usebruno / bruno

Opensource IDE For Exploring and Testing Api's (lightweight alternative to postman/insomnia)
https://www.usebruno.com/
MIT License

Scripting runtime doesn't respect TLS/SSL settings #2259

Open logandavies181 opened 7 months ago

logandavies181 commented 7 months ago

I have checked the following:

Describe the bug

The options for SSL/TLS verification, as well as the configurable Custom CA Certificate, are ignored when running scripts - pre, post and test.

Notably they do use NODE_EXTRA_CA_CERTS via Electron v30.0.0+ #2257

Reproduction steps

Create an HTTPS server in golang:

# create the custom cert
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj "/CN=foo.example.com"

# add an entry to /etc/hosts so we don't get hostname mismatch even though we
# trust the certificate
echo '127.0.0.1  foo.example.com' | sudo tee --append /etc/hosts

# create a quick https server which presents our brand new cert
go mod init test
cat <<EOF > main.go
package main
import (
    "fmt"
    "log"
    "net/http"
)
func main() {
    http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
        fmt.Println("got request")
        fmt.Fprintln(w, "hello world")
    })
    // exit with the error if cert.pem/key.pem can't be loaded or the port is taken
    log.Fatal(http.ListenAndServeTLS(":8080", "cert.pem", "key.pem", nil))
}
EOF

go run .

Then run the .bru file below

.bru file to reproduce the bug

meta {
  name: foo with axios
  type: http
  seq: 3
}

get {
  url: https://foo.example.com:8080
  body: none
  auth: none

}

script:pre-request {
  const axios = require("axios");
  const resp = await axios({url:"https://foo.example.com:8080"});
  const data = await resp.data;
  console.log(data);
}

Screenshots/Live demo link

Using the above setup:


tgourley commented 2 weeks ago

I'm running into something similar to this. I am running a .NET ASP.NET API (.NET 8) that is utilizing the basic .NET local dev cert. I have the option off for certificate validation and a regular request to the https url will work normally. But if I hit that same URL using axios in a pre-request script, I get the following error: unable to verify the first certificate.

I've been trying to use npm to include the https library to be able to modify the axios call to turn off the rejectUnauthorized on the https setup, but that returns the error

Error invoking remote method 'send-http-request': Error: Error: Cannot find module https

https://stackoverflow.com/questions/51363855/how-to-configure-axios-to-use-ssl-certificate
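One way a host application could carry its TLS settings into the HTTP client it hands to scripts, so script requests follow the same verification toggle and custom CA as regular requests. This is an added example, not Bruno's code and not part of either comment above; the settings object, its field names and both function names are hypothetical, and `httpsAgent` is the axios request option that accepts a custom agent.

```javascript
const https = require("node:https");
const tls = require("node:tls");

// Constructed placeholder; a real value would be the PEM text of cert.pem.
const SAMPLE_CA_PEM =
  "-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n";

/**
 * Translate app-level TLS preferences into https.Agent options.
 * Assumed settings shape (hypothetical, not Bruno's own):
 *   verifyTls      boolean        the SSL/TLS verification toggle
 *   customCaPem    string | null  PEM text of the custom CA certificate
 *   keepDefaultCas boolean        also trust Node's bundled root CAs
 */
function agentOptionsFromSettings(settings) {
  // Verification stays on unless the user explicitly turned it off.
  const opts = { rejectUnauthorized: settings.verifyTls !== false };
  if (settings.customCaPem) {
    // Supplying `ca` replaces Node's default trust store, so the bundled
    // roots are added back unless the user asked to trust only the custom CA.
    opts.ca =
      settings.keepDefaultCas === false
        ? [settings.customCaPem]
        : [...tls.rootCertificates, settings.customCaPem];
  }
  return opts;
}

/**
 * Defaults for the axios instance exposed to pre-request, post-response and
 * test scripts. A host would pass the result to axios.create(...).
 */
function axiosConfigFromSettings(settings) {
  return { httpsAgent: new https.Agent(agentOptionsFromSettings(settings)) };
}
```

Trusting the self-signed certificate through the CA list keeps hostname and chain checks active for every other host, which turning verification off does not.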