Allow a custom CA file to be specified for retrieving dependencies #146

Closed
mkchandler opened this Issue Oct 20, 2015 · 7 comments


mkchandler commented Oct 20, 2015

I receive the following error when attempting to install dependencies:

[error] SSL: :certify: ssl_handshake.erl:1490:Fatal error: unknown ca

{:failed_connect, [{:to_address, {'s3.amazonaws.com', 443}}, {:inet, [:inet], {:tls_alert, 'unknown ca'}}]}
** (Mix) Failed to fetch registry

This is caused by the fact that we rewrite all the certs (a whole other issue that I unfortunately don't have any control over). This was also discussed briefly in #137.

Instead of ignoring SSL like discussed in #137, is there a way we could possibly specify a custom CA file? That is how we work around the issue with Git and Node.

It ends up looking like this in a .gitconfig:

[http]
    sslCAInfo = C:/Users/[username]/ca-bundle.crt

Or this in a .npmrc file:

cafile = C:\Users\[username]\some_cert.cer

Just want to get your thoughts on this. Right now we are stuck as far as I can tell. I can specify a git repo as the dependency and that works fine (over https since we have the above setting in our .gitconfig), but that only works for the dependencies we specify in our mix.exs. I'm not sure how to override all of the defaults for a project.

ericmj (Member) commented Oct 21, 2015

First off, I would be OK with this addition. But I also want to understand this issue and your proposed solution. Do you maintain a custom CA bundle that has changed certificates for all major CAs? Why are you doing this?

Would you also need this changed in Mix? Mix uses https for fetching Hex for example.

jcspencer (Contributor) commented Oct 21, 2015

Would it be possible to have other certificates merged with the existing chain, rather than completely replacing the bundled chain?


josevalim (Member) commented Oct 21, 2015

> Mix uses https for fetching Hex for example.

No longer in 1.1. :)

josevalim (Member) commented Oct 21, 2015

I should clarify: in 1.1, Mix ships with public keys and we check hex/rebar checksum because getting SSL to work reliably with different CAs was notoriously hard.

mkchandler commented Oct 21, 2015

> Do you maintain a custom CA bundle that has changed certificates for all major CAs? Why are you doing this?

I'm not an expert in this area, but if I understand correctly they are essentially MITM-attacking our external traffic so that they can monitor it (this is all inside our corporate network). So in the instance of Git, we just append our cert to the end of their CA bundle that they check against.

Git ships with essentially the same bundle that hex uses (https://github.com/hexpm/hex/blob/master/lib/hex/api/ca-bundle.crt) and we just append ours to the end.
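As an added illustration of the behaviour requested in this thread (not Hex's own code, and not written by any participant), an Elixir module that merges an extra corporate CA file, taken from a hypothetical EXTRA_CA_FILE environment variable, with the bundled ca-bundle.crt and uses the combined set to verify an https download instead of disabling verification. The customize_hostname_check option assumes OTP 20 or newer; the bundle path is the one named above.

```elixir
# Added example, not part of Hex: verify TLS against the bundled roots plus
# one extra corporate CA, mirroring the "append our cert" approach from git.
defmodule CustomCA do
  # Path quoted in the thread; adjust to wherever the bundle lives locally.
  @bundled "lib/hex/api/ca-bundle.crt"

  # Hypothetical environment variable naming the extra PEM file (assumption).
  defp extra_ca_file, do: System.get_env("EXTRA_CA_FILE")

  # Decode every CERTIFICATE entry in a PEM file into a DER binary.
  defp der_certs(path) do
    path
    |> File.read!()
    |> :public_key.pem_decode()
    |> Enum.filter(fn {type, _der, _info} -> type == :Certificate end)
    |> Enum.map(fn {_type, der, _info} -> der end)
  end

  # Bundled roots plus the corporate CA: merged, not replaced.
  def cacerts do
    extra = if path = extra_ca_file(), do: der_certs(path), else: []
    der_certs(@bundled) ++ extra
  end

  # Fetch `url`, failing closed on any chain or hostname mismatch.
  def get(url) do
    {:ok, _} = Application.ensure_all_started(:inets)
    {:ok, _} = Application.ensure_all_started(:ssl)

    ssl_opts = [
      verify: :verify_peer,
      cacerts: cacerts(),
      depth: 3,
      # Without this, any certificate issued by a trusted CA would be
      # accepted for any hostname (OTP 20+ option).
      customize_hostname_check: [
        match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
      ]
    ]

    case :httpc.request(:get, {String.to_charlist(url), []},
                        [ssl: ssl_opts], [body_format: :binary]) do
      {:ok, {{_ver, 200, _reason}, _headers, body}} -> {:ok, body}
      {:ok, {{_ver, status, _reason}, _headers, _body}} -> {:error, {:status, status}}
      {:error, reason} -> {:error, reason}
    end
  end
end
```

A handshake through the corporate proxy still fails with unknown ca if EXTRA_CA_FILE is unset, which is the desired outcome: trust is widened only by an explicit, file-based opt-in.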

ericmj (Member) commented Oct 21, 2015

Okay. This issue is up for grabs.

ericmj (Member) commented Feb 23, 2016

If anyone needs this it is still up for grabs. I am closing because there haven't been updates on this. In the future we will rely on server side signing and checksums to remove the https dependency.

@ericmj ericmj closed this Feb 23, 2016

hcf pushed a commit to hcf/hex that referenced this issue Mar 23, 2018

Hans-Christian Fjeldberg-Gustavson
Adding support for custom CA file (hexpm#146)
When working in a corporate environment, sometimes someone decides that we are not to be trusted,
and forces an https proxy into the network, enabling monitoring of all traffic.
