Add http.proxy-cainfo config for proxy certs #15374

Open: wants to merge 1 commit into base: master
1 change: 1 addition & 0 deletions src/cargo/util/context/mod.rs
Member

Thanks. This looks reasonable, though I saw your comment in #13460 (comment), and wonder what people want.
Do people really need the ability to configure custom proxy CA info, or just want to disable all the CA checks?

There is also git's CA check discussion in #1180, somewhat relevant.

Member

See #13460 (comment).

Let's discuss over there :)

Author

I don't want to disable CA checks - although I think it is a really useful option, definitely worth introducing.

Author

I faced the problem where cargo doesn't work with an SSL proxy, even though the custom CA is trusted (curl doesn't complain about the certificates). This stems from the fact that the automatically vendored libcurl has no built-in information about the system trust store. I wrote a fairly detailed description of this issue in #15376; the ability to set a proxy cainfo is a real need to solve it.

Author

@weihanglo Do you need more info?

Member

I would say that the change standalone looks reasonable. Have you tested that it satisfies and fixes the issues on your side?

I would kick off a straw poll for the Cargo team, as this would add a new insta-stable config field to Cargo.

Author

koxu1996, Apr 8, 2025

Yes, it fixes the problem 🫡:

```
# Step 1) Setup TLS proxy and set CA info.
export CARGO_HTTP_PROXY=https://localhost:8002
export CARGO_HTTP_CAINFO=/etc/pki/tls/certs/ca-bundle.crt
# Step 2) Try cargo compiled from `koxu1996:feature/http-proxy-cainfo`.
/tmp/cargo/target/debug/cargo add [email protected]
    Updating crates.io index
error: download of config.json failed

Caused by:
  failed to download from `https://index.crates.io/config.json`

Caused by:
  [60] SSL peer certificate or SSH remote key was not OK (SSL certificate problem: unable to get local issuer certificate)
# Step 3) Set **proxy** CA info
export CARGO_HTTP_PROXY_CAINFO=/etc/pki/tls/certs/ca-bundle.crt
# Step 4) Try cargo again.
/tmp/cargo/target/debug/cargo add [email protected]
    Updating crates.io index
      Adding proc-macro2 v1.0.94 to dependencies
             Features:
             + proc-macro
             - nightly
             - span-locations
```

Expand Up @@ -2608,6 +2608,7 @@ pub struct CargoHttpConfig {
pub low_speed_limit: Option<u32>,
pub timeout: Option<u64>,
pub cainfo: Option<ConfigRelativePath>,
pub proxy_cainfo: Option<ConfigRelativePath>,
pub check_revoke: Option<bool>,
pub user_agent: Option<String>,
pub debug: Option<bool>,
4 changes: 4 additions & 0 deletions src/cargo/util/network/http.rs
Expand Up @@ -61,6 +61,10 @@ pub fn configure_http_handle(gctx: &GlobalContext, handle: &mut Easy) -> CargoRe
let cainfo = cainfo.resolve_path(gctx);
handle.cainfo(&cainfo)?;
}
if let Some(proxy_cainfo) = &http.proxy_cainfo {
let proxy_cainfo = proxy_cainfo.resolve_path(gctx);
handle.proxy_cainfo(&format!("{}", proxy_cainfo.display()))?;
}
if let Some(check) = http.check_revoke {
handle.ssl_options(SslOpt::new().no_revoke(!check))?;
}
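Review bot: The `handle.proxy_cainfo(...)` call converts the resolved path with `format!("{}", proxy_cainfo.display())`, and `Path::display` is lossy for paths that are not valid UTF-8, so such a path would reach curl in altered form. The `cainfo` branch directly above passes its path through unchanged. Consider converting with `to_str()` and returning an explicit error when the path is not valid UTF-8, so that a bad `http.proxy-cainfo` value is reported as a configuration problem rather than surfacing later as a certificate verification failure.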
9 changes: 9 additions & 0 deletions src/doc/src/reference/config.md
Expand Up @@ -107,6 +107,7 @@ ssl-version.min = "tlsv1.1" # minimum TLS version
timeout = 30 # timeout for each HTTP request, in seconds
low-speed-limit = 10 # network timeout threshold (bytes/sec)
cainfo = "cert.pem" # path to Certificate Authority (CA) bundle
proxy-cainfo = "cert.pem" # path to proxy Certificate Authority (CA) bundle
check-revoke = true # check for SSL certificate revocation
multiplexing = true # HTTP/2 multiplexing
user-agent = "…" # the user-agent header
Expand Down Expand Up @@ -708,6 +709,14 @@ Sets the timeout for each HTTP request, in seconds.
Path to a Certificate Authority (CA) bundle file, used to verify TLS
certificates. If not specified, Cargo attempts to use the system certificates.

#### `http.proxy-cainfo`
* Type: string (path)
* Default: none
* Environment: `CARGO_HTTP_PROXY_CAINFO`

Path to a Certificate Authority (CA) bundle file, used to verify proxy TLS
certificates.

#### `http.check-revoke`
* Type: boolean
* Default: true (Windows) false (all others)
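Review bot: The new `http.proxy-cainfo` section gives `Default: none` but, unlike the `http.cainfo` text just above it ("If not specified, Cargo attempts to use the system certificates"), does not say what the proxy certificate is verified against when the option is unset, or how the option relates to `http.cainfo`. Add a sentence covering both, and state that the bundle applies to the TLS connection to the proxy configured in `http.proxy`, so readers do not assume that setting `http.cainfo` alone is enough.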
2 changes: 2 additions & 0 deletions src/doc/src/reference/environment-variables.md
Expand Up @@ -105,6 +105,7 @@ In summary, the supported environment variables are:
* `CARGO_HTTP_PROXY` --- Enables HTTP proxy, see [`http.proxy`].
* `CARGO_HTTP_TIMEOUT` --- The HTTP timeout, see [`http.timeout`].
* `CARGO_HTTP_CAINFO` --- The TLS certificate Certificate Authority file, see [`http.cainfo`].
* `CARGO_HTTP_PROXY_CAINFO` --- The proxy TLS certificate Certificate Authority file, see [`http.proxy-cainfo`].
* `CARGO_HTTP_CHECK_REVOKE` --- Disables TLS certificate revocation checks, see [`http.check-revoke`].
* `CARGO_HTTP_SSL_VERSION` --- The TLS version to use, see [`http.ssl-version`].
* `CARGO_HTTP_LOW_SPEED_LIMIT` --- The HTTP low-speed limit, see [`http.low-speed-limit`].
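Review bot: The added `CARGO_HTTP_PROXY_CAINFO` entry reads "The proxy TLS certificate Certificate Authority file", carrying over the doubled "certificate Certificate" from the `CARGO_HTTP_CAINFO` line above it. Wording such as "The Certificate Authority bundle used to verify the proxy's TLS certificate" reads more clearly and matches the description in the new `http.proxy-cainfo` section of config.md.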
Expand Down Expand Up @@ -171,6 +172,7 @@ In summary, the supported environment variables are:
[`http.proxy`]: config.md#httpproxy
[`http.timeout`]: config.md#httptimeout
[`http.cainfo`]: config.md#httpcainfo
[`http.proxy-cainfo`]: config.md#httpproxy-cainfo
[`http.check-revoke`]: config.md#httpcheck-revoke
[`http.ssl-version`]: config.md#httpssl-version
[`http.low-speed-limit`]: config.md#httplow-speed-limit