pub get on the samples (sunflower, pop_pop_win, etc) fail with peer certificate error #983
Comments
Comment by anders-sandholm

Comment by nex3
All the HTTPS certificate stuff is handled by dart:io.
Removed Area-Pub label.

Comment by skabet
Hi,
Dart comes with a built-in CA database, so what happens here is that the certificate of the host is not accepted by that database. To me it sounds like the request is rewritten and another certificate is used than the one expected (that is, the certificate used is not the one for 'pub.dartlang.org'). Can you try to run the following:

    pub --trace --verbosity all get

That might help us see if there is anything wrong with the local setup.
Cheers,
This comment was originally written by [email protected]

    C:\dev\tools\dart\dart64\samples\sunflower>pub --trace --verbosity all get
    e:\b\build\slave\dart-editor-win-dev\build\dart\sdk\lib_internal\pub\lib\src\solver\backtracking_solver.dart 559 Traverser._traverse
    e:\b\build\slave\dart-editor-win-dev\build\dart\sdk\lib_internal\pub\lib\src\log.dart 230 progress
    ---- Log transcript ----
    e:\b\build\slave\dart-editor-win-dev\build\dart\sdk\lib_internal\pub\lib\src\solver\backtracking_solver.dart 559 Traverser._traverse
    e:\b\build\slave\dart-editor-win-dev\build\dart\sdk\lib_internal\pub\lib\src\log.dart 230 progress
    ---- End log transcript ----
    C:\dev\tools\dart\dart64\samples\sunflower>
Comment by sgjesse
Hi,
So it seems that the certificate from pub.dartlang.org is somehow not recognized. Can you run the following Dart code to get more information on the certificate the Dart client is seeing:

    import 'dart:io';
    printCertificate(cert) {
    main() {

Thanks,

This comment was originally written by [email protected]
Ok, got this back. The zzz and xyz are instead of the actual name returned.

    Observatory listening on http://127.0.0.1:51829
    Response certificate:
Comment by sgjesse
When I run this program locally I get:

    Response certificate:

which has a Google root certificate. This looks like there is a corporate proxy between your machine and pub.dartlang.org which is terminating the HTTPS connection. This proxy is using a root certificate which is not trusted by Dart. The dart executable has a built-in set of root certificates, which of course does not include this root certificate. There are a number of ways this can be fixed:

Removed Type-Defect, Library-IO, Area-Library labels.
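The diagnosis above (a proxy terminating TLS and presenting a certificate from a root the Dart VM does not trust) can be confirmed from the client side. The program below is an added example, not code from this thread or from the Dart SDK: it connects to a host, prints the certificate the HttpClient actually sees, and when verification fails it uses badCertificateCallback only to record the rejected certificate while still returning false, so the failure stays a failure and nothing is silently trusted. It assumes Dart 2.12 or later (null safety) and takes the host name as a command-line argument, defaulting to pub.dartlang.org.

```dart
// Added example (not from the issue thread or the Dart SDK): show which
// certificate the Dart HttpClient actually sees for a host, so a corporate
// TLS-interception proxy can be told apart from the host's real certificate.
// Assumes Dart 2.12 or later; the host name is an optional argument.
import 'dart:io';

/// Prints the fields of a certificate that identify who issued it.
void printCertificate(X509Certificate cert) {
  print('  subject : ${cert.subject}');
  print('  issuer  : ${cert.issuer}');
  print('  valid   : ${cert.startValidity} .. ${cert.endValidity}');
}

Future<void> inspect(String host) async {
  final client = HttpClient();
  X509Certificate? rejected;

  // Observe a certificate that failed verification, but keep rejecting it:
  // returning false leaves the handshake failing, so nothing is trusted.
  client.badCertificateCallback = (X509Certificate cert, String h, int port) {
    rejected = cert;
    return false;
  };

  try {
    final request = await client.getUrl(Uri.https(host, '/'));
    // Do not follow redirects, so the certificate belongs to the host asked for.
    request.followRedirects = false;
    final response = await request.close();
    print('Response certificate (verified against the trusted roots):');
    final cert = response.certificate;
    if (cert != null) printCertificate(cert);
    await response.drain<void>();
  } on HandshakeException catch (e) {
    print('TLS handshake failed: ${e.message}');
    if (rejected != null) {
      print('Certificate presented by $host was rejected:');
      printCertificate(rejected!);
      print('If the issuer above is not a public CA but e.g. your company '
          'proxy, the connection is being intercepted. Add that root to the '
          'trust set for this client rather than disabling verification.');
    }
  } finally {
    client.close(force: true);
  }
}

Future<void> main(List<String> args) async {
  await inspect(args.isEmpty ? 'pub.dartlang.org' : args.first);
}
```

Run it as `dart inspect_cert.dart pub.dartlang.org` (file name is a placeholder). A verified connection prints the subject and issuer of the real certificate; behind an inspecting proxy the handshake fails and the rejected certificate's issuer names the proxy's CA, which is the root that would have to be trusted.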
Comment by sgjesse
Issue dart-lang/sdk#17664 has been merged into this issue.
Comment by nex3
I think it's the OS's responsibility to manage trusted root certificates, rather than each application's. On Windows, it looks like this page has instructions for doing so: http://technet.microsoft.com/en-us/library/cc754841.aspx.
Added NotPlanned label.

This comment was originally written by [email protected]
How would we get the cert to add it to our cert storage?

Comment by nex3
There are a couple of ways listed here: http://superuser.com/questions/97201/how-to-save-a-remote-server-ssl-certificate-locally-as-a-file
Comment by Emasoft
1 - Dart should always use HTTPS for pub get. Security issues would be HUGE if it doesn't.
2 - Dart should give a much more informative error message than the one reported above. The error message should explain clearly what doesn't work and what is the correct way to do it with Dart.
3 - The user must not be forced to manually set the server certificates using the OS. An admin should be able to write scripts in Dart that do it automatically if he needs to set up a new server. Dart should be able to manage trusted root certificates on every platform it runs, provided it has been granted the necessary privileges. The Dart subsystem should abstract the different OSs' procedures for doing it, and provide classes dedicated to download, verify, install and manage certificates. This should be true for almost all server-side scripting tasks involving the OS, at least those tasks needed to be able to write a Dart script that automates the full setup of a new HTTPS server remotely, a common task that before was accomplished using a mix of various tools and scripts.

Comment by nex3
The default is to use HTTPS, but we won't force users to use it for their own custom servers. For intranet or localhost servers, HTTPS doesn't make sense.
Feel free to file an issue against dart:io for this.
I don't think it's the responsibility of the core SDK, much less the package manager, to support a powerful configuration system. If this is something you'd find valuable, though, feel free to write this yourself.

Comment by sgjesse
The Dart executable cannot use the certificates which are set up through the OS tools/UI. The Dart executable uses Mozilla NSS to implement SSL/TLS. NSS accesses certificates and keys from a database which can be built using the certutil tool (https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Reference/NSS_tools_:_certutil). The API SecureSocket.initialize is used to initialize NSS with a database. If NSS is not initialized with a database a builtin set of trusted roots will be used. For pub to work with root certificates not in this builtin set of trusted roots an option is needed for the database to use for the call to SecureSocket.initialize.

Comment by sgjesse
Issue dart-lang/sdk#20270 has been merged into this issue.

Comment by nex3
Why not?
If this is a global property of dart:io, shouldn't the "dart" executable expose a way to configure it globally? Why is it the job of each individual executable to expose its own means of configuration?

Comment by sgjesse
We are using the Mozilla NSS library which only supports certificates stored in their own database format.
Right now this is initialized like this:

    SecureSocket.initialize(database: 'path/to/database', password: 'password');

We could make this configurable through an environment variable, and for a database with trusted root certificates an empty password should do. However this still requires that the user builds a NSS database with the 'certutil' tool from Mozilla which is complicated (see http://stackoverflow.com/questions/25388750/dart-https-request-with-ssl-certificate-please for an example). Another option is to use the badCertificateCallback property of dart:io HttpClient (https://api.dartlang.org/apidocs/channels/stable/dartdoc-viewer/dart-io.HttpClient#id_badCertificateCallback=). There can either be an option to pub to ignore bad certificates or a prompt displaying the actual certificate and asking. Of course this will somehow cause dart:io features to "leak" into the http package. I don't like an environment variable to ignore all bad certificates in dart:io HttpClient.

Comment by nex3
Why are we using this library if it imposes such a heavy usability cost for both users and developers?
This would be better than the current situation, since at least it would mean that Dart executables wouldn't have to independently implement different ways of setting the certificate store.
This is unfortunate, but currently there's no way around it unless we want to ignore bad certificates (which we don't).

Why was this closed? Are we just giving up on the whole idea of using the environment variable or something? I take a short break from Dart and come back to evaluate it for a project at my company (a big one) and this issue pretty much writes off Dart before I can get anyone to take a second look. My company has an HTTPS inspection point downstream. This is not a software firewall and it's not something we can add exceptions to the checkpoint for (we have tried). It requires a root certificate installed on every machine. Because of the strict mode here (with no option to disable it), I have had the same issues with
@nex3 @whesse does the switch to BoringSSL make this issue easier to address for @alexpaluzzi ? |
@sethladd you are fast, I was in the middle of following up with an e-mail to you just now. |
My understanding is that BoringSSL has a non-global configuration mechanism, so hopefully it should address this. |
BoringSSL does let you add a certificate to the set of trusted certificates, and it would be possible to add a pub option or environment variable support that would add a certificate to the trusted set when running pub. That sounds like a great idea to me, that should be done soon. To make this happen automatically instead would require making Dart use the OS's set of trusted certificates. Switching the global default set of certificates to be the set provided by the OS is a very large task, and the best first step would be an external tool (written in Dart, or in something else) to take the OS's set of trusted certificates (or just the added ones) and produce a single PEM file for a Dart program to import to its SecurityContext and trust.
Thanks @whesse. Adding a certificate is good, but an option to disable the strict-ssl on The same way I do now for This is all we are looking for. Everything but In any case, I appreciate everyone's time and effort here. I promise there are many people in my case who will hit the same wall I'm at when they come to check out Dart. |
From what I can see, Looks like @sethladd suggested someone opened an issue on this a little over two years ago: http://stackoverflow.com/questions/16524659/bypass-certificate-error-using-http. I'm not sure one was ever made on it. If |
Marking this as blocked until BoringSSL APIs are available. |
Is there still no way to add a cert or disable strict ssl? |
Either of these could be implemented now. The BoringSSL APIs, which let you add a certificate to a security context, are available. We should decide which to do. Either one would be a change in Pub. |
I'm brand new to Dart, and in the same boat as alexpaluzzi (trialing Dart in a corporate environment, and lucking out with pub get & https access due to network/security restrictions). I've been comparing coding and workflows between Python & Dart in my corp environment, and after some effort, I could finally get to work with Python but not Dart. For package installation, Dart needs a facility like: For https access, Dart needs the ability to turn off verify, like ..which allowed me to proceed (with Python). I would be interested to hear about @zanderso's solution for setTrustedCertificates with say the http package. Probably this situation is well known, and if so, I apologise. I'm just adding a small voice to this, since I've seen similar posts here about the same issue. For better corporate adoption, it's ideal that things like this get some attention, or please post a solution tutorial at the dartlang site. Thanks a lot.
Same issue here, I am really surprised that this has not been dealt with after so long. If anyone has a solution, please post. |
As a work-around, you should be able to edit the script that invokes the command line Dart VM on the pub snapshot to pass one of --root_certs_file or --root_certs_cache. This overrides SecurityContext.defaultContext. This script lives in dart-sdk/bin/pub. |
@zanderso thanks for the tip-off, I was able to figure out the solution and it is working in Windows finally. Ref: changelog. For Windows, I had the proxy self-signed cert file saved as a BASE-64 encoded X.509 (.cer) file. I did not need to edit the pub script itself since after reading it, I realized it was expecting the options to come as an env var named "DART_VM_OPTIONS", hence the changes above.

For me the error was caused by my antivirus, I had to disable it to make Dart work.
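The comments above describe the process-wide fix for pub (passing the proxy's root via --root_certs_file, which overrides SecurityContext.defaultContext). For a program of your own, the same effect is achieved per client with SecurityContext.setTrustedCertificates, as mentioned earlier in the thread. The program below is an added example, not code from this thread or from the Dart SDK: it keeps the built-in public roots, adds one extra root from a PEM file, and uses that context for a single HttpClient, so certificate verification stays on and only chains ending at a known root are accepted. It assumes Dart 2.12 or later; the host name and the PEM path are command-line arguments, and 'corporate-root.pem' is a placeholder name.

```dart
// Added example (not from the issue thread or the Dart SDK): trust one extra
// root certificate for a single HttpClient instead of disabling verification.
// Assumes Dart 2.12 or later. The PEM path is whatever the proxy's root was
// exported as (e.g. the BASE-64 encoded X.509 file from the comment above).
import 'dart:io';

/// Builds a context that keeps the built-in public roots and adds the
/// root certificate from [pemPath]. Only certificates chaining to one of
/// these roots are accepted; everything else still fails verification.
SecurityContext contextWithExtraRoot(String pemPath) {
  final context = SecurityContext(withTrustedRoots: true);
  context.setTrustedCertificates(pemPath);
  return context;
}

/// Performs one GET over the given context and returns the HTTP status.
Future<int> fetchStatus(String host, SecurityContext context) async {
  final client = HttpClient(context: context);
  try {
    final request = await client.getUrl(Uri.https(host, '/'));
    request.followRedirects = false;
    final response = await request.close();
    await response.drain<void>();
    return response.statusCode;
  } finally {
    client.close(force: true);
  }
}

Future<void> main(List<String> args) async {
  if (args.length < 2) {
    print('usage: dart trust_root.dart <host> <corporate-root.pem>');
    exitCode = 64;
    return;
  }
  final host = args[0];
  final context = contextWithExtraRoot(args[1]);
  try {
    final status = await fetchStatus(host, context);
    print('$host answered HTTP $status with the extra root trusted.');
  } on HandshakeException catch (e) {
    // Still failing means the PEM is not the root that signs the proxy's
    // certificates (or the file holds an intermediate without its root).
    print('Handshake still fails: ${e.message}');
    exitCode = 1;
  }
}
```

Run it as `dart trust_root.dart pub.dartlang.org corporate-root.pem` (file names are placeholders). The design point is that the trust is scoped: the extra root lives in one SecurityContext handed to one client, nothing is added to the OS store, and badCertificateCallback is not used, so a certificate from any other unknown issuer is still rejected.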
Should be able to do |
Originally opened as dart-lang/sdk#18929
This issue was originally filed by [email protected]
What steps will reproduce the problem?
What is the expected output? What do you see instead?
I expect pub to get the required files
What version of the product are you using? On what operating system?
Dart sdk 1.3.6
Please provide any additional information below.