How to add a Firewall self signed certificate to the trusted store used by Elixir, Erlang and Mix?

At work we run behind a Firewall, thus for any software we use we need to tell it to trust the self-signed certificate issued by the Firewall provider.

So the Firewall does the https termination, inspects the request content with anti-virus software, and if no virus is found it will re-encrypt the request with a self-signed certificate and send the request to the intended destination in our internal network, aka our computer, which has the Firewall self-signed certificate installed in the trusted store of the operating system and in the trusted store of each piece of software we use that does not use the operating system trusted store.

Normally I am able to find the solution on Google, but for Elixir and Mix I am not finding it… So does Elixir, Mix or Erlang provide an option to add a self-signed certificate to their trusted store, just like in Python or Node?

What I am not looking for:

  • How to disable TLS checking in git, mix or any other place, because that would defeat the purpose of having a Firewall at work.
  • How to setup the proxy environment variables, because we are not using one.

Mix doesn’t verify certificates for its HTTP requests; instead it relies on everything it fetches being signed / checksummed with Elixir’s private key.

Hex ships with its own certificate store that cannot be changed, but there is an open issue for allowing a custom certificate store: https://github.com/hexpm/hex/issues/690.

If you are making your own HTTP requests you can usually pass down SSL options including your custom certificates to the HTTP client library you are using.
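As an added example (not code from the thread or from Hex), this is the kind of SSL option list the reply above describes, handed to Erlang's :httpc client so that peer verification stays on while the firewall CA is trusted alongside the operating system bundle. It assumes OTP 25 or later for :public_key.cacerts_get/0, and that the firewall CA has been exported as PEM to the assumed path /etc/ssl/certs/firewall-ca.pem.

```elixir
defmodule FirewallHttp do
  @moduledoc """
  Added example: HTTPS through a TLS-inspecting firewall without turning
  verification off. Assumes OTP 25+ and the firewall CA stored as PEM.
  """

  # Assumed location of the exported firewall CA (PEM).
  @firewall_ca "/etc/ssl/certs/firewall-ca.pem"

  # Decode every certificate in a PEM file into DER binaries, which is the
  # form the :cacerts ssl option expects.
  def pem_to_der(path) do
    path
    |> File.read!()
    |> :public_key.pem_decode()
    |> Enum.map(fn {:Certificate, der, :not_encrypted} -> der end)
  end

  # Trust store = OS bundle (cacerts_get/0, OTP 25+) plus the firewall CA.
  # verify_peer is kept on and hostname matching uses the HTTPS rules
  # (wildcards etc.), so this is not a bypass, only an extra trust anchor.
  def ssl_opts(firewall_ca \\ @firewall_ca) do
    [
      verify: :verify_peer,
      cacerts: :public_key.cacerts_get() ++ pem_to_der(firewall_ca),
      customize_hostname_check: [
        match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
      ]
    ]
  end

  # GET the url with the options above; returns {:ok, status, body} or
  # {:error, reason} (a certificate the firewall CA did not sign fails here).
  def get(url) do
    {:ok, _} = Application.ensure_all_started(:inets)
    {:ok, _} = Application.ensure_all_started(:ssl)

    request = {String.to_charlist(url), []}

    case :httpc.request(:get, request, [ssl: ssl_opts()], body_format: :binary) do
      {:ok, {{_version, status, _reason}, _headers, body}} -> {:ok, status, body}
      {:error, reason} -> {:error, reason}
    end
  end
end

# Usage: FirewallHttp.get("https://hex.pm/api/packages/jason")
```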

I cannot even install Hex, so I have not gone that far yet.

Using HEX_UNSAFE_HTTPS is completely out of the question, because that means losing our Security certification.

Unfortunately in that case, you have to wait until the linked feature is implemented or have your business contribute to it. The hex team is always happy to help and give guidance to anyone that is willing to contribute.

This is a GO lang shop, and I am trying to sneak Elixir in for a demo project :wink:

So there is no chance of having the business contribute to it, and I am very much a beginner in the Elixir language, thus I am not the best choice to implement this feature.

/me is twitching…

That sounds absolutely horrifying and breaking of security… o.O


The opposite: if you are in control of the Firewall server, it runs inside of our network, and it is a requirement to obtain the first level of security certification.

We already caught some compromised NodeJS packages with the Firewall anti-virus inspection, before I was aware of them via other channels.

That’s what sounds like the security issue though: it’s a single point of failure on a single certificate that exists on a machine on the internal network, and if it was broken into, then everything can be taken over with relative ease.

I haven’t seen any with viruses, only things like blockchain miners and so forth. But then again nothing Node is run in production here, very little is run in production and each runs within its own VM, and dev things are run in Docker, including compilation.

Having a single certificate actually stored on a local system that has access to everything sounds absolutely horrifying, I’m not sure how that could be considered secure…

The certificate does not open doors to anything in the office, it only encrypts communication between the Firewall and the browser on each computer inside the network, and if you change the certificate in the Firewall you need to replace it on all computers, otherwise the browser will not trust the connection.

So do you really think that third party certificates are more trustworthy? Just search Google for certificate authorities compromised or certificate authorities misuse, and then you will see why it is important in a corporate office environment to guarantee security at the edge of the network serving it.

If you ask me if it is bullet proof, I will tell you immediately that it is not, but it is more secure to have a Firewall inspecting the traffic than not having one.

Now if you ask me if it is easy to live with, I will tell you immediately that it is not… indeed it is hard, because each software maker loves to ship its own certificate trusted store, and to make it worse, lots of them don’t give an option to add certificate authorities to it, or make it too hard, and in the end the first solution presented by them to overcome the limitation is to add a flag to disable certificate validation… really!!!

If an attacker gets inside the office network, the Firewall certificate is the last of my concerns, because he already has access to much more important things.

Anyway the Firewall is only the first line of defense, other measures are in place, and the last one is anti-virus running on the PC, which to my surprise even caught stuff inside Docker containers :wink:

We need to use Node to build demos so that developers using it can use our Security product, but just to be clear we are talking about an office network, not the cloud network where we run our production stuff.

and I said in reply:

But looking at the code it does not look that hard, thus I will give it a try :wink:

Do you want to provide some guidelines and directions?

Setting HEX_CACERTS_PATH to the cert path solves the issue, see mix hex.config — Hex v2.0.6