Problem handling self signed cert for proxy in 1.16.1

[jschweik]

In 1.16.0 and prior a call with proxy would succeed if the certificate were self signed as long as either rejectUnauthorized was overridden to false or the certificate itself was set.

const options = {
    method: 'GET',
    url: `https://mydomain.com`,
    proxy: {
      protocol: 'https',
      host: '127.0.0.1',
      port: '8080'
    },
    httpsAgent: new https.Agent({
      rejectUnauthorized: false,
      ca: certificateData
    })
  };

  const response = await axios.request(options);

In 1.16.1, regardless of these values, you are met with a "self-signed certificate in certificate chain" error.

With the https-proxy-agent changes in 1.16.1, is there a different way to either provide the cert or have it ignored for a specific request?

[jasonsaayman]

In 1.16.1, HTTPS targets through a proxy now use https-proxy-agent for CONNECT tunnelling. Axios currently forwards httpsAgent.options into the HttpsProxyAgent constructor, but that does not cover the same TLS leg as before in all cases. In particular, options like rejectUnauthorized: false / ca can fail to apply to the TLS connection to the tunnelled HTTPS origin after CONNECT, so a self-signed origin or MITM-generated origin certificate can now fail with a self-signed certificate error.

A plain self-signed HTTPS proxy with a trusted HTTPS origin should work, so the failure is on the tunnelled origin certificate validation, not necessarily the proxy socket itself.

For now, I don’t think there is a clean per-request Axios config workaround in 1.16.1 for this specific case. Trusting the CA globally via Node/system trust should work, and NODE_TLS_REJECT_UNAUTHORIZED=0 would bypass it globally, but is not recommended.

[jschweik]

The updates are working great, thank you.