From ca4a3b1f8b6e39861ebaa08191cbd59723dcc28d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andrzej=20Bro=C5=84ski?=
Date: Tue, 1 Apr 2025 10:33:11 +0200
Subject: [PATCH 1/3] Add `http.proxy-cainfo` config for proxy certs

This adds a `http.proxy-cainfo` option to Cargo which reads CA information from a bundle to pass through to the underlying `libcurl` call. This should allow configuration of Cargo in situations where SSL proxy is used.
---
 src/cargo/util/context/mod.rs | 1 +
 src/cargo/util/network/http.rs | 4 ++++
 src/doc/src/reference/config.md | 9 +++++++++
 src/doc/src/reference/environment-variables.md | 2 ++
 4 files changed, 16 insertions(+)

diff --git a/src/cargo/util/context/mod.rs b/src/cargo/util/context/mod.rs
index 6764e596151..f81da0ed8ba 100644
--- a/src/cargo/util/context/mod.rs
+++ b/src/cargo/util/context/mod.rs
@@ -2608,6 +2608,7 @@ pub struct CargoHttpConfig {
     pub low_speed_limit: Option,
     pub timeout: Option,
     pub cainfo: Option,
+    pub proxy_cainfo: Option,
     pub check_revoke: Option,
     pub user_agent: Option,
     pub debug: Option,
diff --git a/src/cargo/util/network/http.rs b/src/cargo/util/network/http.rs
index 1b3af2dc1fc..bdd4274583e 100644
--- a/src/cargo/util/network/http.rs
+++ b/src/cargo/util/network/http.rs
@@ -61,6 +61,10 @@ pub fn configure_http_handle(gctx: &GlobalContext, handle: &mut Easy) -> CargoRe
         let cainfo = cainfo.resolve_path(gctx);
         handle.cainfo(&cainfo)?;
     }
+    if let Some(proxy_cainfo) = &http.proxy_cainfo {
+        let proxy_cainfo = proxy_cainfo.resolve_path(gctx);
+        handle.proxy_cainfo(&format!("{}", proxy_cainfo.display()))?;
+    }
     if let Some(check) = http.check_revoke {
         handle.ssl_options(SslOpt::new().no_revoke(!check))?;
     }
diff --git a/src/doc/src/reference/config.md b/src/doc/src/reference/config.md
index bb15e55ab69..b9b643032a8 100644
--- a/src/doc/src/reference/config.md
+++ b/src/doc/src/reference/config.md
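Review bot: `handle.proxy_cainfo(&format!("{}", proxy_cainfo.display()))?` hands curl the trust-anchor path after a lossy conversion: `Path::display()` substitutes U+FFFD for any non-UTF-8 bytes, so a bundle living at such a path would be looked up under a name that does not exist and the proxy handshake would presumably fail with a verify-locations error naming the wrong file, whereas `handle.cainfo(&cainfo)` earlier in the hunk passes the `Path` through unchanged. Converting explicitly and reporting the failure keeps the error pointing at the real cause: `let proxy_cainfo = proxy_cainfo.to_str().ok_or_else(|| anyhow::anyhow!("http.proxy-cainfo path is not valid UTF-8: {}", proxy_cainfo.display()))?;` followed by `handle.proxy_cainfo(proxy_cainfo)?;`. The second commit's rewrite of this block keeps the same `format!` line, so the same change applies there. `configure_http_handle` starts and ends outside the hunk.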
@@ -107,6 +107,7 @@ ssl-version.min = "tlsv1.1" # minimum TLS version
 timeout = 30 # timeout for each HTTP request, in seconds
 low-speed-limit = 10 # network timeout threshold (bytes/sec)
 cainfo = "cert.pem" # path to Certificate Authority (CA) bundle
+proxy-cainfo = "cert.pem" # path to proxy Certificate Authority (CA) bundle
 check-revoke = true # check for SSL certificate revocation
 multiplexing = true # HTTP/2 multiplexing
 user-agent = "…" # the user-agent header
@@ -708,6 +709,14 @@ Sets the timeout for each HTTP request, in seconds.
 Path to a Certificate Authority (CA) bundle file, used to verify TLS
 certificates. If not specified, Cargo attempts to use the system certificates.
 
+#### `http.proxy-cainfo`
+* Type: string (path)
+* Default: none
+* Environment: `CARGO_HTTP_PROXY_CAINFO`
+
+Path to a Certificate Authority (CA) bundle file, used to verify proxy TLS
+certificates.
+
 #### `http.check-revoke`
 * Type: boolean
 * Default: true (Windows) false (all others)
diff --git a/src/doc/src/reference/environment-variables.md b/src/doc/src/reference/environment-variables.md
index 0e1dcd3435e..8a1627d3a05 100644
--- a/src/doc/src/reference/environment-variables.md
+++ b/src/doc/src/reference/environment-variables.md
@@ -105,6 +105,7 @@ In summary, the supported environment variables are:
 * `CARGO_HTTP_PROXY` --- Enables HTTP proxy, see [`http.proxy`].
 * `CARGO_HTTP_TIMEOUT` --- The HTTP timeout, see [`http.timeout`].
 * `CARGO_HTTP_CAINFO` --- The TLS certificate Certificate Authority file, see [`http.cainfo`].
+* `CARGO_HTTP_PROXY_CAINFO` --- The proxy TLS certificate Certificate Authority file, see [`http.proxy-cainfo`].
 * `CARGO_HTTP_CHECK_REVOKE` --- Disables TLS certificate revocation checks, see [`http.check-revoke`].
 * `CARGO_HTTP_SSL_VERSION` --- The TLS version to use, see [`http.ssl-version`].
 * `CARGO_HTTP_LOW_SPEED_LIMIT` --- The HTTP low-speed limit, see [`http.low-speed-limit`].
@@ -171,6 +172,7 @@ In summary, the supported environment variables are:
 [`http.proxy`]: config.md#httpproxy
 [`http.timeout`]: config.md#httptimeout
 [`http.cainfo`]: config.md#httpcainfo
+[`http.proxy-cainfo`]: config.md#httpproxy-cainfo
 [`http.check-revoke`]: config.md#httpcheck-revoke
 [`http.ssl-version`]: config.md#httpssl-version
 [`http.low-speed-limit`]: config.md#httplow-speed-limit
From 9a77461bdc8e822a3a1935861eb551a94052ca0f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andrzej=20Bro=C5=84ski?=
Date: Thu, 8 May 2025 11:36:57 +0200
Subject: [PATCH 2/3] Make `http.proxy-cainfo` fallback to `http.cainfo`, like curl.

---
 src/cargo/util/network/http.rs | 8 +++++++-
 src/doc/src/reference/config.md | 2 +-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/cargo/util/network/http.rs b/src/cargo/util/network/http.rs
index bdd4274583e..38004891e23 100644
--- a/src/cargo/util/network/http.rs
+++ b/src/cargo/util/network/http.rs
@@ -61,7 +61,13 @@ pub fn configure_http_handle(gctx: &GlobalContext, handle: &mut Easy) -> CargoRe
         let cainfo = cainfo.resolve_path(gctx);
         handle.cainfo(&cainfo)?;
     }
-    if let Some(proxy_cainfo) = &http.proxy_cainfo {
+    // Use `proxy_cainfo` if explicitly set; otherwise, fall back to `cainfo` as curl does #15376.
+    let effective_proxy_cainfo = match (&http.proxy_cainfo, &http.cainfo) {
+        (Some(p), _) => Some(p),
+        (None, Some(ca)) => Some(ca),
+        _ => None,
+    };
+    if let Some(proxy_cainfo) = effective_proxy_cainfo {
         let proxy_cainfo = proxy_cainfo.resolve_path(gctx);
         handle.proxy_cainfo(&format!("{}", proxy_cainfo.display()))?;
     }
diff --git a/src/doc/src/reference/config.md b/src/doc/src/reference/config.md
index b9b643032a8..3a245edce13 100644
--- a/src/doc/src/reference/config.md
+++ b/src/doc/src/reference/config.md
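Review bot: The five-line `match` that builds `effective_proxy_cainfo` is `Option::or` written out by hand; `let effective_proxy_cainfo = http.proxy_cainfo.as_ref().or(http.cainfo.as_ref());` expresses the same precedence in one line. The justification in the comment, "as curl does", would be clearer if it said which curl is meant: as far as I know libcurl keeps `CURLOPT_PROXY_CAINFO` independent of `CURLOPT_CAINFO`, so the fallback being mirrored is presumably the command-line tool's handling of `--proxy-cacert`, e.g. `// Fall back to cainfo when proxy_cainfo is unset, mirroring the curl CLI (#15376).` Worth noting for the config docs as well: a user who sets only `http.cainfo` to a private bundle and sits behind an HTTPS proxy whose certificate is only in the system store would, with this fallback, have the proxy verified against that bundle and the connection refused, a fail-closed behaviour change that the "falls back" wording only implies. `configure_http_handle` starts and ends outside the hunk.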
@@ -711,7 +711,7 @@ certificates. If not specified, Cargo attempts to use the system certificates.
 
 #### `http.proxy-cainfo`
 * Type: string (path)
-* Default: none
+* Default: falls back to [`http.cainfo`] if not set
 * Environment: `CARGO_HTTP_PROXY_CAINFO`
 
 Path to a Certificate Authority (CA) bundle file, used to verify proxy TLS
From 85c0108d43797e2430551661286abeb1312cc247 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andrzej=20Bro=C5=84ski?=
Date: Thu, 8 May 2025 11:56:47 +0200
Subject: [PATCH 3/3] Fix linting.

---
 src/doc/src/reference/config.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/doc/src/reference/config.md b/src/doc/src/reference/config.md
index 3a245edce13..59afb85cdd3 100644
--- a/src/doc/src/reference/config.md
+++ b/src/doc/src/reference/config.md
@@ -711,7 +711,7 @@ certificates. If not specified, Cargo attempts to use the system certificates.
 
 #### `http.proxy-cainfo`
 * Type: string (path)
-* Default: falls back to [`http.cainfo`] if not set
+* Default: falls back to `http.cainfo` if not set
 * Environment: `CARGO_HTTP_PROXY_CAINFO`
 
 Path to a Certificate Authority (CA) bundle file, used to verify proxy TLS