
Thorium behind a corporate transparent MITM proxy (self-signed certificates, CA chain)

Open NachoParra opened this issue 2 years ago • 10 comments

Hi,

Yesterday I started to play around with Thorium so I can play licensed audiobooks from my public library, and it looks great as a default ebook reader app for the laptop.

I have a Calibre library on my NAS, which is served over HTTPS with COPS and Calibre-web.

I tried to add these two as catalogs, as well as the Gutenberg OPDS feed, and I always get the same error: [image]

I suspect that the problem lies with my corporate transparent MITM proxy. On my corporate laptops we have a MITM proxy that signs all HTTPS connections with its own corporate certificate. As the corporate certificate has been added on W11 and Firefox, there is no problem there, but not inside Thorium and its Chromium browser, so whenever I try to connect to any OPDS library, I get the error.

Is there any way to add root certificates to Thorium? If not, can we somehow tell Chromium not to validate any, or a list of, HTTPS certificates?

Thanks!

NachoParra avatar Dec 20 '23 11:12 NachoParra

Duplicate: https://github.com/edrlab/thorium-reader/issues/1904 (moving your feedback there, thank you very much!)

danielweck avatar Dec 20 '23 12:12 danielweck

Hello, I am reopening this issue as I think that the newly-introduced PROXY support in Thorium3 will not solve issues related to broken certificate chains. This needs further testing.

Note that we will likely upgrade to Electron 31 in a few weeks / months, which will introduce support for NODE_EXTRA_CA_CERTS: https://github.com/electron/electron/releases/tag/v31.0.0 (this will probably ship in Thorium3.1, but not immediately in Thorium3.0 as this version of Electron has not been tested enough in the wild yet)

danielweck avatar Jun 12 '24 07:06 danielweck

Great news!! I can setup a dev environment and test against my corporate configuration anytime.

NachoParra avatar Jun 12 '24 08:06 NachoParra

related?

https://github.com/edrlab/thorium-reader/issues/2753

danielweck avatar Feb 19 '25 08:02 danielweck

I think that it can be related, yes, as the error in the two could be linked to Node not reading non-standard certificates.

Have you implemented the NODE_EXTRA_CA_CERTS environment variable? I can test this if you want.

NachoParra avatar Feb 20 '25 11:02 NachoParra

could you please try. thank you

danielweck avatar Feb 20 '25 11:02 danielweck

ah, I am afraid "node options" are disabled in Thorium (Electron Fuse) https://github.com/nodejs/node/blob/main/doc/api/cli.md

danielweck avatar Feb 20 '25 12:02 danielweck

ah, I am afraid "node options" are disabled in Thorium (Electron Fuse) https://github.com/nodejs/node/blob/main/doc%2Fapi%2Fcli.md

https://github.com/edrlab/thorium-reader/blob/develop/scripts%2FafterPack.js#L59

danielweck avatar Feb 20 '25 12:02 danielweck

I have tried with NODE_EXTRA_CA_CERTS and even with NODE_TLS_REJECT_UNAUTHORIZED to not validate any certificate and we have the same problem, probably because of the comment that node options are disabled.

NachoParra avatar Feb 20 '25 13:02 NachoParra

This issue is not actionable at this point, closing. Thorium normally works with PROXY env vars, but not sure this would help in this case https://github.com/Rob--W/proxy-from-env?tab=readme-ov-file#environment-variables

danielweck avatar Jun 27 '25 19:06 danielweck
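
The thread ends with both environment variables ignored because the Node options fuse is disabled. As an added example (not Thorium's code and not from the participants), this sketch shows how a Node/Electron main process can trust a corporate root CA per request while keeping certificate validation on. The function names and the sample bundle are hypothetical, and it assumes the requests are made with Node's `https` module rather than Chromium's network stack, which the thread does not state.

```javascript
// Added example: extend the trusted CA list instead of disabling TLS validation.
const tls = require('tls');
const https = require('https');

// Constructed sample bundle (placeholder bodies, not real certificates):
// a corporate root plus one intermediate, with CRLF line endings and a comment line.
const SAMPLE_BUNDLE = [
  '# corporate root (constructed)',
  '-----BEGIN CERTIFICATE-----', 'Q09OU1RSVUNURUQtUk9PVA==', '-----END CERTIFICATE-----',
  '# corporate intermediate (constructed)',
  '-----BEGIN CERTIFICATE-----', 'Q09OU1RSVUNURUQtSU5U', '-----END CERTIFICATE-----',
].join('\r\n');

// Split a PEM bundle into individual certificates, ignoring text between blocks.
function splitPemBundle(bundleText) {
  const re = /-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----/g;
  return (bundleText.match(re) || []).map((pem) => pem.replace(/\r\n/g, '\n').trim());
}

// Passing `ca` REPLACES Node's default trust list, so keep the bundled roots
// and append the corporate certificates; exact duplicates are dropped.
function buildCaList(extraBundleText) {
  const extra = splitPemBundle(extraBundleText);
  if (extra.length === 0) {
    // Fail closed: an empty bundle must not silently fall back to "trust nothing extra".
    throw new Error('no certificates found in bundle');
  }
  return [...new Set([...tls.rootCertificates, ...extra])];
}

// Agent that still verifies the chain and the hostname, now against the extended list.
function agentWithCorporateCa(extraBundleText) {
  return new https.Agent({
    ca: buildCaList(extraBundleText),
    rejectUnauthorized: true, // the opposite of NODE_TLS_REJECT_UNAUTHORIZED=0
  });
}
```

The agent is passed as the `agent` option of `https.get` or `https.request`; with a real bundle exported from the corporate trust store, a chain signed by the proxy validates while any other untrusted chain is still rejected.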