
I work in a small group inside of a large company.

All network traffic goes through the company's firewall, which I think acts like a man-in-the-middle on any traffic that comes in.

One example where I see this is when using curl:

c:\>curl https://www.google.com
curl: (60) SSL certificate problem: self signed certificate in certificate chain

So I check the certificate chain with:

c:\>openssl s_client -connect google.com:443

And get back (with some details removed)

Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
   i:/C=US/My Company's Intermediate CA
 1 s:/C=US/My Company's Intermediate CA
   i:/C=US/My Company's Root CA
 2 s:/C=US/My Company's Root CA
   i:/C=US/My Company's Root CA

This provides a challenge for using package managers like npm or composer, because everything over HTTPS fails due to the self-signed certificate error, or simply from not being able to verify the certificate.

I can get npm to work by setting the config values ca="" and strict-ssl=false, but that's an insecure practice.

I'd like our development team to have access to package managers, specifically npm and composer.

Given that I'm not going to be able to change how the firewall works, are there any changes I can make on the local machine (Windows 7) or VM (Windows Server 2008 R2) that will allow our development team to fully utilize these package managers securely?

Thanks!!

maafk

1 Answer


I asked around at the company and eventually talked to the right person who said:

All our internet traffic passes through COMPANY. COMPANY intercepts all HTTPS traffic, replaces the certificate and then adds their own certificate. This is so they can decrypt and analyze all encrypted traffic (essentially a man-in-the-middle attack).
The COMPANY root certificate must be trusted to avoid warnings and errors.

I got a link to where I could download the proper PEM key.

Using that key I was able to set the proper config options for the various package managers.

npm

npm config set cafile C:\\path\\to\\cert.pem
npm config set strict-ssl true

(Needed double backslashes on Windows)

composer

Had to set certain values in php.ini for composer to work.

openssl.cafile = C:\path\to\cert.pem
curl.cainfo = C:\path\to\cert.pem

For any other programs that threw a certificate error (not verified, self-signed, etc.), I ended up finding some sort of config setting where I could point to that PEM file and get them all to work.

maafk