wbond / package_control

The Sublime Text package manager
https://packagecontrol.io

Unable to install packages when using ZScaler #1682

Closed WSF-SEO-AM closed 3 weeks ago

WSF-SEO-AM commented 1 month ago

On our end we are using Zscaler, and apparently some changes occurred and I can't install any more packages. Although I have created a bundle file collating three different certificate public keys, I keep receiving the same error message and no packages are installed.

Can you please provide some support?

deathaxe commented 1 month ago

If you set "debug": true in Package Control settings, what is printed to the console when trying to install packages? Are there any certificate validation related issues or something along those lines?

Package Control relies on

  1. the wininet library on Windows, which fully handles TLS connections at OS level.
  2. Python 3.8's urllib on Linux/macOS, which uses ST's OpenSSL 1.1.1 library for TLS connections.

In each case https://github.com/wbond/package_control/issues/1674#issuecomment-2117864576 applies.

WSF-SEO-AM commented 1 month ago

Thanks. Is there any particular order on how certificate files should be appended? Is Sublime required to be restarted?

deathaxe commented 1 month ago

Order doesn't matter.

A modified Package Control.user-ca-bundle should get picked up each time PC detects it is newer than the auto-generated merged CA bundle.

PC caches results and won't reach out to servers for metadata once they are downloaded successfully. In that case a restart may be required to force new downloads. But as long as those fail, updated CA bundles should be picked up.

But actually, you are better off adding additional CA bundles to your OS's cert store anyway. Otherwise other apps may also fail establishing trusted TLS connections with host name verification.

deathaxe commented 3 weeks ago

Package Control 4 actually uses OpenSSL's default mechanisms to load default root certificate bundles via the load_default_certs() method on Python 3.8 and additionally loads the user CA bundle afterwards.

The mechanism has been tested locally on Windows and Linux, as well as via GitHub Actions for all platforms, successfully.

If a misconfiguration or external security appliance is blocking required operations to establish a trustworthy connection, there's nothing which can be done by a client like Package Control.
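
The loading order described in the comment above, as an added example that is not Package Control's own code: default roots from the OS/OpenSSL store first via load_default_certs(), then the user CA bundle, with hostname verification left on. It also shows the "merged bundle is regenerated when the user bundle is newer" check and a de-duplicating merge. The file names and the PEM blocks are constructed placeholders for illustration (the placeholder blocks are not real certificates and would be rejected by load_verify_locations).

```python
"""Added example (not Package Control's own code): build a TLS context that
loads default roots first and the user CA bundle afterwards, and regenerate a
merged CA bundle only when the user bundle is newer than it."""
import hashlib
import os
import re
import ssl
import tempfile

# Matches one PEM certificate block, including its delimiters.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def split_pem(text):
    """Return the certificate blocks found in a PEM bundle, in file order."""
    return [m.group(0) for m in _PEM_BLOCK.finditer(text)]


def cert_fingerprint(block):
    """SHA-256 over the base64 body; used only to de-duplicate blocks."""
    body = "".join(_PEM_BLOCK.match(block).group(1).split())
    return hashlib.sha256(body.encode("ascii")).hexdigest()


def merge_bundles(default_pem, user_pem):
    """Concatenate default and user bundles, dropping duplicate certificates.
    Order does not affect trust decisions; the user bundle is appended last,
    mirroring 'default roots first, then the user CA bundle'."""
    seen = set()
    out = []
    for block in split_pem(default_pem) + split_pem(user_pem):
        fp = cert_fingerprint(block)
        if fp in seen:
            continue
        seen.add(fp)
        out.append(block)
    return "\n".join(out) + ("\n" if out else "")


def merged_bundle_is_stale(merged_path, user_bundle_path):
    """True when the merged bundle is missing or older than the user bundle,
    i.e. when it must be regenerated before the next connection."""
    if not os.path.exists(user_bundle_path):
        return False
    if not os.path.exists(merged_path):
        return True
    return os.path.getmtime(user_bundle_path) > os.path.getmtime(merged_path)


def build_context(user_bundle_path=None):
    """Default roots from the OS/OpenSSL store first, then the user bundle.
    Hostname checking stays on: adding an intercepting proxy's root CA makes
    its re-signed leaf certificates verify; it does not bypass verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    if user_bundle_path and os.path.exists(user_bundle_path):
        # Raises ssl.SSLError if the file holds no parseable certificate,
        # which is the "wrong file" symptom worth surfacing loudly.
        ctx.load_verify_locations(cafile=user_bundle_path)
    return ctx


def context_is_strict(ctx):
    """True when the context both requires a trusted chain and checks the host name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def _fake_block(tag):
    """Constructed placeholder PEM block; NOT a real certificate."""
    return "-----BEGIN CERTIFICATE-----\n" + tag * 16 + "\n-----END CERTIFICATE-----"


# Constructed sample bundles: 'B' appears in both, so the merge keeps 3 blocks.
DEFAULT_PEM = _fake_block("A") + "\n" + _fake_block("B")
USER_PEM = _fake_block("B") + "\n" + _fake_block("C")


def demo_staleness():
    """Constructed scenario: the user bundle was edited after the merged bundle
    was written (stale), then the merged bundle is regenerated (not stale).
    Returns (stale_before, stale_after)."""
    with tempfile.TemporaryDirectory() as d:
        merged = os.path.join(d, "ca-bundle.merged")       # assumed file name
        user = os.path.join(d, "Package Control.user-ca-bundle")
        with open(user, "w") as f:
            f.write(USER_PEM)
        with open(merged, "w") as f:
            f.write(DEFAULT_PEM)
        os.utime(merged, (1000000, 1000000))  # merged written "long ago"
        os.utime(user, (2000000, 2000000))    # user bundle edited later
        before = merged_bundle_is_stale(merged, user)
        with open(merged, "w") as f:
            f.write(merge_bundles(DEFAULT_PEM, USER_PEM))
        os.utime(merged, (3000000, 3000000))  # regenerated after the edit
        after = merged_bundle_is_stale(merged, user)
        return before, after
```

With a real Zscaler root appended to the user bundle, a context from build_context() will accept the proxy's re-signed certificates for packagecontrol.io while still rejecting any host whose chain does not end at a trusted root; appending certificates to the bundle in any order works because trust is decided per chain, not per file position.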

WSF-SEO-AM commented 3 weeks ago

Apparently upon supplying the Zscaler certificate in the bundle file, the issue was resolved. It didn't work at first, but I can only assume I was using the wrong file at this stage. We can close the issue.