SDK-6180 Support proxyCaCertificate for SSL-inspecting proxies#1116
Open
AakashHotchandani wants to merge 3 commits into
Trust a customer-provided CA bundle for all outbound HTTPS (axios) for customers behind SSL-inspecting corporate proxies (Zscaler/Netskope).

- New bin/helpers/caCertHelper.js: resolves the cert (env BROWSERSTACK_EXTRA_CA_CERTS > browserstack.json connection_settings.proxyCaCertificate or top-level), patches tls.createSecureContext to addCACert it (MERGED with system roots; covers every axios call and the HttpsProxyAgent tunnel in one hook), and sets NODE_EXTRA_CA_CERTS. Never throws.
- Hooked in validateBstackJson (runs first in every command, before any axios call).

Verified through mitmproxy: with the cert, axios requests succeed through the proxy; without it the CLI still rejects the MITM cert (cert-gated).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ny extension)

caCertHelper read the cert as utf8 and addCACert'd it once: a DER (binary) cert (e.g. a Windows .cer export) was corrupted/dropped, and a multi-cert PEM bundle had only its first cert trusted. Added loadCaCertsAsPem (content-sniffs PEM single/bundle vs DER, converting DER->PEM via base64 wrap) and addCACert each cert. NODE_EXTRA_CA_CERTS now points at a PEM file (the customer's path when already PEM, else a PEM-converted temp) since Node can't load a raw DER through that var. So .pem/.crt/.cer/.der all work regardless of extension. Verified addCACert accepts both PEM and DER inputs.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
… 0600 + O_EXCL)

Security review flagged the predictable temp path used for NODE_EXTRA_CA_CERTS when converting a DER cert. Now write into a fresh owner-only dir (fs.mkdtempSync) and open the file with O_EXCL|O_NOFOLLOW at mode 0600, preventing a local pre-plant/symlink-race on the file the process trusts as a CA.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
What is this about?

Adds proxyCaCertificate support so the Cypress CLI works behind SSL-inspecting corporate proxies (Zscaler/Netskope/Forcepoint). proxyCaCertificate (path to a PEM CA), read from connection_settings.proxyCaCertificate (or top-level) in browserstack.json; env BROWSERSTACK_EXTRA_CA_CERTS overrides.

How

The CLI makes outbound HTTPS via axios across ~10 files (some via HttpsProxyAgent, some direct), so rather than patch each: bin/helpers/caCertHelper.js patches tls.createSecureContext once and addCACerts the customer cert — honored by every axios call and the proxy tunnel, merged with default roots. Also sets NODE_EXTRA_CA_CERTS.

validateBstackJson (runs first in every command, before any axios call).

Verification (mitmproxy SSL-inspecting proxy)

Drove the real caCertHelper + axios through mitmproxy: without the cert → UNABLE_TO_VERIFY_LEAF_SIGNATURE; with it → success (HTTP 404 through the proxy). Cert-gated: without the cert the CLI still rejects the MITM cert; merge keeps public roots.

Related Jira

🤖 Generated with Claude Code