Error: custom CA behind corporate proxy

[mainakae]

Hello all and congratulations for this awesome library!.

I've been experiencing some issues passing custom CA certificates to request. I followed the documentation, setting agentOptions.ca successfully in an non-proxy environment, but then I moved the code to a proxied one (proxy configured via $http_proxy), and found that it didn't work any more. Te error that returned the previously working code was that it couldn't verify the CA. After some debugging and code inspection I've summed-up the following:

1. using options.agentOptions.ca, which is the way stated in the documentation, will work in a non-proxied env, but not in a proxied one.
2. using https.globalAgent.options.ca, which is not documented, but is stated in many places (stackoverflow, forums...) as a feasible way of setting it, will work on non-proxied but won't in proxied again.
3. using options.ca, which is not documented (I had to find it inspecting code and later in some issue comments in github) WORKS IN BOTH, non-proxied and proxied environments.

The problem lies in this piece of code (or so I think)

function constructTunnelOptions(request) {
  var proxy = request.proxy

  var tunnelOptions = {
    proxy : {
      host      : proxy.hostname,
      port      : +proxy.port,
      proxyAuth : proxy.auth,
      headers   : request.proxyHeaders
    },
    headers            : request.headers,
    ca                 : request.ca,
    cert               : request.cert,
    key                : request.key,
    passphrase         : request.passphrase,
    pfx                : request.pfx,
    ciphers            : request.ciphers,
    rejectUnauthorized : request.rejectUnauthorized,
    secureOptions      : request.secureOptions,
    secureProtocol     : request.secureProtocol
  }

  return tunnelOptions
}

In order to account for other possibles sources of CA information, this code should become something like:

var tunnelOptions = {
//...
    ca                 : request.ca ||  agentOptions.ca || https.globalAgent.options.ca
//...
}

This should take the right order of priority for CAs (request > agentOptions > globalAgent). There's a problem, though: agentOptions is not accessible from constructTunnelOptions. Other alternative could be to use request.agent (agentOptions are used to construct that .agent) but then again, request.agent is constructed way after constructTunnelOptions is called, thus no luck there neither.

One point worth to be discussed, then, is if it's "sane" or semantically correct to set the CA in agentOptionswhile in a proxied environment, as there's going to be no agent involved in the communication (it instead uses a tunneled TLS connection), and that's tat. But I also find that, as request tries (and THANK YOU FOR THAT) to hide the proxy configuration from the developer, it should maintain coherence in the settings among proxied and non-proxied environments.

CONCLUSION: I think the best way to solve this issue is also the simplest: document options.ca as the right way of setting the CAs for request, as agentOptions.ca would leave uncovered proxied environments (as it has to be!). Then, if something breaks, try to fix it. But PLEASE document options.ca now, as not doing so is a defect in itself.

I've found that this lack of documentation is related to a number of other issues (#1490, #1290, #1229, #1236) and even pull-request that didn't make it to master (#1289) but fixed this issue.

[simov]

Closed via #1585