Ability to provide custom CA Certificate bundle for request validation

[gschier]

libcurl provides a way to specify a CA bundle used for requests (CURLOPT_CAINFO). Currently, this is being used to provide a base CA bundle for Windows and Linux, but a user-supplied bundle could be concatenated to this fairly easily.

To-Do

• Add setting to workspace settings to import a custom CA bundle (PEM format)
• Add logic to concatenate user-supplied bundle to base bundle (if Windows or Linux). On Mac, simply provide user-supplied bundle

Unknowns

Since Curl retrieve the base CA bundle from the OS on Mac, it's unclear whether or not setting CURLOPT_CAINFO will override this bundle entirely or add to it. This needs to be tested.

[aaron-trout]

Providing a CA on a per environment or per request basis might provide better flexibility than per workspace. For example talking to Kubernetes API and providing the cert to validate with.

[coderjoe]

This is something I'd be very interested in having. I'd love to give a PR a try.

[gschier]

@aaron-trout I agree that it's more flexible but I don't think the use case for a global CA cert is much more common. If we see enough desire to add per-request CA certs later, we can come up with a mechanism to do so.

@coderjoe are you still wanting to give this a try? It might end up being quite a bit of work but I'm happy to point you in the right direction. I'm picturing a new tab in the workspace setting (beside Client Certificates) to upload additional CA certificates.

[coderjoe]

@gschier absolutely still interested. I'll likely need help with testing on Mac OSX as I only have Linux and Windows machines.

[gschier]

Sure, I could definitely help test that out 😄

[coderjoe]

Sorry for the delay. I very much appreciate the guidance/suggestions. If I run into any snags or questions I'll be sure to ask here.

Edit: Right now I'm using the existing certificate model and UI as a template to allow people to add CA Bundles. It's making it pretty easy to jump right in.

[gschier]

Nice! 👍 😄

[macbookandrew]

I’d love to see this feature too and can help test it out.

As a workaround, you can also install curl using homebrew on macOS and it appears to use the macOS keychain CA certificate store instead of whatever the native curl uses, so if you have a custom cert marked as trusted in your Keychain.app, Insomnia will connect without a certificate error.

[coderjoe]

As is probably obvious by lack of commits, I ran into some snags and haven't had time to come back to this issue. If anybody else wants to give it a whack please feel free. I have no significant progress to share at this time.

I am still interested in the feature, it just isn't really a critical feature for me anymore. Maybe I'll have time later this year to revisit it.

[jsfrerot]

Just had the issue with our internal root CA. Would be nice to make this work.

[Vasile-Ciorna]

Yes have this issue as well. Is there any progress on this? Importing CA bundles is something which is useful and think should be included in the app.

[lsuttle]

Another +1, I cannot use this without this functionality.

[develohpanda]

Hi @lsuttle, there is a PR currently open but is blocked on testing and validating the new functionality (#2020 (comment)). Is this something you may be able to help with? If so, I can prepare a bundle to install on your OS.

[ryanprior]

I could help with validation. I'm on elementary OS 5.1.5 (like Ubuntu Precise) and I'm using mkcert as my local CA for API testing. If you can provide a bundle I'd be happy to try it with that configuration.

[lsuttle]

Sure I can give it a try, I have most recent Windows 10 install.

[bmarwell]

Hi, is this still in consideration? Thanks! :)

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[ryanprior]

Still relevant, please leave open =D

[develohpanda]

Yis! Mistakenly marked as stale 😞

[bmarwell]

Woohooo, feature accepted! Thanks! 🥳

[bmarwell]

Why was #675 closed?

[wdawson]

We are moving all ideas and feature requests to GitHub Discussions to provide a better experience. We'll be just as active here going forward but it helps us segment bugs and other issues from ideas and feedback.

[gendergap]

What I don't understand yet is why Insomnia ships its own CA trust store in the first place. Both Windows and Linux have builtin certificate stores, which are often managed extensively by IT departments to include custom CAs and most common official ones.

If Insomnia would simply use the OS trust store, the need for a custom implementation in Insomnia would go away. Everybody who needs a special CA certificate could simply add it to the OS trust store (where it usually is already present, most issues here seem to be that custom CAs are not present in Insomnia).

[coolhome]

@gendergap I believe the problem here is with cURL which is used instead of nodejs http. For the longest time cURL only was natively supported Mac OS X Keychain. I believe there is now Windows support.

https://curl.se/docs/sslcerts.html

[jarrett-confrey]

maybe something like this? #4125

[RaVbaker]

@wdawson Any chance you could have a look at this idea above? #4125 It would solve the issue at least at minimal level.

[wdawson]

Yeah, I think we have alignment within the team that this is the direction we want to go. We're working on some large networking refactors (along with some big dependency upgrades, like Electron) where we may abandon node-libcurl. However, we're still early there. I expect changes to help with this will be much easier to implement in a cross-platform way once we get a bit further along and make a final call about the app's networking architecture.

[bmarwell]

Hi @wdawson, can you kindly give us an update? This issue has been open since 2017(!) and there is only one hacky workarounds on Linux and Mac, but this is still not something most users are happy with. Also, there's no known workaround for Windows users.

Thanks!
Ben

The hacky Un*x workaround: https://kdecherf.com/blog/2018/07/13/force-insomnia-to-use-the-system-trust-store/

[ErikKringen]

With #4738 all of the hacks related to setting the ca-certs.pem in a temp directory no longer work. That leaves the only option to disable SSL validation completely when working within a company that has its own internal CA, which is less than ideal from a security standpoint.

[jvdbrink-netpulse]

This is also where I stranded.. had to disable ssl validation

[sysarch-repo]

I also confirm that this behavior has changed as of 2022.4.2. With this, the security in conjunction with the use of custom CAs is compromised.

[Finkregh]

i suspect that this is a complete deal-breaker for quite some people... :|

[ttelford]

Disabling x.509 Certificate validation is asinine.

I'd like to eval Insomnia, but I can't even do that due to this, as I have to use an internal CA.

[joepdegroot]

Is this issue this being considered? Had to downgrade to 2022.3.0 after an upgrade to 2022.6.0, which no longer included the ability to replace the ca-certs.pem temp file.

Moreover, it would be great if next to the 'client certificates' there is an option to just add custom CA certificates...

[jackkav]

Yes @joepdegroot we're working on it in #5498