Add http.proxy-cainfo config for proxy certs

[koxu1996]

This adds a http.proxy-cainfo option to Cargo which reads CA information from a bundle to pass through to the underlying libcurl call. This should allow configuration of Cargo in situations where SSL proxy is used.

Similar to #2917.

[rustbot]

r? @weihanglo

rustbot has assigned @weihanglo.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

[weihanglo]

Thanks. This looks reasonable, though I saw your comment in #13460 (comment), and wonder what people want.
Do people really need the ability to configure custom proxy CA info, or just want to disable all the CA checks?

There is also git's CA check discussion in #1180 as well, somehow relevant.

[weihanglo]

See #13460 (comment).

Let's discuss over there :)

[koxu1996]

I don't want to disable CA checks - although I think it is really useful option, definitely worth introducing.

[koxu1996]

I faced the problem where cargo doesn't work with an SSL proxy, even though the custom CA is trusted (curl doesn't complain about the certificates). This stems from the fact that the automatically vendored libcurl has no built-in information about the system trust store. I wrote a fairly detailed description of this issue in #15376; the ability to set a proxy cainfo is a real need to solve it.

[koxu1996]

@weihanglo Do you need more info?

[weihanglo]

I would say that the change standalone looks reasonable. Have you tested it satisfies and fixes issues on your side?

I would kick off a straw poll for the Cargo team, as this would add a new insta-stable config field to Cargo.

[koxu1996]

Yes, it fixes the problem 🫡:

# Step 1) Setup TLS proxy and set CA info.
export CARGO_HTTP_PROXY=https://localhost:8002
export CARGO_HTTP_CAINFO=/etc/pki/tls/certs/ca-bundle.crt

# Step 2) Try cargo compiled from `koxu1996:feature/http-proxy-cainfo`.
/tmp/cargo/target/debug/cargo add [email protected]
    Updating crates.io index
error: download of config.json failed

Caused by:
  failed to download from `https://index.crates.io/config.json`

Caused by:
  [60] SSL peer certificate or SSH remote key was not OK (SSL certificate problem: unable to get local issuer certificate)

# Step 3) Set **proxy** CA info
export CARGO_HTTP_PROXY_CAINFO=/etc/pki/tls/certs/ca-bundle.crt

# Step 4) Try cargo again.
/tmp/cargo/target/debug/cargo add [email protected]
    Updating crates.io index
      Adding proc-macro2 v1.0.94 to dependencies
             Features:
             + proc-macro
             - nightly
             - span-locations

[weihanglo]

@rfcbot fcp merge

I propose to the team that we merge and insta-stabilize the http.proxy-cainfo config.

• One http config makes no harm to other parts of the system
• It has a legitimate use case, pretty well-described in Fails to connect through trusted SSL proxy #15376

Possible counterarguments:

• Instead, we just provide an --insecure equivalent flag to disable all checks.
  • This doesn't work if people do want some checks for proxies.
• As Fails to connect through trusted SSL proxy #15376 pointing out, We should fix this in upstream curl crate to align with curl CLI's behavior.
  • Yeah, but that only works if you have no cainfo set I guess.

[rfcbot]

Team member @weihanglo has proposed to merge this. The next step is review by the rest of the tagged team members:

• @Eh2406
• @Muscraft
• @Rustin170506
• @arlosi
• @ehuss
• @epage
• @joshtriplett
• @weihanglo

Concerns:

• need-rationale-other-than-curl-bug (Add http.proxy-cainfo config for proxy certs #15374 (comment))

Once a majority of reviewers approve (and at most 2 approvals are outstanding), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up!

See this document for info about what commands tagged team members can give me.

[joshtriplett]

@rfcbot concern need-rationale-other-than-curl-bug

According to #15376 , it sounds like the curl command-line tool automatically uses the non-proxy CA info as the proxy CA info, if no proxy CA info is specifically provided. This behavior doesn't occur in libcurl, or in other clients like cargo.

I think it'd be appropriate for cargo to implement the same behavior as the curl command-line tool. That would make this use case work automatically, without requiring configuration.

There may still be a reason to have this separate configuration, but we'd need a separate motivation for it other than the case where the proxy needs a system CA certificate and this config is being used to work around us not automatically using that.

[koxu1996]

@joshtriplett http.cainfo was introduced with the following motivation:

This should allow configuration of Cargo in situations where the default certificate store doesn't contain the relevant certificates, such as behind corporate proxies.

Given that proxies - especially in corporate environments - are expected to use TLS for secure communication, introducing http.proxy_cainfo is a reasonable extension that supports this more secure setup.

[arlosi]

Regardless of whether we decide to add proxy_cainfo as a separate configuration option, I think cargo should match curl's behavior of using cainfo for proxy_cainfo (if an explicit proxy_cainfo is not set).