Unable to download behind corporate (SSL MITM) proxy.

[kvakhil95]

I get the following error when I run the command rustup-init -y: could not download file from 'https://static.rust-lang.org/dist/channel-rust-stable.toml.sha256' to '/root/.rustup/tmp/7wzxxkvb0v94ftm8_file' info: caused by: error during download info: caused by: [35] SSL connect error

This is because I'm behind a corporate proxy. So I tried changing the file rustup-init.sh to add the -k flag to turn off curl's certificate verification. However, this doesn't seem to affect the file as it is throwing the above error.

The rustup-init file has the 20th line as: '#XXX: If you change anything here, please make the same changes in setup_mode.rs'

I find no such file in my system. Where do I get this file? Is there any other alternative to help me download without curl's certificate verification?

[pffang]

same problem

[hai-ld]

same here

[anton-pt]

I'm having the same problem on a Windows machine. Any known fix?

[orthoxerox]

Something like https://docs.rs/curl/0.4.19/curl/easy/struct.Easy.html#method.ssl_verify_host / https://docs.rs/reqwest/0.9.8/reqwest/struct.ClientBuilder.html#method.danger_accept_invalid_certs should be added to the curl/reqwest builder to allow rustup to work with mitm corporate proxies. It's an easy fix, except you need rust to build new rustup-init...

[rohitjoshi]

Any update on this?

[kinnison]

We continue to discuss this in #1624

[GrumpyMetalGuy]

Given that #1624 just got closed down, is this the right place to discuss?

I've been trying for a year now to get traction on Rust at work, and this stops it every single time. This is an active blocker that corporate security will not work around, so we need something if we want to get Rust used in larger multinationals. (that and Artifactory support, although that's another story/ticket)...

[kinnison]

Once I have a way to let rustup verify the GPG signatures on channels, it becomes more viable to allow it to ignore certificate issues. Currently the certificates are the only guarantee we have that data has not been tampered with in-flight. I promise that we're trying to get this resolved, but we refuse to do it in a way which opens the door to the risk of someone using rustup as a way to deliver malware through corporate proxies.

[GrumpyMetalGuy]

Understood, and thanks for the update. I definitely don't want hackery used, as if malware gets into our network, it would look terrible for all involved!

I know you can't give estimates, etc, but as one of many behind the Great Corporate Firewall™, I really hope this gets some prioritisation/traction! I want Rust to take off across all environments, mine in particular ;) Especially with all the news from MS, FB, etc, starting to sing its praises more, it seems like a real shame to not actually be able to demo code using it...

[RalfJung]

Unable to download behind corporate proxy

So "corporate" is a synonym for "MITM that breaks security"? Wow, and I thought I was cynical. ;)

On a more serious note, the title could need some clarification that this is about proxies that do actively work against security best practices.

[swigger]

Unable to download behind corporate proxy

So "corporate" is a synonym for "MITM that breaks security"? Wow, and I thought I was cynical. ;)

On a more serious note, the title could need some clarification that this is about proxies that do actively work against security best practices.

NO, it means speed. For my MITM proxy, It's 50 times faster .

[RalfJung]

NO, it means speed. For my MITM proxy, It's 50 times faster .

Sure, fast -- but insecure. Such proxies are time and time again found to reduce security on the web and prevent deployment of new protocols like TLS 1.3. We would literally have had TLS 1.3 at least a year earlier if it wasn't for such proxies.

[GrumpyMetalGuy]

Hi, coming up to a year since the last comment. @kinnison , is there any news on this?

[rbtcollins]

Rather than turning off certificate verification, you should be able to add your MITM proxies root certificate to your local trust store; then traffic through it, and only traffic through it, will validate, other devices trying to attack your traffic will fail to validate.

That should not require any changes to rustup at all; please verify if this does / doesn't work, and we'll proceed from there.