Skip to content

Issue when used with corporate proxy (transparent or not) #2047

Description

@GregoireW

When we try to use cargo pgrx init we got this error:

Error: 
   0: unable to retrieve https://www.postgresql.org/versions.rss
   1: io: invalid peer certificate: UnknownIssuer

This comes from:

static VERSIONS_RSS_URL: &str = "https://www.postgresql.org/versions.rss";
let http_client = build_agent_for_url(VERSIONS_RSS_URL)?;
let mut response = http_client

which use the agent created by:

if let Some(proxy_url) = for_url_str(url).to_string() {
let config = Agent::config_builder().proxy(Some(Proxy::new(&proxy_url)?)).build();
Ok(Agent::new_with_config(config))
} else {
Ok(Agent::new_with_defaults())
}

This app use ureq library which is clear about the root certificate : the default is to use the mozilla static certificate and it is not possible to add one. https://docs.rs/ureq/latest/ureq/#root-certificates.

You end up with an issue with companies that use kind of corporate proxy (transparent or not) that may inspect the content
In such situation, you have an internal certificate you have to trust (well it is usually setup on OS trusted cert so you don't really care about ). But here ... really really really painful...

When you check the webpki root crate documentation ( https://docs.rs/webpki-roots/0.26.8/webpki_roots/ ) it is assumed it can be hard to use on some situation, and you should check another solution to use system truststore.

as ureq can do that https://docs.rs/ureq/latest/ureq/#platform-verifier perhaps the agent should use this.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions