Add flag to ignore SSL certificate issues #1371
Comments
Seems like it'd be better to allow adding new CA entries that requests would trust, no? Having this flag is probably fine in exceptional circumstances, but for any production system leaving this flag on all the time is a huge red flag. |
I wonder if this ought to share a prefix i.e. Related: #1064 |
@eventualbuddha yes, I'd like to have that option too. I mean, for some non-production cases, it might be better to completely disable any checks. And later, you might want to add new CA entries when preparing the code for production. @hayd I did more research on that because I need to make it work already. So, I discovered that these checks are performed in rustls. And as far as I can tell, we'll be unable to disable certificate checks, or add custom CAs, unless this lib is built with Back to @hayd's questions, I might be wrong, but I think that ideally, deno should pick up system CAs instead of bundled CAs without any additional flags. AFAIK, it will be a more browser-like approach. Please let me know what you think about it. |
As an update to this, I have a working branch, and it works fine, but I'm not ready to open a PR yet. Anyway, it's my first time coding in rust, so I expect a lot of help from code review. Currently, the branch is here: https://github.com/Maxim-Mazurok/deno/tree/accept-insecure-certs and it adds |
Chiming in that the Go
Docs here: https://golang.org/pkg/crypto/tls/#Config

We could start with something like number 1, but leave the door open for more granular configuration. My biggest worry here is that TLS in rust is kind of rough as it stands. We will be bound to the underlying implementation chosen, but we should take care to avoid letting the underlying implementation leak into the TypeScript API. My dream would be a TypeScript

```ts
export interface TLSConfig {
  // defaults to false
  insecureSkipVerify?: boolean;
}
```
|
It looks like deno is now using the reqwest library, which claims:
But I'm still getting certificate errors when behind a corporate proxy. It looks like deno is configured to use rustls-tls instead of default-tls or native-tls. I think that's why it's still not working. Is there a reason to not use default-tls or native-tls? I'm looking here. Specifically this line:
Seems like you could just change it to
And that would fix it. |
Is there any update on this issue, because I am facing this error when calling internally hosted reviewboard api using fetch while on VPN.
|
I'm not sure about a flag, but at least |
See denoland/deno#1371 for issues with TLS and fetch. There are other issues on Deno about TLS and fetch as well.
Would love to see something like this implemented, i'm trying to run integration tests for a web app to ensure |
There needs to be both a environment variable and a |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
Occurring an activity :) |
I really want this too! While being safe by default is nice and all, I wish there was a way I could override this on an individua |
this would be helpful in multiple scenarios such as running unit tests against a development version of a local webserver. Additionally, interacting with an internal server where a real cert isn't needed. |
This is necessary in isolated development scenarios and causes a headache when trying to create quick demo systems post production |
This would be really useful for my crawler application. I need to download a lot of pages from a website that has an insecure certification, but I can't fix it. I am obligated to use this website even with an insecure flag on it (it's literally a government site) |
As an example: |
Just found this: I believe this would solve this issue |
Went way down the rabbit hole on this one 😩 . Digital Ocean, but it seems Heroku, and Google Cloud too use self signed certs to secure a postgres DB connection. Sadly, passing that cert is not enough as something goes wrong. Two pg drivers available for Deno (postgres, pg) show the same error when trying to write to the TLS connection:

```
error: Uncaught (in promise) UnexpectedEof: tls handshake eof
await Deno.writeAll(this.conn, writer.buffer);
^
    at deno:core/core.js:86:46
    at unwrapOpResult (deno:core/core.js:106:13)
    at async write (deno:runtime/js/12_io.js:107:12)
    at async Object.writeAll (deno:runtime/js/13_buffer.js:224:19)
    at async Connection.startup (https://deno.land/x/pg@v0.6.0/connection.ts:61:5)
    at async Connection.connect (https://deno.land/x/pg@v0.6.0/connection.ts:45:7)
    at async Client.connect (https://deno.land/x/pg@v0.6.0/client.ts:31:5)
    at async file:///Users/cryptogohan/code/twitter_scraper/connect.ts:13:1
```

Using an insecure connection with a DB is not an option for me. Deno has no way to bypass the cert check; many hours later I'm left with not using Deno and rewriting, which is v. sad as I was having an amazing time with it! Thanks for all the hard work so far, hopefully, this one makes it in. Or one of the suggestions in #5931 , or possibly #7660 . |
So even I went into a rabbit hole and without this feature can't get out. Basically I've spent days on developing a tool for parsing templates and an expression compiler using Deno. Now having everything set up, I wanted to write the part for handling those templates and sending data to the server in the VM with a self-signed certificate - no, there is no way to disable SSL on that service (basically a restriction of the software). That's my story, I should have researched more about Deno. Since this feature has been open since 2018 I don't feel that something will move right now, so I am forced to rewrite everything (don't want to use Node). Awesome tool tho, but misses some core functionality :/ |
@TheAifam5 The solution for using self signed certificates is not to disable verification, but instead to pass the self signed CA certificate to --cert so it can be included in the verification logic. |
@lucacasonato are you describing a potential solution or something that deno already supports? It didn't have
|
Deno has had a --cert flag since 1.0. You must specify it after the subcommand. |
For those ending up here trying to connect to databases, I started a discussion over here and identified some work to be done to make things work. I'll also update as things start working. Slow going for now, but may already contain hints for people with SSL issues. For theaifam5 passing a cert should already do the trick! Either as a flag or when making the connection for whatever request you're making. |
The --cert does not work for whatever reason and I still get the same issue. Similar to #8939 which got just closed without even waiting to see if the solution provided actually solves the problem. Before anyone asks, yes I extracted the certificate through a browser and through CertMgr and I have it installed on my machines with a private key. Maybe because of "fetch"? Same thing with "connectTls", but it also throws when "127.0.0.1" is set as the hostname, or when left at the default - error "invalid hostname". I tried both, as a flag and in the code with `connectTls`. Tried the @cryptogohan scripts and it says that the server does not like SSL - also takes a long time to process. The application where I try to connect is the Microsoft Azure CosmosDB Emulator using the SQL API (through HTTPS). Maybe someone has it running and can verify my issue. I can not find a better alternative to Deno :D Working on an implementation for this feature.

UPDATE (18 Jun 2020 at 02:02 AM): now the I've added

UPDATE (18 Jun 2020 at 02:42 AM): If someone can tell me how to access Fork maybe on Friday or Saturday :) PR is slowly incoming. |
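The advice earlier in the thread to pass the self-signed CA via `--cert` (instead of switching verification off) only works if the file really is a PEM bundle of certificates; a file that carries a private key, is DER rather than PEM, or holds no CERTIFICATE block at all is a common reason "passing the cert" seems to do nothing. As an added example, not code from the Deno project or from anyone in this thread, here is a structural pre-flight check for such a file, written in TypeScript against standard globals (`atob`, `Uint8Array`) so it runs under Deno or Node. The two bundles in it are constructed placeholders whose bodies decode to a minimal DER SEQUENCE, not real certificates, and `parsePemBlocks`/`checkCaBundle` are names chosen here.

```typescript
// Added example (not Deno project code): structural pre-flight check of a
// PEM file before handing it to `deno run --cert <file>`. --cert expects a
// bundle of CA certificates. Signatures and chains are NOT validated here;
// this only catches the "wrong kind of file" mistakes.

interface PemBlock {
  label: string;        // e.g. "CERTIFICATE", "PRIVATE KEY"
  der: Uint8Array;      // decoded body (empty if base64 decoding failed)
  decodeError: boolean;
}

interface BundleReport {
  certificates: number; // CERTIFICATE blocks whose body looks like DER
  problems: string[];   // findings; empty when the file is usable
}

// One PEM block: BEGIN/END lines with matching labels around a base64 body.
const PEM_BLOCK = /-----BEGIN ([A-Z0-9 ]+)-----\r?\n([\s\S]*?)\r?\n-----END \1-----/g;

function parsePemBlocks(text: string): PemBlock[] {
  const blocks: PemBlock[] = [];
  const re = new RegExp(PEM_BLOCK.source, "g");
  let m: RegExpExecArray | null;
  while ((m = re.exec(text)) !== null) {
    const body = m[2].replace(/\s+/g, "");
    try {
      const bin = atob(body); // standard global in Deno and Node >= 16
      blocks.push({
        label: m[1],
        der: Uint8Array.from(bin, (c) => c.charCodeAt(0)),
        decodeError: false,
      });
    } catch {
      blocks.push({ label: m[1], der: new Uint8Array(), decodeError: true });
    }
  }
  return blocks;
}

function checkCaBundle(text: string): BundleReport {
  const problems: string[] = [];
  const blocks = parsePemBlocks(text);
  if (blocks.length === 0) {
    problems.push("no PEM blocks found (DER/.cer/.pfx must be converted to PEM first)");
  }
  let certificates = 0;
  blocks.forEach((b, i) => {
    if (/PRIVATE KEY/.test(b.label)) {
      problems.push(`block ${i}: ${b.label} present; a CA bundle must contain only certificates`);
    } else if (b.label !== "CERTIFICATE") {
      problems.push(`block ${i}: unexpected block type ${b.label}`);
    } else if (b.decodeError) {
      problems.push(`block ${i}: body is not valid base64`);
    } else if (b.der.length === 0 || b.der[0] !== 0x30) {
      // A DER-encoded X.509 certificate is an ASN.1 SEQUENCE (tag byte 0x30).
      problems.push(`block ${i}: body does not decode to a DER SEQUENCE`);
    } else {
      certificates++;
    }
  });
  return { certificates, problems };
}

// Constructed samples: "MAMCAQE=" is base64 of 30 03 02 01 01, a minimal
// DER SEQUENCE, so it passes the structural check but is NOT a certificate.
const GOOD_BUNDLE = [
  "-----BEGIN CERTIFICATE-----", "MAMCAQE=", "-----END CERTIFICATE-----",
  "-----BEGIN CERTIFICATE-----", "MAMCAQE=", "-----END CERTIFICATE-----",
].join("\n");

const BAD_BUNDLE = [
  "-----BEGIN CERTIFICATE-----", "MAMCAQE=", "-----END CERTIFICATE-----",
  "-----BEGIN PRIVATE KEY-----", "AAAA", "-----END PRIVATE KEY-----",
].join("\n");

console.log(checkCaBundle(GOOD_BUNDLE)); // { certificates: 2, problems: [] }
console.log(checkCaBundle(BAD_BUNDLE));  // 1 certificate, 1 problem (private key)
```

Run it over the file you intend to pass to `--cert`; if `problems` is non-empty, fix the file before suspecting the runtime. When it reports a private key, export only the CA certificate (the issuer's public certificate), never the key, into the bundle.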
Hey @TheAifam5, I was supposed to look into implementing this flag for 1.12 but I see you got it more or less working. To answer your question:
You can't access Please open a PR, even if it doesn't yet completely work, so we can discuss on code, seems like you are close to the solution. |
@bartlomieju that was it :D thank you for giving me a hint. I do not have tests written yet. I've created a draft PR as you requested; also the PR contains an important notice: #11324 |
With #11324 landed, which adds I consider this issue resolved now. |
By the way, the option is now |
Is this supposed to also accept weak TLS ciphers? No matter what I try, I can't make Deno speak to a server with a self-signed certificate which also uses weak TLS ciphers. Unfortunately I can't provide an example of this because it's a non-public service. The only solution I have to this issue is by using an ad-hoc proxy, or not use Deno at all. |
@denizdogan Deno uses |
@bartlomieju Yeah, I know... 😞 I understand the reasoning 100%, it's just so unfortunate. Explaining this to non-Deno-converts is difficult. I'm left wondering if the door is 100% definitively closed on this whole thing, or if it would be possible to e.g. sneak in an extra --unstable feature to use a different TLS library on a per-Deno.HttpClient basis. |
There should be a way to allow insecure https requests, using `window.fetch()` for example. It should disable certificate validation for all requests made from the program.

As for implementation, there are two options that come to my mind: environment variable and flag. Below are some examples of how it's done in other web-related software, so we can come up with an intuitive name and approach.

Examples:

- `NODE_TLS_REJECT_UNAUTHORIZED` environment variable that can be set to `0` to disable TLS certificate validation. It takes its name from the `tls.connect` option `rejectUnauthorized`.
- `-k` or `--insecure` flag, which allows insecure server connections when using SSL.
- `--unsafely-treat-insecure-origin-as-secure="https://example.com"` for the same purposes.

That said, I'd like to see an `--accept-insecure-certs` flag option, because deno already uses flags for a lot of things, including permissions.

My use-case: I'm using a corporate Windows laptop with network monitoring. AFAIK, all https requests are also monitored, so there's a custom SSL certificate installed system-wide. So, most of the software that uses the system CA store works just fine. But some use a custom or bundled CA, and it seems like that's the case with deno. Anyway, it downloads deps just fine, but fails to perform any https request.

Issue created as a follow up to gitter conversation: December 18, 2018 1:24 PM
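The other-software examples in the post above are exactly the toggles a reviewer wants to catch when, as the first comment in this thread warns, one of them is left switched on outside an exceptional circumstance. As an added example (not part of the original issue and not Deno project code), the TypeScript scanner below flags those patterns in a script or CI file, plus the `insecureSkipVerify` / `rejectUnauthorized` options mentioned in the thread and the flag Deno eventually shipped for this purpose, `--unsafely-ignore-certificate-errors`. The sample script it scans is constructed, and `scanForInsecureTls` and the rule names are names chosen here.

```typescript
// Added example (not Deno project code): flag verification-disabling TLS
// toggles in scripts, CI files and source, so a workaround meant for an
// exceptional case does not quietly become permanent.

interface Finding {
  line: number; // 1-based line number in the scanned text
  rule: string; // which pattern matched
  text: string; // the offending line, trimmed
}

// Rule name -> pattern. Flags and options are the ones discussed in this
// issue, plus the flag Deno later added (--unsafely-ignore-certificate-errors).
const RULES: Array<[string, RegExp]> = [
  ["node-env-var",       /\bNODE_TLS_REJECT_UNAUTHORIZED\s*=\s*["']?0\b/],
  ["node-tls-option",    /\brejectUnauthorized\s*:\s*false\b/],
  ["curl-insecure",      /\bcurl\b.*\s(-k|--insecure)\b/],
  ["chrome-flag",        /--unsafely-treat-insecure-origin-as-secure\b/],
  ["deno-flag",          /--unsafely-ignore-certificate-errors\b/],
  ["proposed-deno-flag", /--accept-insecure-certs\b/],
  ["skip-verify-option", /\binsecureSkipVerify\s*[:=]\s*true\b/i],
];

function scanForInsecureTls(text: string): Finding[] {
  const findings: Finding[] = [];
  text.split(/\r?\n/).forEach((raw, idx) => {
    const line = raw.trim();
    // Commented-out lines are not active configuration; skip them.
    if (line.startsWith("#") || line.startsWith("//")) return;
    for (const [rule, re] of RULES) {
      if (re.test(line)) findings.push({ line: idx + 1, rule, text: line });
    }
  });
  return findings;
}

// Constructed sample: a CI script after a "quick fix" for an internal CA.
// Lines 5 and 8 are the acceptable form (trust the specific CA); lines 4, 6
// and 7 disable verification outright and should be flagged.
const SAMPLE = `
set -e
# NODE_TLS_REJECT_UNAUTHORIZED=0 was removed here; keep the CA bundle instead
export NODE_TLS_REJECT_UNAUTHORIZED=0
deno run --cert ./internal-ca.pem --allow-net main.ts
deno run --unsafely-ignore-certificate-errors --allow-net main.ts
curl -k https://internal.example/healthz
curl --cacert ./internal-ca.pem https://internal.example/healthz
`;

for (const f of scanForInsecureTls(SAMPLE)) {
  console.log(`line ${f.line} [${f.rule}]: ${f.text}`);
}
// line 4 [node-env-var]: export NODE_TLS_REJECT_UNAUTHORIZED=0
// line 6 [deno-flag]: deno run --unsafely-ignore-certificate-errors --allow-net main.ts
// line 7 [curl-insecure]: curl -k https://internal.example/healthz
```

The scanner is deliberately line-based and conservative: combined short options such as `curl -sk` and toggles assembled at runtime are not parsed, so treat it as a cheap pre-commit or CI gate rather than a complete control. Lines that use `--cert` or `--cacert` to trust a specific CA are left alone, which is the form the thread's maintainers recommend.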