Github authentication does not respect proxy certificate settings #170292

Closed
penenkel opened this issue Dec 30, 2022 · 7 comments
Labels: info-needed (Issue requires more information from poster), proxy (Issues regarding network proxies)

Comments

@penenkel

Type: Bug

Scenario

I'm behind a corporate internet proxy and am trying to sign in with Github (to github.com) which fails with

unable to verify the first certificate

Steps to reproduce

  1. "Sign in with GitHub" (e.g. by trying to activate settings sync)

Error details

From the Github Authentication log

2022-12-30 15:11:47.977 [info] Logging in for the following scopes: user:email
2022-12-30 15:11:47.984 [info] Trying without local server... (user:email)
2022-12-30 15:11:50.890 [info] Exchanging code for token...
2022-12-30 15:11:51.121 [error] FetchError: request to https://vscode.dev/codeExchangeProxyEndpoints/github/login/oauth/access_token failed, reason: unable to verify the first certificate
at ClientRequest. (c:\Users\E96848\AppData\Local\Programs\Microsoft VS Code\resources\app\extensions\github-authentication\dist\extension.js:2:696664)
at ClientRequest.emit (node:events:526:28)
at TLSSocket.socketErrorListener (node:_http_client:442:9)
at TLSSocket.emit (node:events:526:28)
at emitErrorNT (node:internal/streams/destroy:157:8)
at emitErrorCloseNT (node:internal/streams/destroy:122:3)
at process.processTicksAndRejections (node:internal/process/task_queues:83:21)

Certificate / proxy details

The proxy is one of those terrible things that re-signs all the https traffic with its own custom certificate. Said certificate is then installed on the OS level of the individual PCs so that it is recognized as a valid certificate.

Investigation

I tried adjusting the vscode proxy settings but apparently not all of them are respected equally:

  • The environment variables http_proxy/https_proxy are respected.
  • http.proxy is respected. I tested this by entering an invalid URL and receiving the expected timeout.
  • Neither http.proxyStrictSSL = false nor http.systemCertificates = true seemed to have any effect. Or they do not mean what I think they do?

Workaround

By reading the source of the github authentication extension I discovered that it apparently utilizes node-fetch directly. Thus I tried disabling the certificate validation on the Node.js level via the environment variable NODE_TLS_REJECT_UNAUTHORIZED = "0" and indeed this allowed me to successfully sign in with Github.

Obviously this is a suboptimal solution at best.

Desired behavior

The Github authentication should respect the vscode certificate settings mentioned above.

It seems to me that, because authentication is implemented as a (built-in) extension, it suffers from the same problem all extensions have with regard to http requests and proxy settings: There is (as far as I know) no unified support/API/package provided by vscode and thus every extension has to figure it out by themselves with the obvious potential of getting some edge cases wrong. So maybe the investment should go in that direction. From my research into this problem it seems that there are quite a lot of issues that seem to be related to this.


VS Code version: Code 1.74.2 (e8a3071, 2022-12-20T10:29:14.590Z)
OS version: Windows_NT x64 10.0.19044
Modes:
Sandboxed: No

System Info
CPUs: Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHz (8 x 2808)
GPU Status:
  2d_canvas: enabled
  canvas_oop_rasterization: disabled_off
  direct_rendering_display_compositor: disabled_off_ok
  gpu_compositing: enabled
  multiple_raster_threads: enabled_on
  opengl: enabled_on
  rasterization: enabled
  raw_draw: disabled_off_ok
  skia_renderer: enabled_on
  video_decode: enabled
  video_encode: unavailable_off
  vulkan: disabled_off
  webgl: enabled
  webgl2: enabled
  webgpu: disabled_off
Load (avg): undefined
Memory (System): 31.83GB (13.11GB free)
Process Argv: --disable-extensions .
Screen Reader: no
VM: 0%

Extensions disabled

@TylerLeonhardt
Member

/duplicate #12588

cc @chrmarti

@VSCodeTriageBot added the *duplicate label (Issue identified as a duplicate of another issue(s)) Jan 11, 2023
@VSCodeTriageBot
Collaborator

Thanks for creating this issue! We figured it's covering the same as another one we already have. Thus, we closed this one as a duplicate. You can search for similar existing issues. See also our issue reporting guidelines.

Happy Coding!

@VSCodeTriageBot closed this as not planned Jan 11, 2023
@penenkel
Author

@TylerLeonhardt To be honest, I don't quite agree with closing this issue.

I mean, yes providing extension proxy support is the cleanest way to implement a solution for this, but this extension has to be adapted anyways.

Also there is a difference in severity and priority between any old third party extension being broken by this and one of two built-in authentication extensions being broken.

At the very least the referenced issue should be updated with this scenario as a high priority use case. (If that has already been done, I apologise for missing it, and this issue can safely remain closed)

@chrmarti
Contributor

We do load the certificates from the OS, the error suggests that this either doesn't work or the required root certificate is missing. Could you enable debug logging (F1 > Developer: Set Log Level... > Debug) and then reload the window and check in the Extension Host output channel for a line with ProxyResolver#getCaCertificates (Ctrl + F works) and post that.

@chrmarti reopened this Jan 12, 2023
@chrmarti added the info-needed and proxy labels and removed the *duplicate label Jan 12, 2023
@chrmarti assigned chrmarti and unassigned TylerLeonhardt Jan 12, 2023
@penenkel
Author

[debug] ProxyResolver#getCaCertificates count 265
...
[debug] ProxyResolver#resolveProxy env https://vscode.dev/codeExchangeProxyEndpoints/github/login/oauth/access_token PROXY localhost:3128
[debug] ProxyResolver#resolveProxy env https://vscode.dev/codeExchangeProxyEndpoints/github/login/oauth/access_token PROXY localhost:3128

It seems like the certificates are loaded. The proxy is also correct.
But I'm still getting

2023-01-12 11:24:45.925 [info] Logging in for the following scopes: user:email
2023-01-12 11:24:45.928 [info] Trying without local server... (user:email)
2023-01-12 11:24:49.534 [info] Exchanging code for token...
2023-01-12 11:24:49.774 [error] FetchError: request to https://vscode.dev/codeExchangeProxyEndpoints/github/login/oauth/access_token failed, reason: unable to verify the first certificate
at ClientRequest. (c:\Users\E96848\AppData\Local\Programs\Microsoft VS Code\resources\app\extensions\github-authentication\dist\extension.js:2:696664)
at ClientRequest.emit (node:events:526:28)
at TLSSocket.socketErrorListener (node:_http_client:442:9)
at TLSSocket.emit (node:events:526:28)
at emitErrorNT (node:internal/streams/destroy:157:8)
at emitErrorCloseNT (node:internal/streams/destroy:122:3)
at process.processTicksAndRejections (node:internal/process/task_queues:83:21)
2023-01-12 11:24:58.310 [info] Trying with local server... (user:email)
2023-01-12 11:24:59.016 [info] Exchanging code for token...
2023-01-12 11:24:59.241 [error] FetchError: request to https://vscode.dev/codeExchangeProxyEndpoints/github/login/oauth/access_token failed, reason: unable to verify the first certificate
at ClientRequest. (c:\Users\E96848\AppData\Local\Programs\Microsoft VS Code\resources\app\extensions\github-authentication\dist\extension.js:2:696664)
at ClientRequest.emit (node:events:526:28)
at TLSSocket.socketErrorListener (node:_http_client:442:9)
at TLSSocket.emit (node:events:526:28)
at emitErrorNT (node:internal/streams/destroy:157:8)
at emitErrorCloseNT (node:internal/streams/destroy:122:3)
at process.processTicksAndRejections (node:internal/process/task_queues:83:21)

It may very well be that the certificate configuration of my organization is somehow slightly broken/non-standard. But I thought that is what the http.proxyStrictSSL = false option is for. But it does not seem to have any effect on this problem.

@chrmarti
Contributor

http.proxyStrictSSL is currently ignored by that part of the code.

Could you run openssl s_client -proxy host:port -showcerts -connect vscode.dev:443 with your proxy's host:port in a terminal and check this shows the full certificate chain, including the root certificate installed in your OS? (Node.js is more strict in this regard than some browsers that might accept partial chains if they have the missing certificates themselves if I remember correctly.)
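
The check requested in the comment above, as an added example (not code from VS Code or from anyone in this thread): a Node.js helper that reads the "Certificate chain" section of `openssl s_client -showcerts` output and reports whether every issuer is covered by the next certificate sent or by a trusted root. The sample outputs, the `Example Corp` names and the `TRUSTED_ROOTS` list are constructed assumptions; names are compared as strings only and no signature is verified.

```javascript
// Added example: structural reading of `openssl s_client -showcerts` output.
// Constructed sample (PEM bodies trimmed): the proxy sends only the leaf.
const LEAF_ONLY = `
Certificate chain
 0 s:CN = vscode.dev
   i:CN = Example Corp Proxy Issuing CA
---
`;
// Constructed sample: leaf plus issuing CA; the root is left to the trust store.
const WITH_INTERMEDIATE = `
Certificate chain
 0 s:CN = vscode.dev
   i:CN = Example Corp Proxy Issuing CA
 1 s:CN = Example Corp Proxy Issuing CA
   i:CN = Example Corp Root CA
---
`;
// Hypothetical subject of the root certificate installed in the OS store.
const TRUSTED_ROOTS = ['CN = Example Corp Root CA'];

// Extract { depth, subject, issuer } for each certificate the server sent.
function parseChain(text) {
  const chain = [];
  let inChain = false;
  for (const line of text.split(/\r?\n/)) {
    if (/^Certificate chain\s*$/.test(line)) { inChain = true; continue; }
    if (!inChain) continue;
    if (/^---\s*$/.test(line)) break; // end of the chain section
    let m;
    if ((m = /^\s*(\d+)\s+s:(.*)$/.exec(line))) {
      chain.push({ depth: Number(m[1]), subject: m[2].trim(), issuer: null });
    } else if ((m = /^\s+i:(.*)$/.exec(line)) && chain.length) {
      chain[chain.length - 1].issuer = m[1].trim();
    }
  }
  return chain;
}

// Each issuer must be the next subject; the last issuer must be a trusted root.
function diagnose(chain, trustedRoots = TRUSTED_ROOTS) {
  if (chain.length === 0) return { ok: false, reason: 'no certificates parsed' };
  for (let i = 0; i + 1 < chain.length; i++) {
    if (chain[i].issuer !== chain[i + 1].subject) {
      return { ok: false, reason: `depth ${i}: issuer does not match subject at depth ${i + 1}` };
    }
  }
  const top = chain[chain.length - 1];
  if (trustedRoots.includes(top.issuer)) return { ok: true, reason: `anchored at "${top.issuer}"` };
  return { ok: false, reason: `no certificate sent for "${top.issuer}" and it is not a trusted root` };
}
```

A leaf-only result points at the proxy's configuration: it has to send its issuing CA certificate along with the re-signed leaf, which is a fix on the proxy rather than a reason to disable verification in the client.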

@VSCodeTriageBot
Collaborator

This issue has been closed automatically because it needs more information and has not had recent activity. See also our issue reporting guidelines.

Happy Coding!

@VSCodeTriageBot closed this as not planned Jan 20, 2023
@github-actions bot locked and limited conversation to collaborators Mar 6, 2023