Disabling certificate validation #170

Closed
darleybarreto opened this issue Nov 22, 2021 · 12 comments
Labels: wontfix (This will not be worked on)

Comments

darleybarreto commented Nov 22, 2021

Hi folks, I tried to install julia 1.6.4 on a Windows 10 machine with some security constraints and I got this error

$ juliaup add 1.6.4
Installing Julia 1.6.4+0 (x64).
Error: Failed to download from url `https://julialang-s3.julialang.org/bin/winnt/x64/1.6/julia-1.6.4-win64.tar.gz`

Caused by:
    0: https://julialang-s3.julialang.org/bin/winnt/x64/1.6/julia-1.6.4-win64.tar.gz: Connection Failed: invalid peer certificate contents: invalid peer certificate: UnknownIssuer
    1: invalid peer certificate contents: invalid peer certificate: UnknownIssuer

Would it be possible to disable certificate validation?

davidanthoff (Collaborator) commented

I don't think so, that is really the only defense we have against some really bad attack vectors at the moment. If we were to disable this, anyone between your machine and the server where the files are hosted could just inject whatever they wanted and send you that. I think what this error suggests is that your system doesn't trust the CA issuer that created the certificate for the domain from which we are fetching the data. Unclear to me why that would be the case, maybe @staticfloat has an idea?

davidanthoff added the wontfix (This will not be worked on) label Nov 24, 2021
darleybarreto (Author) commented Nov 24, 2021

I see. I wonder what rustup does, then, because I was able to install it here without issues.

davidanthoff (Collaborator) commented

Maybe their certificate was issued by a different authority that is actually whitelisted on your system?

Also, note to self: I should check how the Rust crate we are using is actually handling this. I'm assuming it is just looking at some system store of whitelisted certificate authorities, but we could double check.

staticfloat (Sponsor, Member) commented

Both of the certificates are valid; so either the root is not trusted by your system for some reason (does going there in a browser work for you?), or someone is indeed MITM'ing you. :P

darleybarreto (Author) commented

> does going there in a browser work for you?

Yes, that works.

davidanthoff added this to the Backlog milestone Nov 28, 2021
StefanKarpinski (Sponsor, Member) commented

> or someone is indeed MITM'ing you. :P

Very possible that @darleybarreto is behind a MITM firewall. In which case whatever juliaup is using to do the download needs to know about the MITM firewall's CA root certificate that lets the client verify that the firewall's forged certificates for external sites are safe to use.

Anyway, welcome to hell.

StefanKarpinski (Sponsor, Member) commented

The best option is to use a native system TLS engine, which is both more secure (does certificate revocation checks on Windows and macOS) and is more likely to have MITM firewall certs added to it by the IT department. If you can point me at the code that does the downloads that are failing, I might be able to save you some pain, since I've already been through a lot of this for Julia itself.
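The two comments above describe the mechanism behind the `UnknownIssuer` error: a TLS-inspecting firewall presents a certificate it forged for the external site, signed by a private corporate root, and the client can only accept it if that root is in the trust store it consults. The following is an added illustration of that trust decision, not juliaup's code (juliaup is written in Rust and downloads via ureq; this uses Go's standard library because it can build a whole chain in memory and verify it offline). The hostname is the one from the report; the "Example Corp" root, its key pair and the leaf are constructed test data, and `x509.UnknownAuthorityError` is Go's counterpart of rustls's `UnknownIssuer`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// signCert signs tmpl under parent with signerKey (self-signed when
// parent == tmpl) and parses the resulting DER back into a Certificate.
func signCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain constructs, in memory, a private root standing in for a
// TLS-inspecting firewall's CA, plus the forged leaf for host that such a
// firewall presents instead of the site's real certificate.
// Constructed test data: no real CA or key material is involved.
func BuildChain(host string) (root, leaf *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp TLS Inspection Root (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	if root, err = signCert(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// The firewall root, not the site's real CA, signs the forged leaf.
	if leaf, err = signCert(leafTmpl, root, &leafKey.PublicKey, caKey); err != nil {
		return nil, nil, err
	}
	return root, leaf, nil
}

// Outcome verifies leaf for host against exactly the roots in pool and names
// the result. pool must be non-nil: a nil Roots makes Go fall back to the
// OS trust store, which is the behaviour a native TLS engine gives for free.
func Outcome(leaf *x509.Certificate, host string, pool *x509.CertPool) string {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	var unknownCA x509.UnknownAuthorityError
	var badHost x509.HostnameError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknownCA):
		return "unknown-issuer" // chain does not end in a trusted root
	case errors.As(err, &badHost):
		return "hostname-mismatch"
	default:
		return "other"
	}
}

func main() {
	const host = "julialang-s3.julialang.org"
	root, leaf, err := BuildChain(host)
	if err != nil {
		panic(err)
	}
	// An empty pool stands in for a root list compiled into the client,
	// which can never contain the corporate root.
	withoutCorpRoot := x509.NewCertPool()
	withCorpRoot := x509.NewCertPool()
	withCorpRoot.AddCert(root)
	fmt.Println("firewall root not trusted:", Outcome(leaf, host, withoutCorpRoot))
	fmt.Println("firewall root trusted:    ", Outcome(leaf, host, withCorpRoot))
	fmt.Println("trusted but wrong host:   ", Outcome(leaf, "example.com", withCorpRoot))
}
```

The first case is the situation in the report: the forged leaf is a well-formed certificate, but the issuer is unknown to a client that only consults a bundled root list, while a browser consulting the OS store (where IT installed the same root) accepts it. The fix is to trust the firewall root explicitly, never to skip verification: the third case shows that verification still rejects a certificate for the wrong host even with the corporate root trusted, and the equivalent of `InsecureSkipVerify` would throw away both checks.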

davidanthoff (Collaborator) commented

We use the ureq crate for downloads, and it has a section that goes into quite some detail on how certificates are handled: https://crates.io/crates/ureq#tls If I understand that correctly, we are currently not using the OS store for certificates, but could fairly easily (hopefully) change that.

DNF2 commented Jun 17, 2022

Is there any update on this? Or any workaround? I am running into this when trying to update to 1.7.3/1.8.0-rc1.

StefanKarpinski (Sponsor, Member) commented

Someone needs to try using rust-native-tls and hopefully that helps.

davidanthoff (Collaborator) commented

I just merged a PR so that on Windows and Mac we now use the native tls facilities of the OS.

darleybarreto (Author) commented

I can confirm this works now, thank you :)

5 participants