pub get on the samples (sunflower, pop_pop_win, etc) fail with peer certificate error #18929
Comments
All the HTTPS certificate stuff is handled by dart:io. Removed Area-Pub label. |
Hi, Dart comes with a built-in CA database, so what happens here is that the certificate of the host is not accepted by that database. To me it sounds like the request is rewritten and a different certificate is used than the one expected (that is, the certificate used is not the one for 'pub.dartlang.org'). Can you try to run the following: `pub --trace --verbosity all get` That might help us see if there is anything wrong with the local setup. Cheers, |
This comment was originally written by [email protected]

```
C:\dev\tools\dart\dart64\samples\sunflower>pub --trace --verbosity all get
e:\b\build\slave\dart-editor-win-dev\build\dart\sdk\lib_internal\pub\lib\src\solver\backtracking_solver.dart 559 Traverser._traverse
e:\b\build\slave\dart-editor-win-dev\build\dart\sdk\lib_internal\pub\lib\src\log.dart 230 progress
---- Log transcript ----
e:\b\build\slave\dart-editor-win-dev\build\dart\sdk\lib_internal\pub\lib\src\solver\backtracking_solver.dart 559 Traverser._traverse
e:\b\build\slave\dart-editor-win-dev\build\dart\sdk\lib_internal\pub\lib\src\log.dart 230 progress
---- End log transcript ----
C:\dev\tools\dart\dart64\samples\sunflower>
```
|
Hi, so it seems that the certificate from pub.dartlang.org is somehow not recognized. Can you run the following Dart code to get more information on the certificate the Dart client is seeing:

```dart
import 'dart:io';

printCertificate(cert) {

main() {
```

Thanks, |
This comment was originally written by [email protected] Ok, got this back. The zzz and xyz are instead of the actual name returned. Observatory listening on http://127.0.0.1:51829 Response certificate: |
When I run this program locally I get: Response certificate: which has a Google root certificate. This looks like there is a corporate proxy between your machine and pub.dartlang.org which is terminating the HTTPS connection. This proxy is using a root certificate which is not trusted by Dart. The dart executable has a built-in set of root certificates, which of course does not include this root certificate. There are a number of ways this can be fixed:
Removed Type-Defect, Library-IO, Area-Library labels. |
Issue #17664 has been merged into this issue. |
I think it's the OS's responsibility to manage trusted root certificates, rather than each application's. On Windows, it looks like this page has instructions for doing so: http://technet.microsoft.com/en-us/library/cc754841.aspx. Added NotPlanned label. |
This comment was originally written by [email protected] How would we get the cert to add it to our cert storage? |
There are a couple ways listed here: http://superuser.com/questions/97201/how-to-save-a-remote-server-ssl-certificate-locally-as-a-file |
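The two requests above, "run some Dart code that shows which certificate dart:io is actually seeing" and "get hold of that certificate as a file", can be served by one program. The following is an added example, not the snippet from the thread (whose function bodies are missing from the page) and not pub's code. It is written for a current Dart SDK, whose `X509Certificate` exposes `pem` and `sha1`; the Dart 1.x API of the thread only had subject, issuer and validity. The host is the one from the thread; the output file name is an assumption.

```dart
// Added example (not the thread's code): print, and save as PEM, the
// certificate dart:io is shown for pub.dartlang.org, whether or not the
// chain validates against the trusted roots.
import 'dart:io';

const host = 'pub.dartlang.org';
const outFile = 'peer-cert.pem'; // assumed output path

/// Colon-separated hex SHA-1 of the DER encoding, as dart:io reports it.
/// Enough to tell a proxy-minted certificate from the genuine one.
String fingerprintSha1(X509Certificate cert) =>
    cert.sha1.map((b) => b.toRadixString(16).padLeft(2, '0')).join(':');

void printCertificate(X509Certificate cert) {
  print('  subject  : ${cert.subject}');
  print('  issuer   : ${cert.issuer}');
  print('  validity : ${cert.startValidity} .. ${cert.endValidity}');
  print('  sha1     : ${fingerprintSha1(cert)}');
}

/// Saves the PEM so it can be inspected with other tools or shown to an admin.
void savePem(X509Certificate cert, String path) {
  File(path).writeAsStringSync(cert.pem);
  print('  saved to $path');
}

Future<void> main() async {
  final client = HttpClient()
    // Invoked only when the chain does NOT validate against the trusted
    // roots. Record what was presented and still refuse it (return false),
    // so no application data crosses a connection we cannot authenticate.
    ..badCertificateCallback = (X509Certificate cert, String peer, int port) {
      print('UNTRUSTED certificate presented for $peer:$port');
      printCertificate(cert);
      savePem(cert, outFile);
      return false;
    };
  try {
    final request = await client.getUrl(Uri.https(host, '/'));
    final response = await request.close();
    await response.drain<void>();
    print('Trusted chain; response certificate:');
    final cert = response.certificate;
    if (cert != null) {
      printCertificate(cert);
      savePem(cert, outFile);
    }
  } on HandshakeException catch (e) {
    // Expected behind an intercepting proxy whose CA dart:io does not know;
    // the callback above has already printed and saved the certificate.
    print('Handshake failed: ${e.message}');
  } finally {
    client.close(force: true);
  }
}
```

An issuer naming your organisation's proxy instead of a public CA (as in the redacted output above) confirms interception. Two caveats: `badCertificateCallback` is handed only the leaf certificate, which an intercepting proxy mints per host, so the file you get here is not the thing to install in the OS store; what belongs there is the proxy's own root CA, obtained from the proxy operator or by extracting the chain the proxy sends (for example with `openssl s_client -showcerts -connect pub.dartlang.org:443`, one of the routes the superuser link above covers). And the callback must keep returning `false`; returning `true` to "make it work" is the ignore-all-certificates mode that later comments in this thread reject.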
This comment was originally written by @Emasoft 1 - Dart should always use HTTPS for pub get. Security issues would be HUGE if it doesn't. 2 - Dart should give a much more informative error message than the one reported above. The error message should explain clearly what does't work and what is the correct way to do it with Dart. 3 - The user must not be forced to manually set the server certificates using the OS. An admin should be able to write scripts in Dart that do it automatically if he needs to setup of a new server. Dart should be able to manage trusted root certificates on every platform it runs, provided it has be granted the necessary privileges. The Dart subsystem should abstracting the different OSs procedures for doing it, and provide classes dedicated to download, verify, install and manage certificates. This should be true for almost all server side scripting tasks involving the OS, at least those tasks needed to be able to write a Dart script that automate the full setup of a new HTTPS server remotely, a common task that before was accomplished using a mix of various tools and scripts. |
The default is to use HTTPS, but we won't force users to use it for their own custom servers. For intranet or localhost servers, HTTPS doesn't make sense.
Feel free to file an issue against dart:io for this.
I don't think it's the responsibility of the core SDK, much less the package manager, to support a powerful configuration system. If this is something you'd find valuable, though, feel free to write this yourself. |
The Dart executable cannot use the certificates which are set up through the OS tools/UI. The Dart executable uses Mozilla NSS to implement SSL/TLS. NSS accesses certificates and keys from a database which can be built using the certutil tool (https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Reference/NSS_tools_:_certutil). The API `SecureSocket.initialize` is used to initialize NSS with a database. If NSS is not initialized with a database, a built-in set of trusted roots will be used. For pub to work with root certificates not in this built-in set of trusted roots, an option is needed for the database to use in the call to `SecureSocket.initialize`. |
Issue #20270 has been merged into this issue. |
Why not?
If this is a global property of dart:io, shouldn't the "dart" executable expose a way to configure it globally? Why is it the job of each individual executable to expose its own means of configuration? |
We are using the Mozilla NSS library which only supports certificates stored in their own database format.
Right now this is initialized like this: `SecureSocket.initialize(database: 'path/to/database', password: 'password');` We could make this configurable through an environment variable, and for a database with trusted root certificates an empty password should do. However, this still requires that the user builds an NSS database with the 'certutil' tool from Mozilla, which is complicated (see http://stackoverflow.com/questions/25388750/dart-https-request-with-ssl-certificate-please for an example). Another option is to use the badCertificateCallback property of dart:io HttpClient (https://api.dartlang.org/apidocs/channels/stable/dartdoc-viewer/dart-io.HttpClient#id_badCertificateCallback=). There can either be an option to pub to ignore bad certificates, or a prompt displaying the actual certificate and asking. Of course this will somehow cause dart:io features to "leak" into the http package. I don't like an environment variable to ignore all bad certificates in dart:io HttpClient. |
Why are we using this library if it imposes such a heavy usability cost for both users and developers?
This would be better than the current situation, since at least it would mean that Dart executables wouldn't have to independently implement different ways of setting the certificate store.
This is unfortunate, but currently there's no way around it unless we want to ignore bad certificates (which we don't). |
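For readers hitting the same proxy problem on a current SDK: dart:io no longer uses NSS, so the `SecureSocket.initialize(database:, password:)` call and the certutil database discussed above no longer exist. Their replacement is `SecurityContext`, which lets a program keep the built-in roots and add one more trusted CA from a PEM file while leaving validation strict. The program below is an added example, not the thread's code and not pub's; the PEM path is an assumption (it should hold the intercepting proxy's root CA, not the per-host leaf), and the "ignore everything" client is included only as the contrast the discussion above argues against.

```dart
// Added example (not the thread's code). Current dart:io (BoringSSL) replaces
// the NSS database + SecureSocket.initialize described in the thread with
// SecurityContext. This trusts the built-in roots PLUS one extra CA, so a
// corporate intercepting proxy's certificate chain validates without turning
// off validation for everything else.
import 'dart:io';

const proxyRootPem = 'proxy-root.pem'; // assumed: the proxy CA, PEM encoded
const host = 'pub.dartlang.org';

/// Client that trusts the built-in roots plus the proxy CA in [pemPath].
/// No badCertificateCallback is set: anything that does not chain to a
/// trusted root still fails the handshake, which is the behaviour we want.
HttpClient clientTrustingProxyRoot(String pemPath) {
  final ctx = SecurityContext(withTrustedRoots: true)
    ..setTrustedCertificates(pemPath);
  return HttpClient(context: ctx);
}

/// The pattern the thread rightly rejects: an "ignore all bad certificates"
/// switch. Shown for contrast only; it disables TLS authentication entirely,
/// so any on-path attacker, not just the corporate proxy, is accepted.
HttpClient clientIgnoringAllCertificates() {
  return HttpClient()
    ..badCertificateCallback = (X509Certificate cert, String h, int p) => true;
}

/// Performs GET https://host/ with [client] and returns the status code.
/// Throws HandshakeException when the chain does not validate.
Future<int> fetchStatus(HttpClient client, String host) async {
  try {
    final request = await client.getUrl(Uri.https(host, '/'));
    final response = await request.close();
    await response.drain<void>();
    return response.statusCode;
  } finally {
    client.close(force: true);
  }
}

Future<void> main() async {
  if (!File(proxyRootPem).existsSync()) {
    stderr.writeln('$proxyRootPem not found: export the proxy CA first');
    exit(2);
  }
  try {
    final status = await fetchStatus(clientTrustingProxyRoot(proxyRootPem), host);
    print('GET https://$host/ -> $status (chain validated with the extra root)');
  } on HandshakeException catch (e) {
    // Still failing means the PEM is not the CA that actually signs the
    // proxy's certificates; re-check which root terminates the chain.
    print('Handshake failed even with $proxyRootPem: ${e.message}');
  }
}
```

This solves the problem for code you write yourself, which is the gap the thread identifies: pub's own HTTP client cannot be handed a `SecurityContext`. On current desktop SDKs dart:io's default context trusts the platform root store, so installing the proxy CA into the OS store, the route recommended above, is also what makes `pub get` work behind such a proxy; the program here is for applications that cannot rely on the machine-wide store.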
This issue has been moved to dart-lang/pub#983. |
This issue was originally filed by [email protected]
What steps will reproduce the problem?
What is the expected output? What do you see instead?
I expect pub to get the required files
What version of the product are you using? On what operating system?
Dart sdk 1.3.6
Please provide any additional information below.