Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add environment variables that enable to trust additional certificates from the file system. #86243

Closed
tmds opened this issue May 15, 2023 · 11 comments
Closed

Add environment variables that enable to trust additional certificates from the file system. #86243

tmds opened this issue May 15, 2023 · 11 comments
Assignees
@bartonjs
Labels
area-System.Security needs-further-triage Issue has been initially triaged, but needs deeper consideration or reconsideration
Milestone
Future

Comments

@tmds
Copy link
Member

tmds commented May 15, 2023

With OpenSSL the SSL_CERT_DIR and SSL_CERT_FILE envvars enable overriding the system certificates trusted by the .NET application.

This is a request to, instead of overriding all system certificates, enable adding additional certificates from the file system using environment variables:

  • DOTNET_SSL_CERT_DIRS: a colon separate list of directories certificates are loaded from.
  • DOTNET_SSL_CERT_FILES: a colon separate list of files certificates are loaded from.

Having a 'simple' way to extend the trusted certificates may provide a more secure alternative than opting into to insecure communication (e.g. NuGet/Home#12542).

cc @bartonjs @vcsjones @blowdart
@ghost ghost added the untriaged New issue has not been triaged by the area owner label May 15, 2023
@ghost
Copy link

ghost commented May 15, 2023

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

With OpenSSL the SSL_CERT_DIR and SSL_CERT_FILE envvars enable overriding the system certificates trusted by the .NET application.

This is a request to, instead of overriding all system certificates, enable adding additional certificates from the file system using environment variables:

  • DOTNET_SSL_CERT_DIRS: a colon separate list of directories certificates are loaded from.
  • DOTNET_SSL_CERT_FILES: a colon separate list of files certificates are loaded from.

Having a 'simple' way to extend the trusted certificates may provide a more secure alternative than opting into to insecure communication (e.g. NuGet/Home#12542).

cc @bartonjs @vcsjones @blowdart

Author: tmds
Assignees: -
Labels:

area-System.Security
Milestone: -

@tmds tmds mentioned this issue Jun 8, 2023
Merged
@joelverhagen
Copy link
Member

Yes, I love this idea. Would there be an expectation that DOTNET_SSL_CERT_DIRS and DOTNET_SSL_CERT_FILES work the same on Windows? Or would this be an OpenSSL-only hook? Perhaps I am wrong but SSL_CERT_DIR and SSL_CERT_FILE only for macOS and Linux?

@tmds
Copy link
Member Author

tmds commented Jun 15, 2023
edited
Loading

The proposal is meant for this to work cross-platform, so on Windows too.

@jeffhandley
Copy link
Member

Anything where .NET augments or changes the logic for trusted certificate comes with the risk of support or security issues, so it's ideal if we're delegating that work to the underlying system as much as possible, keeping it as predictable and consistent as we can.

Instead of using an environment variable to inform .NET how to augment the list of trusted certificates, would it be possible in these scenarios to add the additional certificates into the system's trusted certificate store? Are there other processes running that should not respect the additional certificates as trusted?

@jeffhandley jeffhandley added needs-author-action An issue or pull request that requires more info or actions from the author. and removed untriaged New issue has not been triaged by the area owner labels Jun 28, 2023
@ghost
Copy link

ghost commented Jun 28, 2023

This issue has been marked needs-author-action and may be missing some important information.

@tmds
Copy link
Member Author

tmds commented Jun 28, 2023

Instead of using an environment variable to inform .NET how to augment the list of trusted certificates, would it be possible in these scenarios to add the additional certificates into the system's trusted certificate store? Are there other processes running that should not respect the additional certificates as trusted?

I think the main issues are:

  • permission: you need root to add certificates.
  • UX: it depends on the distro how to do this, and users don't know how to do it.

Unfortunately, this makes users go for the "--insecure" option when it is available (NuGet/Home#12542).

@jeffhandley jeffhandley added needs-further-triage Issue has been initially triaged, but needs deeper consideration or reconsideration and removed needs-author-action An issue or pull request that requires more info or actions from the author. labels Jun 28, 2023
@jeffhandley jeffhandley added this to the Future milestone Jun 28, 2023
@tmds
Copy link
Member Author

tmds commented Aug 22, 2023

Note that handing of SSL_CERT_DIR (with OpenSSL) is handled by runtime itself. So any security considerations already apply to that.

The request here is for something that it additive, and that works cross-platform.

@jeffhandley
Copy link
Member

Assigned to @bartonjs to revisit triage of this. Do you think we'd consider this, @bartonjs?

@tmds
Copy link
Member Author

tmds commented Feb 9, 2025

In #92920 we've added support for SSL_CERT_DIR to accept multiple directories. This enabled the use-case on Linux and also on container-based systems (Kubernetes, CI, ...).

Perhaps that is sufficient to close this issue.

@joelverhagen
Copy link
Member

IMO this issue is about cross-platform support (full runtime support, all platforms). If is #92920 is Linux + container specific, then Windows and macOS are still not able to override trusted certificates with an environment variable (apologies if I misunderstood). For that reason, it seems like this issue stay open.

In particular, if you want to trust an internal NuGet package feed with a private CA for SSL certs, you have to "mess up" your Windows trust store, rather than being able to scope the trust change to one process with an env var.

@bartonjs
Copy link
Member

I don't think we have enough evidence that this would be goodness/desired on Windows. We only support SSL_CERT_DIR because our position on Linux is "behave like other things using system crypto", and those environment variables generally control OpenSSL under the hood.

If there's a strong cry for it, we'd definitely consider it; but for now, no.

@bartonjs bartonjs closed this as not planned Won't fix, can't repro, duplicate, stale Feb 10, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@bartonjs bartonjs

Labels
area-System.Security needs-further-triage Issue has been initially triaged, but needs deeper consideration or reconsideration
Projects
None yet
Milestone
Future
Development

No branches or pull requests
4 participants
@joelverhagen @tmds @jeffhandley @bartonjs