
Support ssl_verify: 'truststore'

Open zeehio opened this issue 2 years ago • 4 comments

Hi,

On (typically corporate) environments, we sometimes find that all traffic is routed through a MITM HTTPS server, that decrypts, inspects and re-encrypts all https traffic. This MITM inspector generates custom SSL certificates, and the self-signed Certificate Authority that signs those custom certificates is trusted in all company laptops. Typically it is installed in the OS trust store.

Conda offers the ssl_verify option, that may be true, false, or a string representing a path to a certificate file.

I submitted a pull request to conda (and it seems close to being merged):

  • https://github.com/conda/conda/pull/13075

In that PR, conda adds support for ssl_verify: 'truststore' that tells conda to use the operating system trust store. On Windows and Mac OS it uses the native operating system APIs and on Linux it uses OpenSSL set CA certificates. All of this happens through the truststore python package, developed by the maintainer of urllib3 and requests python packages.

I just thought that since one of mamba objectives is to be a drop-in replacement for conda, it should provide similar support.

You know mamba much better than I. I took a quick look and I saw mamba uses the curl library for downloads. I don't know how the curl library that you use is built. If it is built to use the operating system certificate store (on Windows I believe it is called "sChannel"?) then the only thing you'd need to do is to treat ssl_verify: 'truststore' as ssl_verify: true.

Otherwise I'm afraid I don't know curl enough to know what would need to be done.

I thought you wanted to know so mamba doesn't lag behind supporting the feature. If there is anything I can do to assist please tell me.

Thanks for your time and work on mamba!

zeehio avatar Sep 21 '23 05:09 zeehio

Thank you so much!

Indeed, I think it is built with Schannel; I can look it up on conda-forge or just try it out.

jonashaag avatar Sep 21 '23 05:09 jonashaag

           curl version : libcurl/8.1.2-DEV Schannel zlib/1.2.13

jonashaag avatar Sep 21 '23 09:09 jonashaag

Great!

I guess the current behaviour is to treat ssl_verify: 'truststore' as if 'truststore' was a path to a custom certificate (since it's a string).

Mamba would need to treat ssl_verify: 'truststore' as if it was ssl_verify: true.

I don't have much time to make a patch right now. It would be nice if anyone could submit a small PR with the change.

Something like adding a test like:

    rc = "ssl_verify: truststore";
    load_test_config(rc);
    CHECK_EQ(ctx.remote_fetch_params.ssl_verify, "<system>");

https://github.com/mamba-org/mamba/blob/044824b6b24a33e4532fab2d07bf0ea47f7dd0a0/libmamba/tests/src/core/test_configuration.cpp#L599-L601

And possibly changing line:

https://github.com/mamba-org/mamba/blob/044824b6b24a33e4532fab2d07bf0ea47f7dd0a0/mamba/mamba/utils.py#L262

so it says:

elif context.ssl_verify not in (True, 'truststore'):

zeehio avatar Sep 21 '23 13:09 zeehio
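The mapping the thread describes (a boolean, a CA bundle path, or the literal string 'truststore', with 'truststore' normalised to the same "<system>" marker the libmamba test above checks for) can be shown in a few lines of Python. This is an added illustration written for this page, not code from mamba or conda; the function names, the accepted string forms "true"/"false", and the injectable `exists` check are assumptions made here so the example runs offline.

```python
import os
from typing import Callable, Optional, Union

# Marker meaning "verify against the operating-system trust store"
# (Schannel on Windows, Keychain on macOS, OpenSSL's CA directory on Linux).
# The libmamba test quoted in the thread expects this exact string.
SYSTEM_TRUST_STORE = "<system>"


def normalize_ssl_verify(
    value: Union[bool, str, None],
    exists: Callable[[str], bool] = os.path.isfile,
) -> Union[bool, str]:
    """Map a .condarc `ssl_verify` value to what the downloader should do.

    Returns:
      True        -> verify with the default CA bundle
      False       -> disable verification (explicit opt-out only)
      "<system>"  -> verify against the OS trust store ('truststore')
      a path      -> verify against that custom CA bundle file
    Raises ValueError for any other string, which is the
    "ssl_verify does not contain a valid file path" case from the thread.
    `exists` is injectable so the check can be tested without touching disk
    (assumption: a real implementation would just call os.path.isfile).
    """
    if value is None or value is True:
        return True
    if value is False:
        return False
    if not isinstance(value, str):
        raise TypeError(f"unsupported ssl_verify type: {type(value).__name__}")

    text = value.strip()
    # YAML usually gives us real booleans, but `conda config --set` style
    # input may arrive as a string; accept the plain spellings (assumption).
    if text.lower() == "true":
        return True
    if text.lower() == "false":
        return False
    # The new value: use the OS trust store instead of a bundle on disk.
    if text == "truststore":
        return SYSTEM_TRUST_STORE
    # Anything else must be a readable CA bundle, as today.
    if exists(text):
        return text
    raise ValueError("ssl_verify does not contain a valid file path: %r" % text)


def needs_custom_ca_bundle(value: Union[bool, str, None]) -> bool:
    """The check proposed for mamba/utils.py in the thread:
    only a real path (not True and not 'truststore') means a custom bundle
    has to be handed to the HTTP client."""
    return value not in (True, "truststore", None)


if __name__ == "__main__":
    # Constructed sample values, mirroring the .condarc lines in the thread.
    for raw in (True, "truststore", "false"):
        print(raw, "->", normalize_ssl_verify(raw))
    for raw in (True, "truststore", "/etc/ssl/corp-ca.pem"):
        print(raw, "needs custom bundle:", needs_custom_ca_bundle(raw))
```

Note that the string 'truststore' is handled before the file-existence check; that ordering is the whole fix, because a plain string would otherwise fall through to the "must be a path" branch and fail exactly as later comments report.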

I just ran into this issue. After configuring conda config --set ssl_verify truststore according to the docs, a mamba update mamba (for example) results in ssl_verify does not contain a valid file path. (mamba 1.5.9). My .condarc has, as expected:

channels: [conda-forge]
ssl_verify: truststore

Changing this line into ssl_verify: true makes mamba work, but breaks conda as it does not use the OS trust store anymore.

bilderbuchi avatar Oct 29 '24 08:10 bilderbuchi

This is also an issue on macOS. Thought there was an issue with my Keychain that had the CA cert bundle, but it turns out mamba doesn't like truststore. The command was successful when I used conda. I am currently using mamba 1.5.12.

Has anyone supplied a patch yet?

millsks avatar Apr 10 '25 22:04 millsks