How to disable strictSSL check? #1121

Closed
nickzelei opened this issue Aug 18, 2017 · 7 comments
@nickzelei

nickzelei commented Aug 18, 2017

I'm attempting to disable checking of self-signed certs to avoid the UNABLE_TO_VERIFY_LEAF_SIGNATURE error. Typically, with request, I would simply pass it rejectUnauthorized: false or strictSSL: false.

I've tried this, but it does not seem to work:

import * as Swagger from "swagger-client";
import * as https from "https";

const httpsAgent = new https.Agent({ rejectUnauthorized: false });

Swagger({ url: "https://my-url/swagger.json", connectionAgent: httpsAgent })
    .then(client => console.log(client))
    .catch(console.error);

The error:

{ FetchError: request to https://my-url/swagger.json failed, reason: unable to verify the first certificate
    at ClientRequest.<anonymous> (E:\playground\ts_test\node_modules\node-fetch\index.js:133:11)
    at emitOne (events.js:96:13)
    at ClientRequest.emit (events.js:188:7)
    at TLSSocket.socketErrorListener (_http_client.js:309:9)
    at emitOne (events.js:96:13)
    at TLSSocket.emit (events.js:188:7)
    at emitErrorNT (net.js:1277:8)
    at _combinedTickCallback (internal/process/next_tick.js:80:11)
    at process._tickCallback (internal/process/next_tick.js:104:9)
  name: 'FetchError',
  message: 'request to https://my-url/swagger.json failed, reason: unable to verify the first certificate',
  type: 'system',
  errno: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
  code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE' }

Any insight on how to accomplish this?

@shockey
Contributor

shockey commented Aug 19, 2017

What version of swagger-client are you using?

@nickzelei
Author

The latest. 3.0.20.

@shockey shockey self-assigned this Aug 24, 2017
@johnmilimo

I am also experiencing the same issue. I am using a self-signed cert, and I need to disable the SSL verification.

@shockey
Contributor

shockey commented Sep 13, 2017

Hi folks!

First, please note that connectionAgent is not a valid option in swagger-client's 3.x series, so setting one won't have any effect.

Secondly, it's always better to set up your system to trust your self-signed certificates rather than disable TLS validation. However, if you really want to do so, here's how you'd do it:

const Swagger = require("swagger-client")

process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = "0"

// not actually a Swagger document, but simulates a self-signed cert
Swagger({ url: "https://untrusted-root.badssl.com" })
    .then(client => console.log(client))
    .catch(console.error)

Please note that this will completely neuter SSL for all requests that your project makes.

We do offer a way to bring your own Fetch implementation if you're using the buildRequest/execute API - however, I looked around a bit, and couldn't find a flag that can be passed to the Fetch API to disable TLS validation.

I'll close with a quote from the Superagent issue tracker, which had a similar discussion last year:

Please never use NODE_TLS_REJECT_UNAUTHORIZED for anything, ever. It's a dangerous option that ruins security of all requests made by node.
Please either get a free certificate from Letsencrypt, or create your own certificate and CA.

ladjs/superagent#205

I recommend that you look into adding your certificates to your operating system's trust store 😄

@nickzelei
Author

In my case, I'm working behind a corporate firewall. IT doesn't release the self-signed certs, so I am not able to access them. I was looking for a way to disable TLS checking for just my single request, not for my entire Node process. I've seen superagent's stance on it, and that is also part of the reason why I cannot utilize superagent in a Node environment. Request makes it trivial by exposing the strictSSL option and allowing users to turn it off, un-opinionated.

I will look into the buildRequest/execute API. Thanks.

@mwaeckerlin

Solution With Agent

There is a very simple solution: yes, @shockey, you cannot set connectionAgent, but you can set http, and http is fetch-like, so it evaluates an agent option:

import SwaggerClient from 'swagger-client';
import https from "https";

…

const agent = new https.Agent({
  rejectUnauthorized: false
})
const http = (request) => SwaggerClient.http({...request, agent});
const api = await new SwaggerClient({ http, url: "https://localhost:3000/docs-json" });

@char0n
Member

char0n commented Sep 1, 2020

@mwaeckerlin thanks, I think this is worth adding into our documentation. Created a related issue.
