry for the delay in fixing this, but there is a mismatch between the documentation for https-proxy-agent on npm and the documentation on GitHub (the latter actually removes the bit about secureEndpoint). That caused a bit of confusion, though it does look like the secureEndpoint option still exists in the code, so I've gone ahead and used it. However, I've had very little time to test this fix -- I tested it a little, but not much -- so I'm wondering if you'd be willing to install the distributed (pre-packaged) extension with the fix, try it out, and let me know whether it works as expected for you. I've added it to the "dist" folder here: https://github.com/jmrog/vscode-nuget-package-manager/tree/master/dist (make sure that you grab v1.1.4). If you need info on how to install the pre-packaged extension, you can find it here: https://code.visualstudio.com/docs/editor/extension-gallery#_install-from-a-vsix. On the other hand, if you can't/aren't willing to do this, please just let me know and I'll try to find some more time to test before releasing.

Thanks!

adragoset commented 7 years ago

I'll gladly take care of testing this on Monday when I have access to the environment it's occurring on.

jmrog commented 7 years ago

Awesome, thanks!

adragoset commented 7 years ago

I verified this works when a proxy is defined. If the env is using a transparent no-proxy firewall, though, you still have to set the system env variable NODE_TLS_REJECT_UNAUTHORIZED=0. I was attempting to look into whether there was a way to configure an agent without a proxy URL, but it does not appear to be so. It may be possible to set an option on node-fetch to ignore TLS in the cases where a self-signed cert is needed but the proxy server is hidden or none is specified.

My feeling is: why do such robust corporate filtering if it means everyone just turns TLS off? Seems the latter is much more insecure than any security you gain by stateful packet inspection on TLS sessions across the network. Anyway, I doubt I'll be able to make our IT department's flying monkeys see the light, so I've disabled Node TLS at the env level and that allows this plugin to work.

jmrog commented 7 years ago

@adragoset Thanks for testing this. I'm glad it worked when a proxy is defined, though I'm sorry to hear that you still have to go through additional steps in your particular environment.

I'm not quite ready to give up, though. The agent that this extension uses (from node-https-proxy-agent) passes along supplied options to Node's tls.connect method, which itself accepts a rejectUnauthorized option (see here: https://nodejs.org/api/tls.html#tls_tls_connect_options_callback). If that option is set to false, it looks like certificates will not be verified. Does that sound like it could work for you? And if so, would you like me to distribute a version that uses that option appropriately so that you can try it out?

jmrog commented 7 years ago

I've released v1.1.4, which was confirmed to work well enough for the particular issue here. For that reason, I'm marking this issue as closed. However, I'm going to create a separate issue to track any research/dev related to the last two comments in this thread.