feat: read zscaler certificates from system store #35538
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
MarshallOfSound
requested changes
Sep 1, 2022
|
No, not yet. @twitharshil could you send this patch to Node.js too? I think we should also modify the patch to read all kinds of certs from the Windows cert store, not just the Zscaler ones. |
|
Consider using the net api in Electron instead of Node’s, to make requests with the Chromium network stack. I don’t think this is a patch we would take without upstream support. |
3 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description of Change
Zscaler is one of the leading vendors for MITM-based proxy environments across the industry. Proxies like ZScaler intercepts the requests sent to a certain endpoint from the user machine and serve a redirect to their own servers ( for eg: https://gateway.zscloud.net/ ) before finally redirecting back to the original endpoint.
In some zscaler-specific user environments, we have observed Zscaler root certificate authorities present on the user system store. These certificates are needed for the request's SSL certificate verification. Chrome reads certificates from the system store hence the certificate verification step passes when a request is sent out of the user machine through chrome as a client.
Electron embedding Chromium and Node.js into its binary. The embedded chromium in the renderer process reads the certificates from the system store hence these client SSL certificate verification passes smoothly. Although it fails for the request going through the main process of the electron. Electron uses node that uses a statically compiled, hardcoded list of certificate authorities, rather than relying on the system's trust store.
This PR targets to read the Zscaler certificates from the user system store and embed that with the existing list of root certificates of the node. In this way application using electron and making a request through the main process doesn't have to get their domains whitelisted behind such an environment to make the request-sending features work for them.
Ref: This PR is based on observations and learnings from the user's environment. I've seen another #30174 in electron dealing with such type of MITM proxies environment which kind of has the same observations as well.
Note:
Notes: Added support for reading zscaler root CA's from system store
cc: @jviotti @RaisinTen @dsanders11