Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

invalid peer certificate: BadSignature with Cloudflare WARP #21169

Open
yacinehmito opened this issue Nov 11, 2023 · 4 comments
Open

invalid peer certificate: BadSignature with Cloudflare WARP #21169

yacinehmito opened this issue Nov 11, 2023 · 4 comments
Labels
feat new feature (which has been agreed to/accepted) tls Issues related to TLS implementation

Comments

@yacinehmito
Copy link
Contributor

yacinehmito commented Nov 11, 2023

Disclaimer: It's a bit hard to know whether the root cause is in Deno's scope or Cloudflare's scope, so I am posting an issue both in here and with Cloudflare support.

Description

When using Cloudflare WARP as an HTTPS proxy, deno is unable to fetch any resources as it errors with invalid peer certificate: BadSignature regardless of how Cloudflare's certificate is provided.

Context

Cloudflare WARP is a VPN client that can also act as an HTTPS proxy in an Enterprise setting (this is part of the Cloudflare Zero Trust suite of product). Effectively, Cloudflare acts as a man-in-the-middle for all HTTPS traffic when Cloudflare WARP is activated and configured to run as an HTTPS proxy. It therefore requires the endpoint to trust a certificate from Cloudflare, which can be downloaded here.

When using Deno, this certificate can be provided in one of three ways:

  1. Along the --cert CLI parameter.
  2. By setting the environment variable DENO_CERT to the path of the certificate.
  3. By installing the certificate to the system's trust store and setting the environment variable DENO_TLS_CA_STORE to system.

Regardless of how the certificate is provided, this fails. It may either be because of a defect of Cloudflare's proxy, or a defect in Deno's handling of custom certificates.

Steps to reproduce

  1. Install Cloudflare WARP, login to the appropriate Cloudflare team and configure the WARP client to enable the L7 proxy in the Zero Trust dashboard. Make sure that "Zero Trust" is toggled on the Cloudflare WARP client.
  2. Download the Cloudflare certificate in PEM format. Let's assume that it is stored at ~/cloudflare.pem.
  3. Write a script that depends on a remote module that has not yet been cached (see example script). Let's assume that it is stored at ~/script.ts.
  4. (Optionally: Bust the cache with rm -r $(deno info --json | grep denoDir | cut -d: -f2 | sed 's/[" ,]//g').)
  5. Run deno run --cert ~/cloudflare.pem ~/script.ts.

This will fail with the following output:

error: Import 'https://deno.land/std@0.206.0/uuid/mod.ts' failed:
error sending request for url (https://deno.land/std@0.206.0/uuid/mod.ts):
error trying to connect:
invalid peer certificate: BadSignature

Example script

import { v1 } from "https://deno.land/std@0.206.0/uuid/mod.ts";

console.log(v1.generate());

System settings

Output of deno --version:

deno 1.38.1 (release, aarch64-apple-darwin)
v8 12.0.267.1
typescript 5.2.2

OS: macOS Ventura 13.6.1

Cloudflare WARP version: 2023.9.252.0 (20230927.21)

@yacinehmito yacinehmito changed the title invalid peer certificate: UnknownIssuer with Cloudflare WARP invalid peer certificate: BadSignature with Cloudflare WARP Nov 11, 2023
@yacinehmito
Copy link
Contributor Author

I managed to reproduce with rustls' example program:

./target/debug/tlsclient-mio --verbose --cafile ~/cloudflare.pem deno.land --http

I'll keep this issue open, unless asked otherwise, and will direct my investigations to rustls.

@yacinehmito
Copy link
Contributor Author

yacinehmito commented Nov 12, 2023

I think I found the issue: the signature algorithm of the Cloudflare certificate is ECDSA Signature with SHA-512 (1.2.840.10045.4.3.4). It is not supported by rustls.

The issue to track progress in rustls: rustls/rustls#1367
The PR to track progress in ring: briansmith/ring#1631

@mmastrac mmastrac added feat new feature (which has been agreed to/accepted) tls Issues related to TLS implementation unactionable and removed unactionable labels Nov 13, 2023
@mmastrac
Copy link
Contributor

We'll keep an eye on this an update ring/rustls as needed. Thanks for researching it.

@ostrolucky
Copy link

FYI rustls supports this since 0.23 (release Feb 29)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
feat new feature (which has been agreed to/accepted) tls Issues related to TLS implementation
Projects
None yet
Development

No branches or pull requests

4 participants