mockttp
Is ignoreHostCertificateErrors the recommended way to ignore certificate errors?
Let's say that I'm using mockttp to proxy requests to example.local, which uses a self-signed certificate.
During testing, the requests fail with HTTP code 502 and I receive the following message in the Node console:
Failed to handle request: unable to verify the first certificate
I tried using workarounds like running Node with environment variables set - for example:
NODE_EXTRA_CA_CERTS='../ssl/example.local.pem' node index.js
and
NODE_TLS_REJECT_UNAUTHORIZED=0 node index.js
Neither worked. In fact, while using the latter approach (NODE_TLS_REJECT_UNAUTHORIZED), Node did provide a warning which confirmed that the env setting was being set appropriately but that it was simply not working:
(node:43294) Warning: Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0' makes TLS connections and HTTPS requests insecure by disabling certificate verification.
Fortunately, in the code for mockttp, I was able to find an example of how to ignore host certificate errors. This led me to the following approach:
server.thenPassThrough({
  ignoreHostCertificateErrors: ['example.local']
});
This does seem to work 🎉, but I'm confused.
- Why didn't the other general Node environment variable approaches work? Are those settings overridden by mockttp?
- Is this approach (using ignoreHostCertificateErrors) the recommended solution?
Thank you! :)
Why didn't the other general Node environment variable approaches work? Are those settings overridden by mockttp?
Yep, exactly. Those settings set Node's defaults, but they don't override all TLS settings. Mockttp sets its own TLS configuration according to the settings it's given, so that you can customize different endpoints independently.
Is this approach (using ignoreHostCertificateErrors) the recommended solution?
Right now, yes. In future I'd like to add support for configuring trusted SSL certificates for individual passthrough rules too (PRs welcome!) but that's not available yet.
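Added example (not part of the thread and not mockttp's source): a small model of why a process-wide NODE_TLS_REJECT_UNAUTHORIZED=0 has no effect once a proxy passes its own per-connection TLS options, and how a per-host list keeps verification on for every other upstream. The function names are hypothetical, and exact-match host comparison is an assumption about how such a list is applied.

```javascript
// Illustrative model only; helper names are hypothetical, not mockttp APIs.

// Node's process-wide default: verify certificates unless the env var is '0'.
function nodeDefaultRejectUnauthorized(env) {
  return env.NODE_TLS_REJECT_UNAUTHORIZED !== '0';
}

// Normalise a hostname for exact comparison: lower-case, drop a trailing dot.
function normalizeHost(host) {
  return String(host).trim().toLowerCase().replace(/\.$/, '');
}

// TLS options a proxy would pass explicitly for one upstream connection.
// Verification is disabled only for hosts that match the list exactly
// (assumption), so subdomains and look-alike names are still verified.
function upstreamTlsOptions(hostname, ignoreHostCertificateErrors = []) {
  const host = normalizeHost(hostname);
  const ignored = ignoreHostCertificateErrors.map(normalizeHost).includes(host);
  return { rejectUnauthorized: !ignored };
}

// What the connection ends up using: an explicitly passed option wins,
// and the environment-derived default applies only when none was passed.
function effectiveRejectUnauthorized(explicitOptions, env) {
  if ('rejectUnauthorized' in explicitOptions) {
    return explicitOptions.rejectUnauthorized !== false;
  }
  return nodeDefaultRejectUnauthorized(env);
}

// Constructed sample input: the env var from the question plus a one-host list.
const sampleEnv = { NODE_TLS_REJECT_UNAUTHORIZED: '0' };
const sampleIgnoreList = ['example.local'];
const sampleHosts = [
  'example.local',      // listed: verification off
  'EXAMPLE.local.',     // same host after normalisation: verification off
  'api.example.local',  // subdomain, not listed: still verified
  'example.local.test'  // look-alike suffix, not listed: still verified
];

for (const host of sampleHosts) {
  const opts = upstreamTlsOptions(host, sampleIgnoreList);
  const verify = effectiveRejectUnauthorized(opts, sampleEnv);
  console.log(`${host} -> verify certificate: ${verify}`);
}
```

Scoping the exception to named hosts means an accidental passthrough to any other upstream still fails closed on an untrusted certificate.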
Got it - thanks for clarifying!
For what it's worth, in all of my searching, I didn't happen across any references to ignoreHostCertificateErrors. I only found it by searching the actual source code.
Given that mockttp is probably used frequently with self-signed certs, it might be good to add a short note to Setting up Mockttp.
Thanks for the cool tool! As I adapt it for my uses, I'll keep my eye open for PR opportunities.
I am getting this type of error when redirecting matched domains to another IP (just like how you would do it via the hosts file). More documentation would be nice to have.
Thanks @rinogo for the link to the unit tests examples, this should help me along.