Use system certificates

kdzwinel / betwixt

:zap: Web Debugging Proxy based on Chrome DevTools Network panel.

MIT License

4.54k stars 125 forks source link

Use system certificates #52

Open jekor opened 6 years ago

jekor commented 6 years ago

Related to #3, but on the other end of the connection I receive the following error:

PROXY_TO_SERVER_REQUEST_ERROR: Error: unable to verify the first certificate

The server is using a certificate signed by an internal CA. This seems to be caused by Betwixt (node-http-mitm-proxy?) not using the system certificates (on OS X).

A workaround could be a way to pass trusted certificates to the app. I can't make sense of which environment variables (if any) the code in question will consult.

kdzwinel commented 6 years ago

👋It's a bit over my head ATM, I'd have to do some research. But please feel free to take a stab at it.

jekor commented 6 years ago

The good news is that Node seems to have addressed this with https://github.com/nodejs/node/commit/3aa17e4e513f0bf281ee754eb58a33b737be2867, although it is a compile-time option and there's no indication if it will work on all operating systems. The discussion happened on https://github.com/nodejs/node/issues/4175. The Node CLI documentation shows another (runtime?) option that appears to be related based on the version it was released in: https://nodejs.org/api/cli.html#cli_use_openssl_ca_use_bundled_ca.

I don't know to get Betwixt working with the latest electron (I encountered runtime errors and didn't go any further) nor how to pass one of those parameters.

kdzwinel commented 6 years ago

@jekor Gotcha, thanks for doing research, it's very useful. Not sure when I'll get time to look at this, but maybe someone will take a stab at in the meantime 🤞

AdamMajer commented 5 years ago

NodeJS doesn't have a constant list of certificates for a long time. It allows overrides both at command line and programmatically . node --help and manpage would help you.

--use-bundled-ca, --use-openssl-ca are command line switches

NODE_EXTRA_CA_CERTS file

         When set, the well-known “root” CAs (like VeriSign) will be extended with the
         extra certificates in file.  The file should consist of one or more trusted
         certificates in PEM format.

         If file is missing or misformatted, a message will be emitted once using
         process.emitWarning(), but any errors are otherwise ignored.

         This environment variable is ignored when `node` runs as setuid root or has
         Linux file capabilities set.

SSL_CERT_DIR dir

         If --use-openssl-ca is enabled, this overrides and sets OpenSSL's directory
         containing trusted certificates.

SSL_CERT_FILE file

         If --use-openssl-ca is enabled, this overrides and sets OpenSSL's file contain-
         ing trusted certificates.